You can set security levels on workflow rosters, work queues, user queues, and component queue. The security levels you set affect the user's access to the work items contained in the roster or queue.
The following table describes conditions to be aware of when assigning access rights to workflow rosters and queues.
If... | Then... |
---|---|
The user is a member of the workflow_system_admin_group group: | The user automatically has full rights to each roster and queue, even if you do not explicitly assign the user access rights. |
You do not assign anyone to a specific access right for a roster or queue: | You give everyone this specific access right to the workflow
roster or queue. For example, if you assign Query access rights only
to a user, the user can still create or process workflows if you do
not explicitly assign those access rights for the workflow roster
or queue, respectively. Attention: To give a specific
access right to all users, leave the access right blank. Do not assign
an all-inclusive group such as Domain Users (Active Directory). Assigning
large groups to a workflow roster or queue can adversely affect database
and memory usage.
|
If your system uses Active Directory for user authentication, do not use Domain Users to set up permission. This group by default contains all users in the Active Directory. A user can override his default primary group. If you intend to allow all users to access a queue, leave the ACL of the queue empty.
If you put the Domain Users group on the ACL list of a workflow queue, the workflow system creates a database environment record for every user on the Active Directory when expanding the group. This action consumes substantial database and memory resources.
To set security levels:
To set security so that a few users (UserA and UserB) have Process access (they can lock and process items in the queue), while all other users have Query access (they can look at items in the queue, but not change them), select the Process check box and select UserA and UserB. Move them to the Selected users list.
This restricts Process access to UserA and UserB. Since all users (including UserA and UserB) still have Query access by default, all users can list and open the work items in this queue, but not change them.
Specifying Query, Process, or both Query and Process has the following effects:
Selected users | Access | Result |
---|---|---|
UserA and UserB | Process | All users, including UserA and UserB have query access. Only UserA and UserB can process work. |
UserA and UserB | Query and Process | Only UserA and UserB can query and process work. All other users have no access. |
UserA and UserB UserC |
Query and Process Query |
UserA and UserB can query and process work. UserC can query. All other users have no access. |
UserA and UserB UserC |
Process Query |
Error: Only UserC can query; UserA and UserB cannot query,
so they cannot process. To correct this situation, change UserA and UserB to Query and Process. |