Following is information about security for workflow-related objects.
When configuring the Process Engine security connection via Process Task Manager, you must assign a user through which to connect to the directory service. See Configure Process Engine security for additional information. In addition, you must specify a group to be the Process Engine Administrator Group.
A user who is a member of the Process Engine Administrator Group:
The following are several items to be aware of when assigning access rights to workflow rosters and queues.
If... | then... |
---|---|
the user is a member of the Process Engine Administrator Group, | the user automatically has full rights to each roster and queue, even if you don't explicitly assign him access rights. |
you do not assign anyone to a specific access right for a roster or queue, |
you give everyone this specific access right to the workflow roster or queue. For example, if you only assign Query access rights to a user, the user can still create or process workflows if you have not explicitly assigned those access rights for the workflow roster or queue, respectively. CAUTION To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage. |
TIP To prevent (nearly) everyone from accessing a workflow roster or queue, assign at least one user to each possible access right for the workflow roster or queue. For example, to prevent most access to a queue, assign the Query & Process access right to one member of the Process Engine Administrator Group, who has implicit access to the queue anyway.
Using Process Configuration Console, the system administrator can assign access rights to workflow rosters, work queues, and user queues. The following table describes what each access right allows you to do.
In a... | having this access right... | means you can... |
---|---|---|
Workflow roster | Query |
View the roster summary of the work item. You can also view the work item itself if you have read access to the queue containing the work item. |
Create |
Launch a workflow. | |
Query & Create |
Do both of the above. | |
Work or component queue | Query |
View work items. |
Process | Lock, modify, save, and complete work items. (The Process option alone—without Query—is valid only if there are no other users with the Query option selected.) Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
|
Query & Process |
View and process work items in the queue. CAUTION See Component queue security issues for important security-related information. | |
User queue (a database table with a server specification, such as Inbox(0)) | Query | View work items. |
Query & Process |
Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. | |
User queue (user's subset of work items in the queue, such as Inbox) | No access rights |
View work items assigned to you. In addition, you can lock, modify, save, and complete work items assigned to you. Note that you do not have full access to the work item—you can only see and modify those data fields, workflow groups, and attachments to which the workflow author has given you access. |
Query | View work items assigned to you. | |
Query & Process |
Lock, modify, save, and complete work items. Note that Process access applies to the queue in which the work item is locked, rather than to the destination queue (the queue to which the work item is dispatched upon completion of the step). The destination is under system, not user, control. |
You can restrict the ability to run certain Process applications by specifying users or groups to the corresponding role.
NOTE The names of the roles can change; the following table refers to the default role name.
This role... |
controls access to this application... |
---|---|
PWAdministrator |
Process Administrator |
PWDiagram | Process Designer, Diagram mode |
PWDesigner |
Process Designer, Design mode and Diagram mode |
P8BPMProcess DesignerEX | Microsoft Visio import in Process Designer |
PWConfiguration |
Process Configuration Console |
PSConsole | Simulation Console |
PSDesigner | Simulation Designer |
Note that viewing, opening, and modifying work items is still controlled by the access rights defined by your system administrator for each workflow roster or queue.
In addition to controlling access to Process Configuration Console application, you can control changes to the Process Engine system configuration by use of the group assigned to the Process Engine Configuration Group. You assign this group when configuring the Process Engine security connection in Process Task Manager. If this group is assigned, only those users who belong to the group or the Process Engine Administrator Group can modify the system configuration via Process Configuration Console or the related APIs.
The restricted configuration modifications are:
TIP If your directory service allows nested groups, make the Process Engine Administrator Group a member of the PWConfiguration group to allow all users who can make security changes to have access to Process Configuration Console.
The access rights you assign when saving a workflow definition have the following effect:
If the workflow has this access right... |
in Process Designer, you can... |
---|---|
View |
open the workflow definition and launch a workflow. |
Author |
open, check out, and modify a workflow definition. |