Enable enterprise control over node usage with governance policies

Feature Requests
, ,
1

The idea is:

Add a Node Governance system that allows instance admins to control which nodes are available for use in workflows. Admins can create allow/block policies targeting individual nodes or categories of nodes, with support for both global (instance-wide) and project-level scoping. The feature includes:

  • Policy management with configurable scope (global vs project)
  • Node categorization for bulk policy management (e.g., “External APIs”, “Google Services”)
  • Priority-based policy resolution (Global Block > Global Allow > Project Block > Project Allow)
  • Access request workflow where users can request access to blocked nodes with justification
  • Admin review interface to approve/reject access requests
  • Visual indicators in the node creator showing blocked/pending status

My use case:

Enterprise organizations need to control which third-party integrations their teams can use in automation workflows. For example:

  • A security team wants to block all external email services except the company-approved provider
  • A compliance team needs to prevent certain data from flowing to unapproved cloud storage nodes
  • A project team needs temporary access to a blocked node for a specific use case and can request approvalI think it would be beneficial to add this because:

I think it would be beneficial to add this because:
Currently, n8n has no UI built-in way to restrict which nodes users can add to workflows. This creates security and compliance risks for enterprise deployments where organizations need to enforce policies about which external services can be integrated. This feature enables IT/security teams to enforce governance policies while still allowing flexibility through the access request workflow.

Any resources to support this?

I have a working implementation with full backend infrastructure, admin UI, and node creator integration: feat(core): Add node governance for controlling node access by tzachish1 · Pull Request #24993 · n8n-io/n8n · GitHub

Are you willing to work on this?

Yes, I have already implemented this feature and am willing to contribute it upstream.

2

This governance feature would be great for the long term, but in the meantime, are you aware of the NODES_INCLUDE and NODES_EXCLUDE environment variables?

They let you whitelist or blacklist nodes at the instance level. Not as granular as project-level policies, but it covers the basic “restrict which nodes are available” use case.

NODES_INCLUDE=["n8n-nodes-base.httpRequest","n8n-nodes-base.slack","n8n-nodes-base.code"]

Docs: Nodes environment variables | n8n Docs

One caveat: it doesn’t work for credential-only nodes (HTTP Request integrations like Datadog, Zabbix, etc.) - I’ve opened a separate feature request for that Allow NODES_INCLUDE/NODES_EXCLUDE to filter credential-only nodes (HTTP Request integrations)

Hope this help :folded_hands:

3

Thanks for your response,

I am aware of those environment variable, but it is near impossible to include/exclude big number of nodes. The purpose of this feature is to provide an easy way for administrator to manage what is allowed/blocked on instance level and provide project level granolarity

1 Like