Workflow security
This section contains information about security for workflow-related objects.
The security administration group
When you configure the workflow system security connection, you must specify a group to be the workflow system administration group. You specify this group in the administration console on the General tab of the workflow system. This group:
- Has full rights to each workflow roster and queue.
- Can unlock work items that are currently locked by other users.
Important tips regarding security
Be aware of the following items when you assign access rights to workflow rosters and queues.
| If... | then... |
|---|---|
| the user is a member of the workflow system administration group, | the user automatically has full rights to each roster and queue, even if you don't explicitly assign access rights to the user. |
| you do not assign anyone to a specific access right for a roster or queue, | you give everyone this specific access right to the workflow roster or queue. For example, if you only assign Query access rights to a user, the user can still create or process workflows if you have not explicitly assigned those access rights for the workflow roster or queue, respectively. Important: To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage. |
Workflow roster and queue security
The system administrator can assign access rights to workflow rosters, work queues, and user queues. The following table describes the capabilities that are granted for each access right.
| In a... | having this access right... | means you can... |
|---|---|---|
| Workflow roster | Query | View the roster summary of the work item. You can also view the work item itself if you have read access to the queue containing the work item. |
| Workflow roster | Create | Launch a workflow. |
| Workflow roster | Query & Create | Do both of the above. |
| Work or component queue | Query | View work items. |
| Work or component queue | Process | Lock, modify, save, and complete work items. (The Process option alone, without Query, is valid only if there are no other users with the Query option selected.) Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
| Work or component queue | Query & Process | View and process work items in the queue. |
| User queue (a database table with a server specification, such as Inbox(0)) | Query | View work items. |
| User queue (a database table with a server specification, such as Inbox(0)) | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
| User queue (user's subset of work items in the queue, such as Inbox) | No access rights | View work items assigned to you. In addition, you can lock, modify, save, and complete work items assigned to you. Note that you do not have full access to the work item: you can only see and modify those data fields, workflow groups, and attachments to which the workflow author has given you access. |
| User queue (user's subset of work items in the queue, such as Inbox) | Query | View work items assigned to you. |
| User queue (user's subset of work items in the queue, such as Inbox) | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
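The two rules that most often surprise administrators are in the tips table and the access-right table above: an access right left blank is granted to everyone (so assigning only Query to a user does not stop that user from creating or processing), and Process without Query is only valid when nobody else holds Query. The following model encodes those documented rules so the effective rights of a user can be worked out and a configuration can be audited for unintentionally open rights. It is an added illustration, not the product's own API or data model; the class names, the sample roster and queue, the group name WorkflowAdmins and the user names are constructed for the example.

```python
"""
Model of the documented access-right evaluation for workflow rosters and queues.
Added example: the names below (AccessControl, Principal, WorkflowAdmins, the
sample roster and queue) are constructed and are not part of the product.
"""
from dataclasses import dataclass, field

# Rights that can be assigned on each kind of object (from the access-right table).
ROSTER_RIGHTS = ("Query", "Create")
QUEUE_RIGHTS = ("Query", "Process")

# All-inclusive groups that the documentation says not to assign.
ALL_INCLUSIVE_GROUPS = {"Domain Users"}


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class AccessControl:
    """Rights assigned on one roster or queue.

    rights maps a right name to the set of users/groups it is assigned to.
    A missing key or an empty set means the right was left blank, which the
    documentation says grants it to everyone.
    """
    name: str
    kind: str  # "roster" or "queue"
    rights: dict = field(default_factory=dict)

    def applicable_rights(self):
        return ROSTER_RIGHTS if self.kind == "roster" else QUEUE_RIGHTS


def has_right(acl, principal, right, admin_group):
    """Effective check for one right, in the documented order of precedence."""
    # Members of the workflow system administration group have full rights.
    if admin_group in principal.groups:
        return True
    assigned = acl.rights.get(right, set())
    # A right that nobody is assigned is open to every user.
    if not assigned:
        return True
    # Otherwise the user needs a direct assignment or one via a group.
    return principal.name in assigned or bool(principal.groups & assigned)


def effective_rights(acl, principal, admin_group):
    """Set of rights the principal actually holds on the roster or queue."""
    return {r for r in acl.applicable_rights()
            if has_right(acl, principal, r, admin_group)}


def audit(acl):
    """Flag configurations that grant more than the administrator may intend."""
    findings = []
    for right in acl.applicable_rights():
        if not acl.rights.get(right):
            findings.append(f"{acl.name}: '{right}' is unassigned, so every user has it")
        elif acl.rights[right] & ALL_INCLUSIVE_GROUPS:
            findings.append(f"{acl.name}: '{right}' is assigned to an all-inclusive group")
    # Process without Query is only valid if no other user holds Query.
    if acl.kind == "queue":
        query_holders = acl.rights.get("Query", set())
        for holder in acl.rights.get("Process", set()):
            if query_holders and holder not in query_holders:
                findings.append(
                    f"{acl.name}: '{holder}' has Process but not Query while others hold Query")
    return findings


# Constructed sample configuration.
ADMIN_GROUP = "WorkflowAdmins"
# Query was assigned to alice, but Create was left blank.
loan_roster = AccessControl("LoanRoster", "roster", {"Query": {"alice"}})
# bob was given Process directly but is not in the group that holds Query.
review_queue = AccessControl("ReviewQueue", "queue",
                             {"Query": {"Reviewers"}, "Process": {"Reviewers", "bob"}})
# Both rights explicitly assigned to a specific group: nothing left open.
hardened_queue = AccessControl("HardenedQueue", "queue",
                               {"Query": {"Reviewers"}, "Process": {"Reviewers"}})

alice = Principal("alice")
bob = Principal("bob")
carol = Principal("carol", {ADMIN_GROUP})

if __name__ == "__main__":
    for acl in (loan_roster, review_queue, hardened_queue):
        for p in (alice, bob, carol):
            print(acl.name, p.name, sorted(effective_rights(acl, p, ADMIN_GROUP)))
        for finding in audit(acl):
            print("  AUDIT:", finding)
```

Running it shows bob holding Create on LoanRoster despite never being assigned anything there, which is the situation the tips table warns about; the audit output names the blank right so it can be filled in deliberately.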
System configuration security
In addition to controlling access to the Process Configuration Console application, you can control changes to the workflow system configuration by means of the group assigned as the workflow system configuration group. You assign this group when you configure the workflow system security groups in the administration console. If this group is assigned, only users who belong to that group or to the workflow system administration group can modify the system configuration through Process Configuration Console or the related APIs. Modifying the system configuration includes the following actions:
- Initializing or emptying an isolated region.
- Removing the workflow database.
- Setting system-wide user information.
- Configuring workflow rosters, queues, and event logs.
- Setting region-wide configuration values.
Workflow definition security
The access rights you assign when saving a workflow definition have the following effect:
| If the workflow has this access right... | in Process Designer, you can... |
|---|---|
| View | open the workflow definition and launch a workflow. |
| Author | open, check out, and modify a workflow definition. |