This section contains information about security for workflow-related objects.
When you configure the workflow system security connection, you must specify a group to be the workflow system administration group. You specify this group in the administration console on the General tab of the workflow system.
Be aware of the following items when you assign access rights to workflow rosters and queues.
| If... | then... |
|---|---|
| the user is a member of the workflow system administration group, | the user automatically has full rights to each roster and queue, even if you don't explicitly assign access rights to the user. |
| you do not assign anyone to a specific access right for a roster or queue, | you give everyone this specific access right to the workflow roster or queue. For example, if you only assign Query access rights to a user, the user can still create or process workflows if you have not explicitly assigned those access rights for the workflow roster or queue, respectively. Important: To give
a specific access right to all users, leave the access right blank.
Do not assign an all-inclusive group such as Domain Users (Active
Directory). Assigning large groups to a workflow roster or queue can
adversely affect database and memory usage.
|
The system administrator can assign access rights to workflow rosters, work queues, and user queues. The following table describes the capabilities that are granted for each access right.
| In a... | having this access right... | means you can... |
|---|---|---|
| Workflow roster | Query | View the roster summary of the work item. You can also view the work item itself if you have read access to the queue containing the work item. |
| Create | Launch a workflow. | |
| Query & Create | Do both of the above. | |
| Work or component queue | Query | View work items. |
| Process | Lock, modify, save, and complete work items. (The Process option alone—without Query—is valid only if there are no other users with the Query option selected.) Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
|
| Query & Process | View and process work items in the queue. | |
| User queue (a database table with a server specification, such as Inbox(0)) | Query | View work items. |
| Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
|
| User queue (user's subset of work items in the queue, such as Inbox) | No access rights | View work items assigned to you. In addition, you can lock,
modify, save, and complete work items assigned to you. Note that you do not have full access to the work item—you can only see and modify those data fields, workflow groups, and attachments to which the workflow author has given you access. |
| Query | View work items assigned to you. | |
| Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
You can restrict the ability to run certain Process applications by specifying users or groups to the corresponding role.
Only members of the group (or members of the Application Engine Administrators group) can run the associated application. In addition, members of the PWAdministrator and PWConfiguration roles can view the Admin page. For more information about controlling application access, see Access roles for using Process applications (Workplace and Workplace XT).
Viewing, opening, and modifying work items is controlled by the access rights that are defined by your system administrator for each workflow roster or queue.
In addition to controlling access to Process Configuration Console application, you can control changes to the workflow system configuration by use of the group assigned to the workflow system configuration group. You assign this group when you configure the workflow system security groups in the administration console. If this group is assigned, only those users who belong to the group or the workflow system administration group can modify the system configuration through Process Configuration Console or the related APIs.
The access rights you assign when saving a workflow definition have the following effect:
| If the workflow has this access right... | in Process Designer, you can... |
|---|---|
| View | open the workflow definition and launch a workflow. |
| Author | open, check out, and modify a workflow definition. |