Workflow Security

Understanding User Permissions during Workflow Runtime

During runtime, the Workflow runs its inner activities using the permissions of the user that executed the Workflow. To better understand this process, you should know the types of workflow users:

  • Workflow Executor

    This is the user that runs the Workflow. When a Workflow is executed, it uses the permissions of the executor to perform the activities. This is the default security context of the Workflow.

  • Workflow Creator

    This is the user that creates and deploys the Workflow. The Workflow creator should be a user with sufficient privileges in case some of the workflow activities require higher capabilities, such as accessing the CommServe database.

Although the Workflow executor determines the permissions to be used during runtime, some workflow activities let you run certain activities with the permission level of another user.

A good example is when you are using the CommServDBQuery activity in your Workflow. This activity requires a user with high CommCell capabilities. If you are a user with sufficient privileges, you can use the impersonateCreator activity to run the CommServe query, and therefore allow other users with lower permissions to execute your workflow. After the CommServDBQuery activity is done, you can revert to using the executor’s permissions by using the impersonateExecutor activity.
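The impersonation bracket described above can be reviewed mechanically before a Workflow is deployed. The following is an added example, not code from the product: it assumes the Workflow has been written down as a flat, ordered list of activity names (a constructed representation, not the product's workflow definition format; branches are not modelled), and ActivityA and ActivityB are hypothetical placeholder names.

```python
# Added example: lints a flat, ordered list of activity names (an assumed,
# constructed representation of a Workflow) for impersonation scoping problems.
PRIVILEGED = {"CommServDBQuery"}    # activities the page says need high capabilities
TO_CREATOR = "impersonateCreator"
TO_EXECUTOR = "impersonateExecutor"


def lint_workflow(activities):
    """Return a list of (index, activity, finding) tuples; empty means clean."""
    findings = []
    context = "executor"            # default security context when a Workflow starts
    for i, name in enumerate(activities):
        if name == TO_CREATOR:
            context = "creator"
        elif name == TO_EXECUTOR:
            context = "executor"
        elif name in PRIVILEGED and context == "executor":
            # Works only if every executor already holds high capabilities.
            findings.append((i, name, "privileged activity runs as executor"))
        elif name not in PRIVILEGED and context == "creator":
            # Elevation is wider than the one activity that needs it.
            findings.append((i, name, "non-privileged activity runs as creator"))
    if context == "creator":
        findings.append((len(activities), None,
                         "workflow ends without impersonateExecutor"))
    return findings


# Constructed samples; ActivityA/ActivityB are hypothetical placeholder names.
GOOD = ["ActivityA", "impersonateCreator", "CommServDBQuery",
        "impersonateExecutor", "ActivityB"]
BAD = ["CommServDBQuery", "impersonateCreator", "CommServDBQuery",
       "ActivityA", "ActivityB"]

if __name__ == "__main__":
    for label, flow in (("GOOD", GOOD), ("BAD", BAD)):
        print(label)
        results = lint_workflow(flow) or [(None, None, "no findings")]
        for idx, name, finding in results:
            print(f"  {idx}: {name}: {finding}")
```

A clean result means every CommServDBQuery runs with the creator's permissions and nothing else does.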

Configuring Users to Operate Workflows

By default, any CommCell user can create and save a Workflow. However, if the Workflow needs to be deployed, the user must belong to a CommCell group that is:

  • configured with the Agent Management capability
  • associated to the client computer where the Workflow Engine is installed

Workflow activities that need access to the CommServe database require higher CommCell capabilities. See Assigning Capabilities to a User Group for more information on available capabilities and how to set them.

Configuring Workflow Permissions

By default, Workflows can be viewed and managed by the user that created them and by the CommCell administrator. You can configure a workflow to be available to other users and user groups. This mechanism allows the Workflow creator to share a Workflow with other users as well as restrict the operations that they can perform, such as editing or deleting the Workflow.

If there are users that require your Workflow as an activity in their Workflows, but you do not want to give them full access, you can associate those users to your Workflow and assign them the Execute capability. This will only allow them to run your Workflow within their Workflow.

The following sections describe the steps to configure the security properties of a Workflow.

Setting the Users, User Groups and Capabilities of a Workflow

  1. From the CommCell Browser, navigate to Workflows.
  2. Right-click the <Workflow> and click Properties.
  3. Click the Security tab.
  4. Do one of the following:
    • To grant permissions for a new user or user group, click Add and select the user and/or user group name.
    • To modify permissions for an existing user or user group, select the user and/or user group name.
  5. Select the capabilities that you want the user or user group to have towards the workflow. The following capabilities are available:
    • View - to view the workflow and workflow jobs.
    • Edit - to view, modify and deploy the workflow.
    • Execute - to run the workflow and also manage the workflow job run by the user.
    • Job Management - to manage all running jobs for the workflow.
    • Delete - to delete the workflow.
  6. Click OK.

Removing an Existing User or User Group

  1. From the CommCell Browser, navigate to Workflows.
  2. Right-click the <Workflow> and click Properties.
  3. Click the Security tab.
  4. Select the user and/or user group that you want to remove and then click Remove.

    If you want to keep the user listed but remove all Workflow permissions, then clear all the Capability check boxes.

  5. Click OK.