Assigning workflow security levels
You can set security levels on specific areas in an isolated region, such as rosters, and workflow queues. The security levels determine the access users must have to work items that are contained in the roster or workflow queue.
About this task
Condition | Results |
---|---|
The user is a member of the workflow_system_admin_group group: | The user automatically has full rights to each roster and workflow queue, even if you do not explicitly assign the user access rights. |
You do not assign anyone to a specific access right for a roster or workflow queue: | You give everyone this specific access right to the roster
or workflow queue. For example, when you assign access rights to a
roster, you can assign Query access rights to one user, ExampleUserA.
In addition, you do not explicitly assign the Create access right
to any user. Therefore, ExampleUserB can launch process workflows,
but the only user who can query the roster is ExampleUserA. Attention: To give a specific access right to all users, leave
the access right blank. Do not assign an all-inclusive group such
as Domain Users (Active Directory). Assigning large groups to a workflow
roster or queue can adversely affect database and memory usage.
|
If your system uses Active Directory for user authentication, do not use Domain Users to set up permission. This group by default contains all users in the Active Directory. Users can override their default primary group. If you intend to allow all users to access a queue, leave the ACL of the queue empty.
If you put the Domain Users group on the ACL of a workflow queue, the workflow system creates a database environment record for every user on the Active Directory when you expand the group. This action consumes substantial database and memory resources.
Procedure
To assign security levels:
Example
To set security so that a few users (UserA and UserB) have Process access (they can lock and process items in the queue), while all other users have Query access (they can look at items in the queue, but not change them), select the Process option and select UserA and UserB. Move them to the Selected users list.
This restricts Process access to UserA and UserB. Since all users (including UserA and UserB) still have Query access by default, all users can list and open the work items in this queue, but not change them.
Specifying Query, Process, or both Query and Process has the following effects:
Selected users | Access | Result |
---|---|---|
UserA and UserB | Process | All users, including UserA and UserB have query access. Only UserA and UserB can process work. |
UserA and UserB | Query and Process | Only UserA and UserB can query and process work. All other users have no access. |
UserA and UserB UserC |
Query and Process Query |
UserA and UserB can query and process work. UserC can query. All other users have no access. |
UserA and UserB UserC |
Process Query |
Error: Only UserC can query; UserA and UserB cannot query,
so they cannot process. To correct this situation, change UserA and UserB to Query and Process. |