From a6a0c5d80e920f4dbbe556f8a569d72fa635b04e Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 15:05:34 -0800 Subject: [PATCH 1/5] Initial commit Signed-off-by: Darshit Chanpura --- _automating-configurations/workflow-access-control.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 _automating-configurations/workflow-access-control.md diff --git a/_automating-configurations/workflow-access-control.md b/_automating-configurations/workflow-access-control.md new file mode 100644 index 00000000000..e69de29bb2d From 98aedb9bde57acbf95d4e705bbf4b9c8bdc05123 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 17:53:09 -0800 Subject: [PATCH 2/5] Adds doc for workflow and workflow-state Signed-off-by: Darshit Chanpura --- .../workflow-access-control.md | 95 +++++++++++++++++++ .../workflow-state-access-control.md | 95 +++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 _automating-configurations/workflow-state-access-control.md diff --git a/_automating-configurations/workflow-access-control.md b/_automating-configurations/workflow-access-control.md index e69de29bb2d..023a73fbd79 100644 --- a/_automating-configurations/workflow-access-control.md +++ b/_automating-configurations/workflow-access-control.md 
@@ -0,0 +1,95 @@ +--- +layout: default +title: Workflow access control +nav_order: 30 +--- + +# Workflow access control + +**Status:** Experimental +**Replaces:** `plugins.flow_framework.filter_by_backend_roles` (on deprecation path; see note below) +{: .warning } + +This page explains how **Flow Framework** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for **workflow state** records. + +> For the end-to-end framework concepts and APIs, see [Resource Sharing and Access Control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) +{: .note} + +--- + +## Onboarding + +- **Resource type:** `workflow` +- **System index:** `.plugins-flow-framework-workflow-templates` +- **Onboarded in:** `3.4` + +When resource-level authorization is enabled for this type, each workflow’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. + +--- + +## Enable or disable for this resource type + +Add the type to the protected list and enable the feature. + +### `opensearch.yml` (3.4+) + +```yaml +plugins.security.experimental.resource_sharing.enabled: true +plugins.security.system_indices.enabled: true +plugins.security.experimental.resource_sharing.protected_types: + - "workflow" +```` + +### Dev Tools (3.4+) + +```curl +PUT _cluster/settings +{ + "transient": { + "plugins.security.experimental.resource_sharing.enabled": true, + "plugins.security.experimental.resource_sharing.protected_types": ["workflow", ] + } +} +``` +{% include copy-curl.html %} + +--- + +## Workflow access levels + +Flow Framework exposes **three access levels** for workflow documents. + +### 1. workflow_read_only + +This read-only access level grants a read and search only access to the shared workflow. 
+ +Following actions are allowed with this access-level: +```yaml +- "cluster:admin/opensearch/flow_framework/workflow/get" +- "cluster:admin/opensearch/flow_framework/workflow/search" +``` + +### 2. workflow_read_write + +This read-write access level grants full access to a workflow except share. + +Following actions are allowed with this access-level: +```yaml +- "cluster:admin/opensearch/flow_framework/workflow/*" +- "cluster:monitor/*" +``` + +### 3. workflow_full_access + +This access level grants complete access to a workflow and will allow shared user owner-like permission. + +Following actions are allowed with this access-level: +```yaml +- "cluster:admin/opensearch/flow_framework/workflow/*" +- "cluster:monitor/*" +- "cluster:admin/security/resource/share" +``` + +--- + +> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/flow-framework/). diff --git a/_automating-configurations/workflow-state-access-control.md b/_automating-configurations/workflow-state-access-control.md new file mode 100644 index 00000000000..039b0ef2705 --- /dev/null +++ b/_automating-configurations/workflow-state-access-control.md 
@@ -0,0 +1,95 @@ +--- +layout: default +title: Workflow state access control +nav_order: 35 +--- + +# Workflow state access control + +**Status:** Experimental +**Replaces:** `plugins.flow_framework.filter_by_backend_roles"` (on deprecation path; see note below) +{: .warning } + +This page explains how **Flow Framework** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for **workflows**. + +> For the end-to-end framework concepts and APIs, see [Resource Sharing and Access Control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) +{: .note} + +--- + +## Onboarding + +- **Resource type:** `workflow-state` +- **System index:** `.plugins-flow-framework-state` +- **Onboarded in:** `3.4` + +When resource-level authorization is enabled for this type, each workflow-state’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. + +--- + +## Enable or disable for this resource type + +Add the type to the protected list and enable the feature. + +### `opensearch.yml` (3.4+) + +```yaml +plugins.security.experimental.resource_sharing.enabled: true +plugins.security.system_indices.enabled: true +plugins.security.experimental.resource_sharing.protected_types: + - "workflow-state" +```` + +### Dev Tools (3.4+) + +```curl +PUT _cluster/settings +{ + "transient": { + "plugins.security.experimental.resource_sharing.enabled": true, + "plugins.security.experimental.resource_sharing.protected_types": ["workflow-state", ] + } +} +``` +{% include copy-curl.html %} + +--- + +## Workflow state access levels + +Flow Framework exposes **three access levels** for workflow states. + +### 1. workflow_state_read_only + +This read-only access level grants a read and search only access to the shared workflow-state. 
+ +Following actions are allowed with this access-level: +```yaml +- "cluster:admin/opensearch/flow_framework/workflow_state/get" +- "cluster:admin/opensearch/flow_framework/workflow_state/search" +``` + +### 2. workflow_state_read_write + +This read-write access level grants full access to a workflow-state except share. + +Following actions are allowed with this access-level: +```yaml +- "cluster:admin/opensearch/flow_framework/workflow_state/*" +- "cluster:monitor/*" +``` + +### 3. workflow_state_full_access + +This access level grants complete access to a workflow-state and will allow shared user owner-like permission. + +Following actions are allowed with this access-level: +```yaml +- "cluster:admin/opensearch/flow_framework/workflow_state/*" +- "cluster:monitor/*" +- "cluster:admin/security/resource/share" +``` + +--- + +> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/flow-framework/). From cd2e9a89a7c7b2b834a4819e4fac3d35ebb6f5a2 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:02:39 -0800 Subject: [PATCH 3/5] Updates docs Signed-off-by: Darshit Chanpura --- _automating-configurations/workflow-access-control.md | 8 ++++---- .../workflow-state-access-control.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/_automating-configurations/workflow-access-control.md b/_automating-configurations/workflow-access-control.md index 023a73fbd79..5074c2df2a1 100644 --- a/_automating-configurations/workflow-access-control.md +++ b/_automating-configurations/workflow-access-control.md 
@@ -7,7 +7,7 @@ nav_order: 30 # Workflow access control **Status:** Experimental -**Replaces:** `plugins.flow_framework.filter_by_backend_roles` (on deprecation path; see note below) +**Replaces:** `plugins.flow_framework.filter_by_backend_roles` {: .warning } This page explains how **Flow Framework** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for **workflow state** records. @@ -59,7 +59,7 @@ PUT _cluster/settings Flow Framework exposes **three access levels** for workflow documents. -### 1. workflow_read_only +### workflow_read_only This read-only access level grants a read and search only access to the shared workflow. @@ -69,7 +69,7 @@ Following actions are allowed with this access-level: - "cluster:admin/opensearch/flow_framework/workflow/search" ``` -### 2. workflow_read_write +### workflow_read_write This read-write access level grants full access to a workflow except share. @@ -79,7 +79,7 @@ Following actions are allowed with this access-level: - "cluster:monitor/*" ``` -### 3. workflow_full_access +### workflow_full_access This access level grants complete access to a workflow and will allow shared user owner-like permission. diff --git a/_automating-configurations/workflow-state-access-control.md b/_automating-configurations/workflow-state-access-control.md index 039b0ef2705..0a26f1713c7 100644 --- a/_automating-configurations/workflow-state-access-control.md +++ b/_automating-configurations/workflow-state-access-control.md 
@@ -7,7 +7,7 @@ nav_order: 35 # Workflow state access control **Status:** Experimental -**Replaces:** `plugins.flow_framework.filter_by_backend_roles"` (on deprecation path; see note below) +**Replaces:** `plugins.flow_framework.filter_by_backend_roles` {: .warning } This page explains how **Flow Framework** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for **workflows**. @@ -59,7 +59,7 @@ PUT _cluster/settings Flow Framework exposes **three access levels** for workflow states. -### 1. workflow_state_read_only +### workflow_state_read_only This read-only access level grants a read and search only access to the shared workflow-state. @@ -69,7 +69,7 @@ Following actions are allowed with this access-level: - "cluster:admin/opensearch/flow_framework/workflow_state/search" ``` -### 2. workflow_state_read_write +### workflow_state_read_write This read-write access level grants full access to a workflow-state except share. @@ -79,7 +79,7 @@ Following actions are allowed with this access-level: - "cluster:monitor/*" ``` -### 3. workflow_state_full_access +### workflow_state_full_access This access level grants complete access to a workflow-state and will allow shared user owner-like permission. From cf764a1b505c75b201c97c8af05f92b110978c6c Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:37:36 -0800 Subject: [PATCH 4/5] Adds migration steps Signed-off-by: Darshit Chanpura --- .../workflow-access-control.md | 40 ++++++++++++++++++- .../workflow-state-access-control.md | 38 +++++++++++++++++- 2 files changed, 75 insertions(+), 3 deletions(-) diff --git a/_automating-configurations/workflow-access-control.md b/_automating-configurations/workflow-access-control.md index 5074c2df2a1..fdc30f8b396 100644 --- a/_automating-configurations/workflow-access-control.md +++ b/_automating-configurations/workflow-access-control.md 
@@ -20,7 +20,7 @@ This page explains how **Flow Framework** integrates with the Security plugin’ ## Onboarding - **Resource type:** `workflow` -- **System index:** `.plugins-flow-framework-workflow-templates` +- **System index:** `.plugins-flow-framework-templates` - **Onboarded in:** `3.4` When resource-level authorization is enabled for this type, each workflow’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. 
@@ -90,6 +90,42 @@ Following actions are allowed with this access-level: - "cluster:admin/security/resource/share" ``` +> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/flow-framework/). +{: .note } yellow + --- -> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/flow-framework/). +## Migrating from legacy framework + +> **Admin-only:** The migrate API can only be run **by cluster administrators** (super-admins or rest-admins). +{: .important } + +Once the feature is turned on, and the resource is marked as protected it is imperative that cluster-admins call the migrate API to migrate legacy-sharing information to the new framework: + +### 3.3 clusters +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".plugins-flow-framework-templates", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_access_level": "" +} +``` +{% include copy-curl.html %} + +### 3.4+ clusters + +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".plugins-flow-framework-templates", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_owner": "", + "default_access_level": { + "workflow": "" + } +} +``` +{% include copy-curl.html %} diff --git a/_automating-configurations/workflow-state-access-control.md b/_automating-configurations/workflow-state-access-control.md index 0a26f1713c7..3f51b273912 100644 --- a/_automating-configurations/workflow-state-access-control.md +++ b/_automating-configurations/workflow-state-access-control.md 
@@ -90,6 +90,42 @@ Following actions are allowed with this access-level: - "cluster:admin/security/resource/share" ``` +> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/flow-framework/). +{: .note } yellow + --- -> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/flow-framework/). +## Migrating from legacy framework + +> **Admin-only:** The migrate API can only be run **by cluster administrators** (super-admins or rest-admins). +{: .important } + +Once the feature is turned on, and the resource is marked as protected it is imperative that cluster-admins call the migrate API to migrate legacy-sharing information to the new framework: + +### 3.3 clusters +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".plugins-flow-framework-state", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_access_level": "" +} +``` +{% include copy-curl.html %} + +### 3.4+ clusters + +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".plugins-flow-framework-state", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_owner": "", + "default_access_level": { + "workflow-state": "" + } +} +``` +{% include copy-curl.html %} From baa359c9f2ff665b6d13ddb7c52c00ff5e9b3cbc Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:42:01 -0800 Subject: [PATCH 5/5] Add ntoe Signed-off-by: Darshit Chanpura --- _automating-configurations/workflow-access-control.md | 3 +++ _automating-configurations/workflow-state-access-control.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/_automating-configurations/workflow-access-control.md b/_automating-configurations/workflow-access-control.md index fdc30f8b396..2b0fdd99851 100644 
--- a/_automating-configurations/workflow-access-control.md +++ b/_automating-configurations/workflow-access-control.md @@ -31,6 +31,9 @@ When resource-level authorization is enabled for this type, each workflow’s vi Add the type to the protected list and enable the feature. +> **Admin-only:** These settings can be configured **only by cluster administrators** (super-admins). +{: .important } + ### `opensearch.yml` (3.4+) ```yaml diff --git a/_automating-configurations/workflow-state-access-control.md b/_automating-configurations/workflow-state-access-control.md index 3f51b273912..bf624cc5f4a 100644 --- a/_automating-configurations/workflow-state-access-control.md +++ b/_automating-configurations/workflow-state-access-control.md @@ -31,6 +31,9 @@ When resource-level authorization is enabled for this type, each workflow-state Add the type to the protected list and enable the feature. +> **Admin-only:** These settings can be configured **only by cluster administrators** (super-admins). +{: .important } + ### `opensearch.yml` (3.4+) ```yaml
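Review bot: In patch 2, the new `workflow-access-control.md` (hunk `@@ -0,0 +1,95 @@`) describes the wrong resource in its opening sentence: "to provide **document-level** authorization for **workflow state** records" on the workflow page, while the workflow-state page says "for **workflows**"; the two sentences are swapped and the context lines of patch 3 show they stay that way. In the same hunk the yaml block is closed with four backticks (`````) against a three-backtick opener, which will not terminate the fence in Kramdown; the Dev Tools body contains `"protected_types": ["workflow", ]`, a trailing comma that is not valid JSON and will be rejected by the settings API; "(on deprecation path; see note below)" refers to a note that does not exist on the page; "grants a read and search only access" should read "grants read and search access only"; and the heading "Enable or disable for this resource type" is followed only by the enable steps, so either document how to remove the type from `protected_types` or rename the heading. A sentence explaining why `cluster:monitor/*` is part of `workflow_read_write` and `workflow_full_access` but not `workflow_read_only` would also help readers choosing a level.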
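Review bot: In patch 2, the new `workflow-state-access-control.md` (hunk `@@ -0,0 +1,95 @@`) has a stray quote in the warning line, `plugins.flow_framework.filter_by_backend_roles"`; patch 3 removes it, so the two should be squashed rather than landing the broken line. It carries the same defects as the workflow page: the intro says "authorization for **workflows**" where it should say workflow state records, the yaml fence is closed with four backticks, the settings body has the invalid trailing comma in `["workflow-state", ]`, and "grants a read and search only access to the shared workflow-state" needs the same rewording.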
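Review bot: In patch 3, hunk `@@ -7,7 +7,7 @@` of each file drops "(on deprecation path; see note below)" and with it the only statement that `plugins.flow_framework.filter_by_backend_roles` is being deprecated; if that is still the intent, keep a sentence saying the setting is deprecated and from which version it is ignored, otherwise "**Replaces:**" overstates what the new framework does. The numbering removed from the `###` headings is fine. The surrounding context lines still show the swapped intro sentences noted on patch 2, so that fix is still outstanding after this patch.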
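Review bot: In patch 4, hunk `@@ -90,6 +90,42 @@` of `workflow-access-control.md` leaves a stray word after the Kramdown attribute list, `{: .note } yellow`, which will render as literal text below the note; drop it. In the new "Migrating from legacy framework" section, `"default_access_level": ""` and `"default_owner": ""` give the reader no indication of valid values; state that the access level is one of the three levels defined above and what `default_owner` expects, and explain why the 3.3 body takes a single string while the 3.4+ body takes a per-type map (`"workflow": ""`). "3.3 clusters" is confusing next to settings that are documented as 3.4+ only; say whether it means the cluster currently runs 3.3 or that the index was written by 3.3 before upgrade. The sentence "Once the feature is turned on, and the resource is marked as protected it is imperative that cluster-admins call the migrate API" needs the comma after "protected" rather than after "on", and it should state what happens to workflows that are not migrated, since that is the failure mode an operator needs to plan for. A blank line is also missing between "### 3.3 clusters" and its fence.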
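Review bot: In patch 4, hunk `@@ -90,6 +90,42 @@` of `workflow-state-access-control.md` repeats every issue raised on the workflow page: the stray `yellow` after `{: .note }`, the unexplained empty `"default_access_level"` and `"default_owner"` values, the unexplained difference between the 3.3 string form and the 3.4+ map form (`"workflow-state": ""`), the ambiguous "3.3 clusters" heading, the misplaced comma, and the missing blank line before the 3.3 fence. Since both pages carry identical migration text, consider moving it to a shared include so the two cannot drift.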
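Review bot: In patch 5, the commit subject "Add ntoe" should read "Add note". The new admin-only note in hunk `@@ -31,6 +31,9 @@` of both files says "(super-admins)", while the migrate-API note added in patch 4 says "(super-admins or rest-admins)"; either align the two or explain why changing the settings needs a super-admin when running the migration does not. The note is also placed above the `opensearch.yml` section, which is a file edit rather than an API call, so either move it under "Dev Tools" or word it to cover both paths.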