Given a K2 process instance ID, we would like to determine whether a specific user is authorized to access that instance. Access should be allowed when at least 1 of the following conditions are met
1. The user has a task assigned in the process instance
2. The user had actioned the process instance at some point i.e. Participated in the workflow
3. The user has View or View Participate or Admin rights on the process
Loosely speaking, this corresponds to process rights but at a process *instance* level instead of a process *set* level.
Any ideas appreciated. Thanks.
The best way to accomplish what you are asking here is by making use of a properly thought out category security model. You can read more about this here.
Take note of the different levels of permissions to be granted (i.e. view/execute etc).
Steve - I am not sure I understand your suggestion. The Category system can certainly be used to restrict access to smart objects but that wasn't my question. My question was about how to determine whether a given user has access to a specific process instance.
What am I missing?
Steve - Understood. However, we are looking to implement this functionality as part of a internal API layer that mediates access between a React application UI and the K2 engine. So the service account that implements this API needs this ability to impersonate an end user and take actions on their behalf e.g. start a workflow, action it, check access to requested process instance, show me all workflows I participated in and so on.
Are you saying this is not possible?