Given a K2 process instance ID, we would like to determine whether a specific user is authorized to access that instance. Access should be allowed when at least 1 of the following conditions is met:

1. The user has a task assigned in the process instance
2. The user had actioned the process instance at some point, i.e. participated in the workflow
3. The user has View or View Participate or Admin rights on the process

Loosely speaking, this corresponds to process rights but at a process *instance* level instead of a process *set* level.

Any ideas appreciated. Thanks.

The best way to accomplish what you are asking here is by making use of a properly thought-out category security model. You can read more about this here.

Take note of the different levels of permissions to be granted (i.e. view/execute etc.).

Steve - I am not sure I understand your suggestion. The Category system can certainly be used to restrict access to smart objects but that wasn't my question. My question was about how to determine whether a given user has access to a specific process instance.

What am I missing?


Hi

Can you please clarify what you mean by access to a specific instance?

My original post on this thread outlined the specific requirements.

A user will have "access" when a task is assigned to them or a group that they are in.

I would suggest granting participate permissions if the requirement is that they need to see the reporting data for instances in which they have participated.

I understand you are looking for a smart object to return this data for you; however, using system SmartObjects is not intended for usage outside of the management site (read: internal).

Permissions are granted at a category/item level, workflow level but not per instance specifically.

Steve - Understood. However, we are looking to implement this functionality as part of an internal API layer that mediates access between a React application UI and the K2 engine. So the service account that implements this API needs this ability to impersonate an end user and take actions on their behalf, e.g. start a workflow, action it, check access to requested process instance, show me all workflows I participated in and so on.

Are you saying this is not possible?


In that case I would look at the Tasks smart object and the Reporting SmartObjects for an OOB approach.

Would you mind pointing out specific smart objects in the Reporting category that may help here? And where can I find the Tasks smart object?


These can be surfaced by using the REST API.

Your link was titled REST but it redirected to the OData API documentation. Anyway, I do understand that OData can be used to provide access to smart objects; my follow-up question to your suggestion to use Tasks and Reporting smart objects was... exactly which smart objects are you recommending? I browsed around but could not find anything appropriate.

I think it best that we move this conversation to a TAS session. Please contact your account manager to help you set this up; that way we can ensure that we are being attentive and approaching your requirements holistically.

Hi VA1,

I think there are a couple of ways to approach this. You can try the Process Set Permissions SmartObject. It's a system SmartObject under SystemManagementWorkflowsSmartObjects, and it will require Admin server right via Management site.

Alternatively, you can try the K2 APIs. The Workflow Management API will allow you to do that. A while back, I had this sample code for debugging; perhaps this will work for your scenario. I would also recommend getting in touch with the Service team for a more in-depth review of your requirement.

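```csharp
using SourceCode.Workflow.Management;

// Assumes workflowServer is an already-open WorkflowManagementServer connection.
ProcSetPermissions procPermissions = new ProcSetPermissions();

// Need the process set ID of the process.
procPermissions.ProcSetID = 9;

// Permissions is a collection of ProcSetPermissions entries for the process set.
Permissions theRight = workflowServer.GetProcessUserPermissions(9);

// Iterate the entries as ProcSetPermissions (the element type), not Permissions.
foreach (ProcSetPermissions item in theRight)
{
    System.Console.WriteLine("Your permission " + item.ToString());
    System.Console.Read();
}
```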

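The three conditions from the original question, written as a deny-by-default check for the internal API layer described in the thread. This is an added example, not code from any poster or from K2: `IInstanceAccessSource`, `AccessReason`, `InstanceAccess`, the user and group names and instance ID 42 are hypothetical, and each lookup would have to be backed by real K2 data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical lookups the API layer would back with K2 data (worklist,
// reporting data, process rights). These are not K2 types.
public interface IInstanceAccessSource
{
    IEnumerable<string> TaskAssignees(int procInstId);    // users or groups holding a task
    IEnumerable<string> PastParticipants(int procInstId); // users who actioned the instance
    bool HasProcessRight(int procInstId, string user);    // View, View Participate or Admin
    IEnumerable<string> GroupsOf(string user);
}
public enum AccessReason { Denied, TaskAssigned, Participated, ProcessRight }

public static class InstanceAccess
{
    // 'user' must be the identity the API layer authenticated, not a name
    // supplied by the client, since the service account acts on its behalf.
    public static AccessReason Check(IInstanceAccessSource src, int procInstId, string user)
    {
        if (src == null) throw new ArgumentNullException(nameof(src));
        if (string.IsNullOrWhiteSpace(user)) return AccessReason.Denied;
        // Assumption: user and group names compare case-insensitively.
        var cmp = StringComparer.OrdinalIgnoreCase;
        var principals = new HashSet<string>(src.GroupsOf(user), cmp) { user };
        if (src.TaskAssignees(procInstId).Any(a => principals.Contains(a)))
            return AccessReason.TaskAssigned;   // condition 1, direct or via a group
        if (src.PastParticipants(procInstId).Contains(user, cmp))
            return AccessReason.Participated;   // condition 2
        if (src.HasProcessRight(procInstId, user))
            return AccessReason.ProcessRight;   // condition 3
        return AccessReason.Denied;             // unknown instance or no match
    }
}

// Constructed sample data, for illustration only.
class SampleSource : IInstanceAccessSource
{
    public IEnumerable<string> TaskAssignees(int id) => id == 42 ? new[] { "Finance" } : Array.Empty<string>();
    public IEnumerable<string> PastParticipants(int id) => id == 42 ? new[] { "DOMAIN\\bob" } : Array.Empty<string>();
    public bool HasProcessRight(int id, string user) => user == "DOMAIN\\dave";
    public IEnumerable<string> GroupsOf(string user) => user == "DOMAIN\\alice" ? new[] { "Finance" } : Array.Empty<string>();
    static void Main()
    {
        var s = new SampleSource();
        foreach (var u in new[] { "DOMAIN\\alice", "DOMAIN\\bob", "DOMAIN\\carol", "DOMAIN\\dave" })
            Console.WriteLine(u + ": " + InstanceAccess.Check(s, 42, u));
    }
}
```

Returning the reason rather than a bare boolean lets the API layer log which condition granted access to each instance request.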