IBM FileNet P8, Version 5.2.1            

Assigning workflow security levels

You can set security levels on specific areas in an isolated region, such as rosters and workflow queues. The security levels determine the access that users must have to work items that are contained in the roster or workflow queue.

About this task

The following table describes conditions that you must be aware of when you assign access rights to rosters and workflow queues.

Note: If you are assigning security for an application space, you select the users or groups who have write access to the application space.

| Condition | Results |
| --- | --- |
| The user is a member of the workflow_system_admin_group group | The user automatically has full rights to each roster and workflow queue, even if you do not explicitly assign the user access rights. |
| You do not assign anyone to a specific access right for a roster or workflow queue | You give everyone this specific access right to the roster or workflow queue. For example, when you assign access rights to a roster, you can assign Query access rights to one user, ExampleUserA. In addition, you do not explicitly assign the Create access right to any user. Therefore, ExampleUserB can launch process workflows, but the only user who can query the roster is ExampleUserA. |

Attention: To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage.

Tip: To prevent nearly everyone from accessing a roster or queue, assign at least one user to each possible access right for the roster or queue. For example, to prevent most users from accessing a queue, assign the Query and Process access rights to one member of the workflow_system_admin_group group, who has implicit access to the queue.

If your system uses Active Directory for user authentication, do not use Domain Users to set up permissions. By default, this group contains all users in Active Directory. Users can override their default primary group. If you intend to allow all users to access a queue, leave the ACL of the queue empty.

If you put the Domain Users group on the ACL of a workflow queue, the workflow system creates a database environment record for every user in Active Directory when you expand the group. This action consumes substantial database and memory resources.

Procedure

To assign security levels:

  1. Access the Security tab for the specific application space, roster, or queue in the administration console.
    1. In the domain navigation pane, select the object store.
    2. In the object store navigation pane, click the Administrative > Workflow System > Isolated Regions folder and click the isolated region that you want to work with.
    3. Click the specific area in the isolated region to which you want to assign security levels. For example, click Rosters > DefaultRosters.
    4. In the details pane, click the Security tab.
  2. Select the users and groups to which you want to assign access rights to a roster, workflow queue, or application space. By default, when you create a roster or workflow queue, all users have all rights (both Query and Process). For application spaces, you select the users and groups to which you want to assign write access to the application space.
  3. Save your changes.

Example

To set security so that a few users (UserA and UserB) have Process access (they can lock and process items in the queue), while all other users have Query access (they can look at items in the queue, but not change them), select the Process option and select UserA and UserB. Move them to the Selected users list.

This restricts Process access to UserA and UserB. Since all users (including UserA and UserB) still have Query access by default, all users can list and open the work items in this queue, but not change them.

Specifying Query, Process, or both Query and Process has the following effects:

Table 1. Effects of Query and Process access
| Selected users | Access | Result |
| --- | --- | --- |
| UserA and UserB | Process | All users, including UserA and UserB, have Query access. Only UserA and UserB can process work. |
| UserA and UserB | Query and Process | Only UserA and UserB can query and process work. All other users have no access. |
| UserA and UserB; UserC | Query and Process (UserA and UserB); Query (UserC) | UserA and UserB can query and process work. UserC can query. All other users have no access. |
| UserA and UserB; UserC | Process (UserA and UserB); Query (UserC) | Error: Only UserC can query; UserA and UserB cannot query, so they cannot process. To correct this situation, change UserA and UserB to Query and Process. |
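The rules on this page (a blank access right is granted to everyone, members of workflow_system_admin_group have full rights, and Process is unusable without Query) can be modelled to check a planned queue ACL before you enter it on the Security tab. The following Python model is an added example, not IBM code or a FileNet API; the function names, the dictionary layout, and the sample ACL are assumptions made for illustration.

```python
# Added illustration of the access rules on this page; not FileNet code.
# All names and the ACL layout (right -> set of users/groups) are hypothetical.
ADMIN_GROUP = "workflow_system_admin_group"
BROAD_GROUPS = {"Domain Users"}  # all-inclusive groups the page warns against

# Constructed sample: the last row of Table 1 (the error case).
TABLE1_ROW4 = {"Process": {"UserA", "UserB"}, "Query": {"UserC"}}


def has_right(acl, right, user, groups=()):
    """True if `user` holds `right` ("Query" or "Process") on the queue."""
    if ADMIN_GROUP in groups:
        return True                      # admins have full rights implicitly
    assigned = set(acl.get(right) or ())
    if not assigned:
        return True                      # blank right: everyone has it
    return user in assigned or bool(assigned & set(groups))


def can_process(acl, user, groups=()):
    """Processing work needs Query as well as Process (Table 1, last row)."""
    return (has_right(acl, "Query", user, groups)
            and has_right(acl, "Process", user, groups))


def audit(acl):
    """Return findings for one roster or queue ACL, as a list of strings."""
    findings = []
    for right in ("Query", "Process"):
        assigned = set(acl.get(right) or ())
        if not assigned:
            findings.append(f"{right}: blank, so every user has it")
        for group in sorted(assigned & BROAD_GROUPS):
            findings.append(f"{right}: all-inclusive group '{group}' "
                            "assigned; leave the right blank instead")
    query = set(acl.get("Query") or ())
    process = set(acl.get("Process") or ())
    # Names are compared literally; membership of other groups is not expanded.
    if query and process and not (query & BROAD_GROUPS):
        for name in sorted(process - query):
            findings.append(f"{name}: has Process but not Query, "
                            "so cannot process")
    return findings


if __name__ == "__main__":
    for line in audit(TABLE1_ROW4):
        print(line)
```
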



Last updated: March 2016

© Copyright IBM Corporation 2017.