Workflow rosters and queues

Process Engine defines and enforces security for the rosters and queues used in processing workflows.

Workflow security

Using Process Configuration Console, you can assign access rights to workflow rosters, work queues, component queues, and user queues. The following table describes what each access right allows you to do.

| In a... | having this access right... | means you can... |
| --- | --- | --- |
| Workflow roster | Query | View the roster summary of the work item. You can also view the work item itself if you have read access to the queue containing the work item. |
| Workflow roster | Create | Launch a workflow. |
| Workflow roster | Query & Create | Do both of the above. |
| Work or component queue | Query | View work items. |
| Work or component queue | Process | Lock, modify, save, and complete work items. (The Process option alone—without Query—is valid only if there are no other users with the Query option selected.) Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
| Work or component queue | Query & Process | View and process work items in the queue. CAUTION: See Component queue security issues for important security-related information. |
| User queue (a database table with a server specification, such as Inbox(0)) | Query | View work items. |
| User queue (a database table with a server specification, such as Inbox(0)) | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
| User queue (user's subset of work items in the queue, such as Inbox) | No access rights | View work items assigned to you. In addition, you can lock, modify, save, and complete work items assigned to you. Note that you do not have full access to the work item—you can only see and modify those data fields, workflow groups, and attachments to which the workflow author has given you access. |
| User queue (user's subset of work items in the queue, such as Inbox) | Query | View work items assigned to you. |
| User queue (user's subset of work items in the queue, such as Inbox) | Query & Process | Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |

Important tips regarding security

The following are several items to be aware of when assigning access rights to workflow rosters and queues.

| If... | then... |
| --- | --- |
| the user is a member of the Process Engine Administrator Group, | the user automatically has full rights to each roster and queue, even if you don't explicitly assign him access rights. |
| you do not assign anyone to a specific access right for a roster or queue, | you give everyone this specific access right to the workflow roster or queue. For example, if you only assign Query access rights to a user, the user can still create or process workflows if you have not explicitly assigned those access rights for the workflow roster or queue, respectively. |

CAUTION  To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage.

TIP To prevent (nearly) everyone from accessing a workflow roster or queue, assign at least one user to each possible access right for the workflow roster or queue. For example, to prevent most access to a queue, assign the Query & Process access right to one member of the Process Engine Administrator Group, who has implicit access to the queue anyway.
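
The rules above (a blank access right is open to everyone, and administrators have implicit full rights) can be checked with a small audit. This is an added example, not Process Engine code or an IBM API: the data model, the names `effective_rights` and `audit`, and the sample rosters, queues, and users are all constructed, group membership is assumed to be already expanded to user names, and a combined right such as Query & Process is assumed to be recorded as membership in both individual rights.

```python
# Constructed model (not a Process Engine API): each roster or queue maps an
# individual access right to the set of users explicitly assigned to it.
RIGHTS = {"roster": ("Query", "Create"), "queue": ("Query", "Process")}

def effective_rights(kind, assignments, user, admins):
    """Return the rights `user` holds on one roster or queue."""
    if user in admins:
        # Administrator group members have full rights without assignment.
        return set(RIGHTS[kind])
    held = set()
    for right in RIGHTS[kind]:
        assigned = assignments.get(right, set())
        # A right with nobody assigned is granted to everyone; otherwise
        # only the explicitly assigned users hold it.
        if not assigned or user in assigned:
            held.add(right)
    return held

def audit(objects):
    """Return (name, right) pairs that are blank and therefore open to all."""
    findings = []
    for name, (kind, assignments) in sorted(objects.items()):
        for right in RIGHTS[kind]:
            if not assignments.get(right):
                findings.append((name, right))
    return findings

# Constructed sample configuration.
ADMINS = {"pe_admin"}
OBJECTS = {
    # Only Query was assigned, so Create is still open to every user.
    "Claims roster": ("roster", {"Query": {"alice"}}),
    # Locked down as in the TIP: one administrator holds Query & Process.
    "Review queue": ("queue", {"Query": {"pe_admin"}, "Process": {"pe_admin"}}),
}

if __name__ == "__main__":
    for name, right in audit(OBJECTS):
        print(f"{name}: '{right}' is blank, so every user holds it")
    for user in ("alice", "bob", "pe_admin"):
        for name, (kind, assignments) in sorted(OBJECTS.items()):
            held = sorted(effective_rights(kind, assignments, user, ADMINS))
            print(f"{user} on {name}: {held or 'no access'}")
```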