Warewolf security settings can be configured using Warewolf Studio. They are saved to a secure.config file in %programdata%\Warewolf\Server Settings. The Lightweight Execution Engine for Warewolf supports loading this secure.config.
A secure.config file must be in the Lightweight Execution Engine’s bin directory. If the file is missing when the engine is deployed into Azure, the engine returns HTTP 503 (deny-all) for every request. This is safe-by-default behaviour.
Examples of typical configurations:
Locks the Public group down server-wide, then grants public access only to the specific workflows that need it.
{
  "SecretKey": "",
  "AuthenticationOverrideWorkflow": { "ResourceID": "00000000-0000-0000-0000-000000000000", "Name": "" },
  "WindowsGroupPermissions": [
    { "WindowsGroup": "Warewolf Administrators", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": true, "View": true, "Execute": true, "Contribute": true, "DeployTo": true, "DeployFrom": true, "Administrator": true },
    { "WindowsGroup": "Public", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": false, "View": false, "Execute": false, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false },
    { "WindowsGroup": "Public", "ResourceID": "11111111-1111-1111-1111-111111111111", "ResourceName": "Hello World", "IsServer": false, "View": true, "Execute": true, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false },
    { "WindowsGroup": "Warewolf Administrators", "ResourceID": "11111111-1111-1111-1111-111111111111", "ResourceName": "Hello World", "IsServer": false, "View": true, "Execute": true, "Contribute": true, "DeployTo": false, "DeployFrom": false, "Administrator": false }
  ]
}
Grants secure access to authenticated groups (JWT or Microsoft Entra ID).
{
  "SecretKey": "",
  "AuthenticationOverrideWorkflow": { "ResourceID": "00000000-0000-0000-0000-000000000000", "Name": "" },
  "WindowsGroupPermissions": [
    { "WindowsGroup": "Warewolf Administrators", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": true, "View": true, "Execute": true, "Contribute": true, "DeployTo": true, "DeployFrom": true, "Administrator": true },
    { "WindowsGroup": "Public", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": false, "View": false, "Execute": false, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false },
    { "WindowsGroup": "SalesAppUsers", "ResourceID": "22222222-2222-2222-2222-222222222222", "ResourceName": "CreateOrder", "IsServer": false, "View": true, "Execute": true, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false },
    { "WindowsGroup": "SalesAppUsers", "ResourceID": "33333333-3333-3333-3333-333333333333", "ResourceName": "GetOrderStatus", "IsServer": false, "View": true, "Execute": true, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false }
  ]
}
Applies least privilege per workflow — grants a specific group only Execute (plus the required View) on a single workflow, so callers can run that one API but reach nothing else.
{
  "SecretKey": "",
  "AuthenticationOverrideWorkflow": { "ResourceID": "00000000-0000-0000-0000-000000000000", "Name": "" },
  "WindowsGroupPermissions": [
    { "WindowsGroup": "Warewolf Administrators", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": true, "View": true, "Execute": true, "Contribute": true, "DeployTo": true, "DeployFrom": true, "Administrator": true },
    { "WindowsGroup": "Public", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": false, "View": false, "Execute": false, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false },
    { "WindowsGroup": "ReportRunners", "ResourceID": "44444444-4444-4444-4444-444444444444", "ResourceName": "RunDailyReport", "IsServer": false, "View": true, "Execute": true, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false }
  ]
}
Reserves server-wide administrative access for a trusted group (for example Warewolf Administrators) while leaving the Public group denied, so internal and operational workflows are never publicly reachable.
{
  "SecretKey": "",
  "AuthenticationOverrideWorkflow": { "ResourceID": "00000000-0000-0000-0000-000000000000", "Name": "" },
  "WindowsGroupPermissions": [
    { "WindowsGroup": "Warewolf Administrators", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": true, "View": true, "Execute": true, "Contribute": true, "DeployTo": true, "DeployFrom": true, "Administrator": true },
    { "WindowsGroup": "Public", "ResourceID": "00000000-0000-0000-0000-000000000000", "ResourceName": "", "IsServer": true, "View": false, "Execute": false, "Contribute": false, "DeployTo": false, "DeployFrom": false, "Administrator": false }
  ]
}
You can bypass the check by setting BYPASS_SECURE_CONFIG=true. Do not set this — or WAREWOLF_SUPER_ADMIN_ENABLED — in production. These environment variables are for local development only!
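A pre-deployment check for the points above, as an added example rather than Warewolf's own code: it lints a secure.config and the environment for the dev-only variables, Public rights beyond View/Execute, and a missing server-wide Public deny. The policy, the name `lint_secure_config`, and treating the all-zero ResourceID as the server-wide entry are assumptions; the sample config is constructed.

```python
import json

ZERO_GUID = "00000000-0000-0000-0000-000000000000"
RIGHTS = ("View", "Execute", "Contribute", "DeployTo", "DeployFrom", "Administrator")
# Linter policy (assumption): anonymous callers may at most View/Execute a workflow.
PUBLIC_ALLOWED = {"View", "Execute"}
DEV_ONLY_ENV = ("BYPASS_SECURE_CONFIG", "WAREWOLF_SUPER_ADMIN_ENABLED")

def lint_secure_config(text, env):
    """Return (findings, public_workflows) for secure.config text and an env mapping."""
    findings, public_workflows = [], []
    for name in DEV_ONLY_ENV:
        if str(env.get(name, "")).strip().lower() == "true":
            findings.append(f"{name}=true is set; local development only")
    try:
        entries = json.loads(text)["WindowsGroupPermissions"]
    except (ValueError, KeyError, TypeError):
        return findings + ["secure.config is missing or malformed"], public_workflows
    public_denied_server_wide = False
    for entry in entries:
        if not isinstance(entry, dict) or entry.get("WindowsGroup") != "Public":
            continue
        granted = [r for r in RIGHTS if entry.get(r) is True]
        # Assumption: the all-zero ResourceID (or IsServer) marks a server-wide entry.
        if entry.get("IsServer") is True or entry.get("ResourceID") == ZERO_GUID:
            if granted:
                findings.append(f"Public has server-wide rights: {', '.join(granted)}")
            else:
                public_denied_server_wide = True
            continue
        name = entry.get("ResourceName") or entry.get("ResourceID")
        excess = [r for r in granted if r not in PUBLIC_ALLOWED]
        if excess:
            findings.append(f"Public has {', '.join(excess)} on workflow {name}")
        if "Execute" in granted:
            public_workflows.append(name)  # review list: anonymously runnable
    if not public_denied_server_wide:
        findings.append("no server-wide deny entry for Public")
    return findings, public_workflows

# Constructed sample: Public was wrongly given Contribute on one workflow.
SAMPLE = """{"WindowsGroupPermissions": [
 {"WindowsGroup": "Public", "ResourceID": "00000000-0000-0000-0000-000000000000", "IsServer": false, "View": false, "Execute": false},
 {"WindowsGroup": "Public", "ResourceID": "11111111-1111-1111-1111-111111111111", "ResourceName": "Hello World", "IsServer": false, "View": true, "Execute": true, "Contribute": true}
]}"""

if __name__ == "__main__":
    print(lint_secure_config(SAMPLE, {"BYPASS_SECURE_CONFIG": "true"}))
```

Pass `os.environ` as `env` in a release pipeline and fail the build when the findings list is non-empty.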
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Every request returns HTTP 503 | secure.config not in the engine’s bin directory | Add a valid secure.config (or set BYPASS_SECURE_CONFIG=true for dev only). |
| Secured route returns 401 | Microsoft Entra config. | Confirm WAREWOLF_ENTRA_AUDIENCE / WAREWOLF_ENTRA_TENANT_ID match your token. |
| Secured route returns 403 or 500 | Permission denied. | Check your secure.config and compare it to your roles in Entra. If using a JWT token, look for your username in the secure.config. |




