Workflow Security

During runtime, the workflow runs its inner activities using the permissions of the user who executed the workflow. To better understand this process, you should know the types of workflow users:

  • Workflow Executor

    This is the user who executes the workflow. When a workflow is executed, the permissions of the executor are used to perform the activities. This is the default security context of the workflow.

  • Workflow Creator

    This is the user who creates and deploys the workflow. The workflow creator should be a user with permissions sufficient to run workflow activities that require higher permissions, for example, activities that access the CommServe database.

For information on Workflow permissions, see Permissions and Permitted Actions by Feature: Workflow. For information on user security, see Security Associations.

Impersonating Users

Although the workflow executor determines the permissions used during runtime, there are some workflow activities that can execute certain activities using the level of permission from other users:

For example, the CommServDBQuery activity requires a user with high CommCell permissions. If you are a user with sufficient permissions, you can use the impersonateCreator activity to run the CommServe query, and therefore allow users with lower permissions to execute your workflow. After the CommServDBQuery activity is complete, you can revert back to using the executor’s permissions by using the impersonateExecutor activity.

Configuring Workflow Permissions

By default, workflows can be viewed and managed by the user who created them and by the CommCell administrator. You can configure a workflow to be available to other users and user groups. This mechanism allows the workflow creator to share a workflow with other users as well as restrict the operations that they can perform, such as editing or deleting the workflow.

Note: If there are users who require your workflow as an activity in their workflows, but you do not want to give them full access, you can associate those users to your workflow and assign them the Execute Workflow permission. This allows them to only run your workflow within their workflow.

The following sections describe the steps to configure the security properties of a workflow.

Setting the Users, User Groups and Permissions of a Workflow

  1. From the CommCell Browser, go to Workflows.
  2. Right-click the Workflow and click Properties.
  3. Click the Security tab.
  4. Do one of the following:
    • To grant permissions for a new user or user group, click Add and select the user and/or user group name.
    • To modify permissions for an existing user or user group, select the user and/or user group name.

    Note: To allow users or user groups to manage all workflows, assign workflow permissions at the CommCell level. For example, if a user is allowed to delete any workflow, make a security association with the user, the CommCell, and a role containing the Delete Workflow permission.

    For information on creating security associations, see Security Associations.

  5. Under Role, in the Please select Role box, click Custom Role, and then select the permissions you want the user or user group to have towards the workflow.

    For information on permissions, see Permissions and Permitted Actions by Feature.

  6. Click OK.

Removing an Existing User or User Group

  1. From the CommCell Browser, go to Workflows.
  2. Right-click the Workflow and click Properties.
  3. Click the Security tab.
  4. Select the user or user group and then click Remove.

    If you want to keep the user listed but remove all workflow permissions, then clear all of the Allow check boxes.

  5. Click OK.

Last modified: 3/12/2018 4:07:32 PM