Managing Access to Workflows
Configure ACLs according to user accounts to allow (or disable) starting, and participating in, workflows.
Required User Permissions for Workflows
Actions on workflows can be undertaken if:
- you are working with the admin account
- the account has been assigned to the default group workflow-users:
  - this group holds all the privileges necessary for your users to perform workflow actions.
  - when the account is in this group it only has access to workflows that it has initiated.
- the account has been assigned to the default group workflow-administrators:
  - this group holds all the privileges necessary for your privileged users to monitor and administer workflows.
  - when the account is in this group it has access to all workflows.
Configuring Access to Workflows
Workflow models inherit a default access control list (ACL) for controlling how users can interact with workflows. To customize user access for a workflow, modify the Access Control List (ACL) in the repository for the folder containing the workflow model node:
Apply an ACL for the specific workflow model to /var/workflow/models
If the workflow model is stored within /var/workflow/models then you can assign a specific ACL, relevant to only that workflow, on the folder:
- Open CRXDE Lite in your web browser (for example, http://localhost:4502/crx/de).
- In the node tree, select the node for the workflow models folder: /var/workflow/models
- Click the Access Control tab.
- In the Local Access Control Policies (Access Control List) table, click the plus icon to Add Entry.
- In the Add New Entry dialog add a new ACE with the following properties:
  - Principal: content-authors
  - Type: Deny
  - Privileges: jcr:read
  - rep:glob: reference to the specific workflow
  The Access Control List table now includes the restriction for content-authors on the prototype-wfm-01 workflow model.
- Click Save All.
  The prototype-wfm-01 workflow is no longer available to members of the content-authors group.
Create a subfolder in /var/workflow/models and apply the ACL to that
Your development team can create the workflows in a sub-folder of /var/workflow/models, comparable to the DAM workflows stored under /var/workflow/models/dam/. You can then add an ACL to the folder itself.
- Open CRXDE Lite in your web browser (for example, http://localhost:4502/crx/de).
- In the node tree, select the node for the individual folder in the workflow models folder; for example: /var/workflow/models/prototypes
- Click the Access Control tab.
- In the Applicable Access Control Policy table, click the plus icon to Add an entry.
- In the Local Access Control Policies (Access Control List) table, click the plus icon to Add Entry.
- In the Add New Entry dialog add a new ACE with the following properties:
  - Principal: content-authors
  - Type: Deny
  - Privileges: jcr:read
  NOTE: As with Apply an ACL for the specific workflow model to /var/workflow/models, you can include a rep:glob to limit access to a specific workflow.
  The Access Control List table now includes the restriction for content-authors on the prototypes folder.
- Click Save All.
  The models in the prototypes folder are no longer available to members of the content-authors group.
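To confirm that a deny entry created with either procedure above is present in an exported content package, the following added example (not Adobe's code and not part of the original page) parses a FileVault `_rep_policy.xml` and lists the `Deny` `jcr:read` entries for a principal together with their `rep:glob` scope. The sample policy is constructed, and the `rep:glob` value `/prototype-wfm-01` is an assumed reference to the workflow model named above.

```python
import xml.etree.ElementTree as ET

JCR = "{http://www.jcp.org/jcr/1.0}"
REP = "{internal}"  # FileVault serializes the rep: prefix with this namespace

# Constructed sample: the deny entry from the steps above as it would appear
# in an exported /var/workflow/models/_rep_policy.xml. The rep:glob value is
# an assumed reference to the prototype-wfm-01 model.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
    <deny0 jcr:primaryType="rep:DenyACE"
        rep:principalName="content-authors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions"
            rep:glob="/prototype-wfm-01"/>
    </deny0>
</jcr:root>
"""


def parse_aces(policy_xml):
    """Return one dict per ACE, in the order the entries are stored."""
    aces = []
    for node in ET.fromstring(policy_xml):
        kind = node.get(JCR + "primaryType")
        if kind not in ("rep:DenyACE", "rep:GrantACE"):
            continue
        # Multi-value Name property, e.g. "{Name}[jcr:read,jcr:write]"
        raw = node.get(REP + "privileges", "")
        privileges = raw[raw.find("[") + 1:raw.rfind("]")].split(",")
        restrictions = node.find(REP + "restrictions")
        aces.append({
            "principal": node.get(REP + "principalName"),
            "type": "Deny" if kind == "rep:DenyACE" else "Allow",
            "privileges": [p.strip() for p in privileges if p.strip()],
            # None means the entry carries no rep:glob restriction
            "glob": None if restrictions is None else restrictions.get(REP + "glob"),
        })
    return aces


def find_read_denials(policy_xml, principal):
    """rep:glob values of the Deny jcr:read entries for a principal."""
    return [a["glob"] for a in parse_aces(policy_xml)
            if a["principal"] == principal and a["type"] == "Deny"
            and "jcr:read" in a["privileges"]]
```

An empty result for `content-authors` means the exported policy does not contain the restriction, and a `None` entry in the result means the deny applies without a `rep:glob` restriction, as in the subfolder procedure.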