About workflow security
Following is information about security for workflow-related objects.
Additional privileges for the Process Engine administrative group
A user who is a member of the Process Engine administrators group (PEAdministrators by default for Workplace and SysAdminG for FileNet Web Services Client or Open Client):
- Has full rights to each workflow roster and queue.
- Can unlock work items that are currently locked by other users.
- Can access all workflow applications (FileNet Web Services Client or Open Client only).
Important tips regarding security
The following are several items to be aware of when assigning access rights
to workflow rosters and queues.
| If... | then... |
|---|---|
| the user is a member of the Process Engine administrators group (PEAdministrators by default for Workplace and SysAdminG for FileNet Web Services Client or Open Client), | the user automatically has full rights to each roster and queue, even if you don't explicitly assign him access rights. |
| you do not assign anyone to a specific access right for a roster or queue, | you give everyone this specific access right to the roster or queue. |

CAUTION To give a specific access right to all users, leave the access right blank. Do not assign a group such as "Domain Users," which adversely affects database and memory usage.

TIP To prevent (nearly) everyone from accessing a roster or queue, assign at least one user to each possible access right for the roster or queue. For example, to prevent most access to a queue, assign the Query & Process access right to one member of the Process Engine administrators group, who has implicit access to the queue anyway.
Workflow roster and queue security
Using the Process Configuration Console,
the system administrator can assign access rights to workflow rosters,
work queues, and user queues. The following table describes what each
access right allows you to do.
| In a... | having this access right... | means you can... |
|---|---|---|
| Workflow roster | Query | View the roster summary of the work item. You can also view the work item itself if you have read access to the queue containing the work item. |
| Workflow roster | Create | Launch a workflow. |
| Workflow roster | Query & Create | Do both of the above. |
| Work or component queue | Query | View work items. |
| Work or component queue | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. CAUTION See Component queue security issues for important security-related information. |
| User queue (a database table with a server specification, such as Inbox(0)) | Query | View work items. |
| User queue (a database table with a server specification, such as Inbox(0)) | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
| User queue (user's subset of work items in the queue, such as Inbox) | No access rights | View work items assigned to you. In addition, you can lock, modify, save, and complete work items assigned to you. Note that you do not have full access to the work item: you can only see and modify those data fields, workflow groups, and attachments to which the workflow author has given you access. |
| User queue (user's subset of work items in the queue, such as Inbox) | Query | View work items assigned to you. |
| User queue (user's subset of work items in the queue, such as Inbox) | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
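The following is an added example, not code from the FileNet documentation or product: a small model of how the rules in the tips table and the roster/queue rights table above combine to give a user's effective rights, including the "blank right means everyone" behaviour and the lock-down pattern from the TIP. All sample users, the clerks group and the ACL contents are constructed assumptions; the treatment of Query & Create and Query & Process as pairs of individual rights is a modelling assumption.

```python
# Added example (not part of the FileNet documentation): models how the
# Process Engine resolves a user's effective rights on a roster or queue.
# Sample users, the "clerks" group and the ACLs below are constructed.
PE_ADMIN_GROUP = "PEAdministrators"   # default PE administrators group (Workplace)

# Modelling assumption: "Query & Create" / "Query & Process" are treated as
# the pair of individual rights they name.
RIGHTS = {"roster": ("Query", "Create"), "queue": ("Query", "Process")}


def effective_rights(kind, acl, user, groups):
    """Return the set of rights `user` holds on a roster ("roster") or queue ("queue").

    acl maps each access right to the principals (user or group names)
    explicitly assigned to it. A right that is absent, or mapped to an
    empty list, has been "left blank" in the Process Configuration Console.
    """
    rights = RIGHTS[kind]
    # Members of the PE administrators group have full rights implicitly,
    # regardless of the explicit assignments.
    if PE_ADMIN_GROUP in groups:
        return set(rights)
    principals = {user} | set(groups)
    granted = set()
    for right in rights:
        assigned = set(acl.get(right, ()))
        # A blank access right is granted to everyone (see the CAUTION above).
        if not assigned or principals & assigned:
            granted.add(right)
    return granted


def can_query_and_process(acl, user, groups):
    """True if the user may lock, modify, save and complete queue work items."""
    return {"Query", "Process"} <= effective_rights("queue", acl, user, groups)


def locked_down_acl(kind, admin_user):
    """Apply the TIP above: assign one PE administrator to every right so that
    no right is left blank; only that admin (and the PE admin group) keep access."""
    return {right: [admin_user] for right in RIGHTS[kind]}


# Constructed sample: the Query right names the clerks group, but the Process
# right was never assigned, so Process is silently open to every user.
PARTIAL_ACL = {"Query": ["clerks"]}
```

Running `effective_rights("queue", PARTIAL_ACL, "alice", set())` shows the trap the CAUTION warns about: a user outside the clerks group still holds Process on that queue because the right was left blank.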
Application security
You can restrict the ability to run certain applications by using the
optional group that corresponds to the application. If the optional group
is defined, the requirement for running the corresponding application
is as follows:
| If this group exists... | then to run... | you must belong to one of these groups (for Workplace)... | you must belong to one of these groups (for FileNet Web Services Client or Open Client)... |
|---|---|---|---|
| PWAdministrator | Process Administrator | PWAdministrator | PWAdministrator or SysAdminG |
| PWDesigner | Process Designer | PWDesigner | PWDesigner or SysAdminG |
| PWConfiguration | Process Configuration Console | PWConfiguration | PWConfiguration or SysAdminG |
| PSConsole | Simulation Console | PSConsole | PSConsole or SysAdminG |
| PSDesigner | Simulation Designer | PSDesigner | PSDesigner or SysAdminG |
If the optional group is not defined, any user can run the associated
application. Note that viewing, opening, and modifying work items is still
controlled by the access rights defined by your system administrator for
each workflow roster or queue.
System configuration security
In addition to controlling access to the Process Configuration Console application, you can control changes to the Process Engine system configuration by use of the optional group SysConfigG. If this group is not defined, any user can modify the Process Engine system configuration. If the group is defined, only those users who belong to this group or the Process Engine administrators group (PEAdministrators by default for Workplace and SysAdminG for FileNet Web Services Client or Open Client) can modify the system configuration.
The restricted configuration modifications are:
- Initializing or emptying an isolated region.
- Removing the workflow database.
- Setting system-wide user information.
- Configuring workflow rosters, queues, and event logs.
- Setting region-wide configuration values.
TIP If your directory service allows nested groups, make the SysConfigG group a member of the PWConfiguration group to allow all users who can make security changes to have access to the Process Configuration Console.
Workflow definition security
The access rights you assign when saving a workflow definition have the
following effect:
| If the workflow has this access right... | in Process Designer, you can... |
|---|---|
| View | open the workflow definition and launch a workflow. |
| Author | open, check out, and modify a workflow definition. |
Process Engine users and groups
The Process Engine installation creates the following users and groups. These users and groups should not be deleted.
| Users | Groups |
|---|---|
| f_maint, fnsw, SysAdmin, FieldService, Operator | fnadmin, fnop, fnusr |