Shared Responsibility Model
Info: This page is part of the Temporal Knowledge Hub.
Note: Tailor this matrix to clarify ownership boundaries so developers know who to contact.
At ABC Financial, the ownership of Temporal applications is shared between the Temporal Platform Team (who manages Temporal Cloud infrastructure) and Application Teams (who build and run Temporal Workflows).
Key: ✅ = responsible, ❌ = not responsible, 🤝🏼 = shared responsibility
Identity Access Management (IAM)
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Temporal Cloud access (go/temporal-request) | ✅ | ❌ |
| SAML and SCIM configurations | ✅ | ❌ |
| Temporal Cloud user groups | ✅ | ❌ |
| User principal provisioning and de-provisioning | ✅ | ❌ |
| User principal role assignment | ✅ | ❌ |
| API key provisioning | ✅ | ❌ |
Network Connectivity
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Private Connectivity to Temporal Cloud | ✅ | ❌ |
| Firewall rules to Temporal Cloud | ✅ | ❌ |
Data Security
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Data compliance policy | ✅ | ❌ |
| Data Converter implementation | ✅ | ❌ |
| Data Converter usage | ❌ | ✅ |
| Codec Server hosting | ✅ | ❌ |
| Codec Server configuration (per Namespace) | ❌ | ✅ |
Infrastructure
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Temporal Cloud Namespace provisioning (go/temporal-namespace) | ✅ | ❌ |
| Temporal Cloud metrics | ✅ | ❌ |
| Temporal Cloud Namespace rate limits | ❌ | ✅ |
| Temporal Cloud Namespace Capacity | ❌ | ✅ |
| Temporal Cloud audit logs | ✅ | ❌ |
Governance
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Temporal Platform Hub | ✅ | ❌ |
| Temporal developer guide | ✅ | ❌ |
Development
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Workflow development | ❌ | ✅ |
| Automated tests (i.e. unit, integration, replay) | ❌ | ✅ |
| Workflow versioning | ❌ | ✅ |
Worker
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Worker identity authentication policy | ✅ | ❌ |
| Worker identity auth implementation | ❌ | ✅ |
| Worker identity auth rotation | ✅ | ❌ |
| Worker infrastructure health (e.g. Kubernetes health) | ✅ | ❌ |
| Worker deployment health | ❌ | ✅ |
| Worker configurations (i.e. Task Queue, Execution Slots) | 🤝🏼 (defaults) | 🤝🏼 (customization) |
| Worker auto-scaling framework (i.e. KEDA) | ✅ | ❌ |
| Worker auto-scaling configuration | ❌ | ✅ |
Temporal Application Deployment
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Build pipeline for Worker | ✅ | ❌ |
| Artifact management | ✅ | ❌ |
| Workflow versioning management (e.g. Worker Versioning) policy | ✅ | ❌ |
| Worker build (i.e. Workflow and Worker Definition) | ❌ | ✅ |
| Worker build release (i.e. control which build to release and when) | ✅ | ❌ |
Observability
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Observability platform (e.g. Datadog, Dynatrace) | ✅ | ❌ |
| Temporal SDK metrics collection | ✅ | ❌ |
| Temporal SDK metrics configuration | ❌ | ✅ |
| Temporal custom metrics emission | ❌ | ✅ |
| Temporal Cloud metrics collection | ✅ | ❌ |
| Monitoring dashboard (go/temporal-dashboard) | ✅ | ❌ |
| Temporal Cloud platform alerts | ✅ | ❌ |
| Temporal Workflow alerts | ❌ | ✅ |
Operation
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Support coordination with Temporal (the company) | ✅ | ❌ |
| Load testing | ❌ | ✅ |
| Incident response | 🤝🏼 (platform incident) | 🤝🏼 (application incident) |
Cost
| Responsibility | Platform Team | Application Team |
|---|---|---|
| Temporal Cloud platform cost | ✅ | ❌ |
| Temporal Cloud Namespace cost | ❌ | ✅ |
Decision framework
When in doubt, ask yourself:
- Does the issue affect multiple teams or namespaces? → Platform Team
- Is it business logic or application-specific? → Application Team
- Does it require Temporal Cloud Admin access? → Platform Team