Set security levels

You can set security levels on workflow rosters, work queues, user queues, and component queue. The security levels you set affect the user's access to the work items contained in the roster or queue. For more information about security levels, see About workflow security.

Important tips regarding security

The following are several items to be aware of when assigning access rights to workflow rosters and queues.

If... then...
the user is a member of the Process Engine Administrator Group, the user automatically has full rights to each roster and queue, even if you don't explicitly assign him access rights.
you do not assign anyone to a specific access right for a roster or queue,

you give everyone this specific access right to the workflow roster or queue. For example, if you only assign Query access rights to a user, the user can still create or process workflows if you have not explicitly assigned those access rights for the workflow roster or queue, respectively.

CAUTION  To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage.

TIP To prevent (nearly) everyone from accessing a workflow roster or queue, assign at least one user to each possible access right for the workflow roster or queue. For example, to prevent most access to a queue, assign the Query & Process access right to one member of the Process Engine Administrator Group, who has implicit access to the queue anyway.

NOTE  If your system uses Active Directory for user authentication, we recommend that you not use 'Domain Users' to set up permission. This group by default will contain all users in the Active Directory. A user can override his default primary group. If you intend to allow all users to access a queue, leave the ACL of the queue empty.

If you put the 'Domain Users' group on the ACL list of a workflow queue, Process Engine creates a database environment record for every user on the Active Directory when expanding the group. This will consume substantial database and memory resources.

To set security levels - config

  1. If the Properties dialog box is not already displayed, select the queue, roster, or event log you want to modify and click Properties on the toolbar.
  2. Select the Security tab.
  3. By default when you create a roster or queue, all users have all rights (both Query and Process), as shown in the All users text below the Selected users list. This text updates as you add or remove users from the Selected users list, showing you what rights all remaining users have, given the rights you have assigned to selected users.
  4. To restrict access to specific users, select Query or Process or both check boxes.

    Select the users and add them to the list of selected users. See Participant selection for information about selecting users.

    See Security example below for examples of use.

    TIP All users have Query access unless you restrict Query access by specifying it for one or more specific users. In that case, only those users (and users with both Query and Process access) will have Query access to the queue.

  5. To revoke access rights, select one or more items from the Selected users list and click Remove.

    To change access rights already assigned, right-click on one or more items in the Selected users list. From the list, select or clear the access rights you want to change.

  6. Click OK when done.
  7. Click Commit Changes on the toolbar to apply this change to your isolated region. See Commit changes for additional information.

Security example

To set security so that a few users (UserA and UserB) have Process access (they can lock and process items in the queue), while all other users have Query access (they can look at items in the queue, but not change them):

This restricts Process access to UserA and UserB. Since all users (including UserA and UserB) still have Query access by default, all users can list and open the work items in this queue, but not change them.

Specifying Query, Process, or both Query and Process has the following effects:

Selected users Access Result
UserA & UserB Process All users, including UserA and UserB have query access.
Only UserA and UserB can process work.
UserA and UserB Query & Process Only UserA and UserB can query and process work.
All other users have no access.

UserA & UserB
UserC

Query & Process
Query

UserA and UserB can query and process work.
UserC can query.
All other users have no access.

UserA & UserB
UserC

Process
Query

Error: Only UserC can query; UserA and UserB cannot query, so they cannot process.

To correct this situation, change UserA and UserB to Query and Process.