Help for Process Engine Reference
About workflow security

Following is information about security for workflow-related objects.

Additional privileges for the Process Engine administrative group

A user who is a member of the Process Engine administrators group (PEAdministrators by default for Workplace and SysAdminG for FileNet Web Services Client or Open Client):

  • Has full rights to each workflow roster and queue.
  • Can unlock work items that are currently locked by other users.
  • Can access all workflow applications (FileNet Web Services Client or Open Client only).

Important tips regarding security

The following are several items to be aware of when assigning access rights to workflow rosters and queues.

  • If the user is a member of the Process Engine administrators group (PEAdministrators by default for Workplace and SysAdminG for FileNet Web Services Client or Open Client), then the user automatically has full rights to each roster and queue, even if you do not explicitly assign access rights to that user.
  • If you do not assign anyone to a specific access right for a roster or queue, then everyone has that access right to the roster or queue.

CAUTION To give a specific access right to all users, leave the access right blank. Do not assign a group such as "Domain Users," which adversely affects database and memory usage.

TIP To prevent (nearly) everyone from accessing a roster or queue, assign at least one user to each possible access right for the roster or queue. For example, to prevent most access to a queue, assign the Query & Process access right to one member of the Process Engine administrators group, who has implicit access to the queue anyway.

Workflow roster and queue security

Using the Process Configuration Console, the system administrator can assign access rights to workflow rosters, work queues, and user queues. The following table describes what each access right allows you to do.

In a...                  having this access right...   means you can...

Workflow roster
  Query                  View the roster summary of the work item. You can also view the work item itself if you have read access to the queue containing the work item.
  Create                 Launch a workflow.
  Query & Create         Do both of the above.

Work or component queue
  Query                  View work items.
  Query & Process        Lock, modify, save, and complete work items.

  CAUTION See Component queue security issues for important security-related information.

User queue (a database table with a server specification, such as Inbox(0))
  Query                  View work items.
  Query & Process        Lock, modify, save, and complete work items.

User queue (user's subset of work items in the queue, such as Inbox)
  No access rights       View work items assigned to you. In addition, you can lock, modify, save, and complete work items assigned to you. Note that you do not have full access to the work item: you can see and modify only those data fields, workflow groups, and attachments to which the workflow author has given you access.
  Query                  View work items assigned to you.
  Query & Process        Lock, modify, save, and complete work items.

Note that for work, component, and user queues, Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control.
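The following is an added example, not code from the FileNet product or its documentation. It models the roster and queue access-right rules stated above (administrators have full rights implicitly; a right left blank is open to everyone) as a small audit helper that lists blank rights and applies the TIP of assigning one administrator to each. The group names, queue, and users in the sample are constructed; the right names are the ones in the table.

```python
from dataclasses import dataclass, field

# Default PE administrators group for Workplace (SysAdminG for FileNet Web Services Client or Open Client)
PE_ADMIN_GROUP = "PEAdministrators"
QUEUE_RIGHTS = ("Query", "Query & Process")          # work or component queue
ROSTER_RIGHTS = ("Query", "Create", "Query & Create")

@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset

@dataclass
class Acl:
    """Rights of one roster or queue: right -> explicitly assigned user or
    group names. An empty set means the right was left blank in the console."""
    name: str
    rights: dict = field(default_factory=dict)

def holds_right(acl, right, who):
    """Effective access, following the rules on this page."""
    if PE_ADMIN_GROUP in who.groups:
        return True                       # administrators: full rights, implicitly
    assigned = acl.rights.get(right, set())
    if not assigned:
        return True                       # nobody assigned: everyone has the right
    return who.name in assigned or bool(who.groups & assigned)

def open_rights(acl, all_rights):
    """Rights that were left blank and are therefore open to every user."""
    return [r for r in all_rights if not acl.rights.get(r)]

def lock_down(acl, all_rights, admin_member):
    """The page's TIP: assign one PE administrator to every blank right, so the
    right is no longer open to everyone (the administrator had it anyway)."""
    for r in all_rights:
        if not acl.rights.get(r):
            acl.rights[r] = {admin_member}
    return acl

# Constructed sample: a work queue whose Query & Process right was left blank.
LOAN_QUEUE = Acl("LoanReview", {"Query": {"LoanOfficers"}})
ALICE = Principal("alice", frozenset({"LoanOfficers"}))
BOB = Principal("bob", frozenset())                      # not in any group
CAROL = Principal("carol", frozenset({PE_ADMIN_GROUP}))  # PE administrator
```

Before lock_down, open_rights reports "Query & Process" as blank and bob (in no group) can lock and complete work items; afterwards only carol, the administrator, holds that right.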

Application security

You can restrict the ability to run certain applications by using the optional group that corresponds to the application. If the optional group is defined, the requirement for running the corresponding application is as follows:

If this group exists...   then to run...                  you must belong to one of these groups...
                                                          for Workplace        for FileNet Web Services Client or Open Client
PWAdministrator           Process Administrator           PWAdministrator      PWAdministrator or SysAdminG
PWDesigner                Process Designer                PWDesigner           PWDesigner or SysAdminG
PWConfiguration           Process Configuration Console   PWConfiguration      PWConfiguration or SysAdminG
PSConsole                 Simulation Console              PSConsole            PSConsole or SysAdminG
PSDesigner                Simulation Designer             PSDesigner           PSDesigner or SysAdminG

If the optional group is not defined, any user can run the associated application. Note that viewing, opening, and modifying work items is still controlled by the access rights defined by your system administrator for each workflow roster or queue.

System configuration security

In addition to controlling access to the Process Configuration Console application, you can control changes to the Process Engine system configuration by use of the optional group SysConfigG. If this group is not defined, any user can modify the Process Engine system configuration. If the group is defined, only those users who belong to this group or the Process Engine administrators group (PEAdministrators by default for Workplace and SysAdminG for FileNet Web Services Client or Open Client) can modify the system configuration.

The restricted configuration modifications are:

  • Initializing or emptying an isolated region.
  • Removing the workflow database.
  • Setting system-wide user information.
  • Configuring workflow rosters, queues, and event logs.
  • Setting region-wide configuration values.

TIP If your directory service allows nested groups, make the SysConfigG group a member of the PWConfiguration group to allow all users who can make security changes to have access to the Process Configuration Console.

Workflow definition security

The access rights you assign when saving a workflow definition have the following effect:

If the workflow has this access right...   in Process Designer, you can...
View                                       open the workflow definition and launch a workflow.
Author                                     open, check out, and modify a workflow definition.

Process Engine users and groups

The Process Engine installation creates the following users and groups. These users and groups should not be deleted.

Users           Groups
f_maint         fnadmin
fnsw            fnop
SysAdmin        fnusr
FieldService
Operator