You can set security levels on workflow rosters, work queues, user queues, and component queue. The security levels you set affect the user's access to the work items contained in the roster or queue. For more information about security levels, see About workflow security.
The following are several items to be aware of when assigning access rights to workflow rosters and queues.
If... | then... |
---|---|
the user is a member of the Process Engine Administrator Group, | the user automatically has full rights to each roster and queue, even if you don't explicitly assign him access rights. |
you do not assign anyone to a specific access right for a roster or queue, |
you give everyone this specific access right to the workflow roster or queue. For example, if you only assign Query access rights to a user, the user can still create or process workflows if you have not explicitly assigned those access rights for the workflow roster or queue, respectively. CAUTION To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage. |
TIP To prevent (nearly) everyone from accessing a workflow roster or queue, assign at least one user to each possible access right for the workflow roster or queue. For example, to prevent most access to a queue, assign the Query & Process access right to one member of the Process Engine Administrator Group, who has implicit access to the queue anyway.
NOTE If your system uses Active Directory for user authentication, we recommend that you not use 'Domain Users' to set up permission. This group by default will contain all users in the Active Directory. A user can override his default primary group. If you intend to allow all users to access a queue, leave the ACL of the queue empty.
If you put the 'Domain Users' group on the ACL list of a workflow queue, PE creates a database environment record for every user on the Active Directory when expanding the group. This will consume substantial database and memory resources.
To set security levels - config
Select the users and add them to the list of selected users. See Participant selection for information about selecting users.
See Security example below for examples of use.
TIP All users have Query access unless you restrict Query access by specifying it for one or more specific users. In that case, only those users (and users with both Query and Process access) will have Query access to the queue.
To change access rights already assigned, right-click on one or more items in the Selected users list. From the list, select or clear the access rights you want to change.
To set security so that a few users (UserA and UserB) have Process access (they can lock and process items in the queue), while all other users have Query access (they can look at items in the queue, but not change them):
This restricts Process access to UserA and UserB. Since all users (including UserA and UserB) still have Query access by default, all users can list and open the work items in this queue, but not change them.
Specifying Query, Process, or both Query and Process has the following effects:
Selected users | Access | Result |
---|---|---|
To correct this situation, change UserA and UserB to Query and Process. |