IBM FileNet P8, Version 5.2.1            

Setting security levels

You can set security levels on workflow rosters, work queues, user queues, and component queues. The security levels you set affect the user's access to the work items contained in the roster or queue.

The following table describes conditions to be aware of when assigning access rights to workflow rosters and queues.

If... Then...
The user is a member of the workflow_system_admin_group group: The user automatically has full rights to each roster and queue, even if you do not explicitly assign the user access rights.
You do not assign anyone to a specific access right for a roster or queue: You give everyone this specific access right to the workflow roster or queue. For example, if you assign Query access rights only to a user, the user can still create or process workflows if you do not explicitly assign those access rights for the workflow roster or queue, respectively.
Attention: To give a specific access right to all users, leave the access right blank. Do not assign an all-inclusive group such as Domain Users (Active Directory). Assigning large groups to a workflow roster or queue can adversely affect database and memory usage.
Tip: To prevent nearly everyone from accessing a workflow roster or queue, assign at least one user to each possible access right for the workflow roster or queue. For example, to prevent most users from accessing a queue, assign the Query and Process access rights to one member of the workflow_system_admin_group group, who has implicit access to the queue.

If your system uses Active Directory for user authentication, do not use Domain Users to set up permissions. By default, this group contains all users in Active Directory. A user can override his default primary group. If you intend to allow all users to access a queue, leave the ACL of the queue empty.

If you put the Domain Users group on the ACL of a workflow queue, the workflow system creates a database environment record for every user in Active Directory when expanding the group. This action consumes substantial database and memory resources.

To set security levels:

  1. If the Properties window is not already displayed, select the queue, roster, or event log you want to modify and click Properties on the toolbar.
  2. Click the Security tab.
  3. By default when you create a roster or queue, all users have all rights (both Query and Process), as shown in the All users text below the Selected users list. This text updates as you add or remove users from the Selected users list, showing you what rights all remaining users have, given the rights you have assigned to selected users.
  4. To restrict access to specific users, select Query or Process or both check boxes.
  5. Select the users and add them to the list of selected users.
    Tip: All users have Query access unless you restrict Query access by specifying it for one or more specific users. In that case, only those users (and users with both Query and Process access) will have Query access to the queue.
  6. To revoke access rights, select one or more items from the Selected users list and click Remove.

    To change access rights already assigned, right-click one or more items in the Selected users list. From the list, select or clear the access rights you want to change.

  7. Click OK when done.
  8. Click Commit Changes on the toolbar to apply this change to your isolated region.

To set security so that a few users (UserA and UserB) have Process access (they can lock and process items in the queue), while all other users have Query access (they can look at items in the queue, but not change them), select the Process check box and select UserA and UserB. Move them to the Selected users list.

This restricts Process access to UserA and UserB. Since all users (including UserA and UserB) still have Query access by default, all users can list and open the work items in this queue, but not change them.

Specifying Query, Process, or both Query and Process has the following effects:

Table 1. Effects of Query and Process access
| Selected users | Access | Result |
|---|---|---|
| UserA and UserB | Process | All users, including UserA and UserB, have query access. Only UserA and UserB can process work. |
| UserA and UserB | Query and Process | Only UserA and UserB can query and process work. All other users have no access. |
| UserA and UserB; UserC | Query and Process (UserA and UserB); Query (UserC) | UserA and UserB can query and process work. UserC can query. All other users have no access. |
| UserA and UserB; UserC | Process (UserA and UserB); Query (UserC) | Error: Only UserC can query; UserA and UserB cannot query, so they cannot process. To correct this situation, change UserA and UserB to Query and Process. |
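
The rules above (a blank access right is open to everyone, members of workflow_system_admin_group have full rights, and Process is unusable without Query) can be modeled to check a planned assignment before committing it. This Python sketch is an added example, not IBM code or a FileNet API; the function names, the dictionary form of the ACL, and the caller-supplied group membership are assumptions.

```python
# Added illustration of the rules on this page; not IBM code or a FileNet API.
ADMIN_GROUP = "workflow_system_admin_group"
BROAD_GROUPS = {"Domain Users"}   # all-inclusive groups the page says to avoid
RIGHTS = ("Query", "Process")


def effective_rights(acl, user, groups=()):
    """Rights `user` holds on a roster or queue.

    `acl` maps each right to the names assigned to it; an empty or missing
    entry means the right was left blank, so everyone has it. `groups` is the
    caller-supplied group membership of `user` (assumed already resolved).
    """
    principals = {user, *groups}
    if ADMIN_GROUP in principals:
        return set(RIGHTS)                    # implicit full rights
    held = {r for r in RIGHTS
            if not acl.get(r) or principals & set(acl[r])}
    if "Query" not in held:
        held.discard("Process")               # Table 1, last row
    return held


def audit(acl):
    """Findings for the conditions the page warns about (names compared literally)."""
    findings = []
    for right in RIGHTS:
        assigned = set(acl.get(right, ()))
        if not assigned:
            findings.append(f"{right}: blank, so all users have it")
        for group in sorted(assigned & BROAD_GROUPS):
            findings.append(f"{right}: {group} assigned; leave the right blank instead")
    query, process = set(acl.get("Query", ())), set(acl.get("Process", ()))
    if query:
        for name in sorted(process - query):
            findings.append(f"{name}: Process without Query, cannot process work")
    return findings


# Constructed sample: the last row of Table 1 (the error case).
ROW_4 = {"Query": {"UserC"}, "Process": {"UserA", "UserB"}}

if __name__ == "__main__":
    for who in ("UserA", "UserC", "UserD"):
        print(who, sorted(effective_rights(ROW_4, who)))
    print("\n".join(audit(ROW_4)))
```

Because `audit` compares names literally and does not expand groups, a user who receives Query through a group but Process by name is reported and needs a manual check.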



Last updated: October 2015

© Copyright IBM Corporation 2015.