K2 Five Forum

VA1 · ‎05-13-2022

Given a K2 process instance ID, we would like to determine whether a specific user is authorized to access that instance. Access should be allowed when at least 1 of the following conditions are met

1. The user has a task assigned in the process instance
2. The user had actioned the process instance at some point i.e. Participated in the workflow
3. The user has View or View Participate or Admin rights on the process

Loosely speaking, this corresponds to process rights but at a process *instance* level instead of a process *set* level.

Any ideas appreciated. Thanks.

SteveBarnard · ‎05-17-2022

The best way to accomplish what you are asking here is by making use of a properly thought out category security model. You can read more about this here.

Take note of the different levels of permissions to be granted (i.e. view/execute etc).

VA1 · ‎05-17-2022

Steve - I am not sure I understand your suggestion. The Category system can certainly be used to restrict access to smart objects but that wasn't my question. My question was about how to determine whether a given user has access to a specific process instance.

What am I missing?

SteveBarnard · ‎05-17-2022

Hi

Can you please clarify what you mean by access to a specific instance?

VA1 · ‎05-17-2022

My original post on this thread outlined the specific requirements.

SteveBarnard · ‎05-17-2022

A user will have "access" when a task is assigned to them or a group that they are in.

I would suggest granting participate permissions if the requirement is that they need to see the reporting data for instances in which they have participated.

I understand you are looking for a smart object to return this data for you - however using system smartobjects is not intended for usage outside of the management site (read. internal).

Permissions are granted at a category/item level, workflow level but not per instance specifically.

VA1 · ‎05-17-2022

Steve - Understood. However, we are looking to implement this functionality as part of a internal API layer that mediates access between a React application UI and the K2 engine. So the service account that implements this API needs this ability to impersonate an end user and take actions on their behalf e.g. start a workflow, action it, check access to requested process instance, show me all workflows I participated in and so on.

Are you saying this is not possible?

SteveBarnard · ‎05-17-2022

In that case I would look at the Tasks smart objet and the Reporting Smartobjects for an OOB approach.

VA1 · ‎05-17-2022

Would you mind pointing out specific smart objects in the Reporting category that may help here? And where can I find the Tasks smart object?

SteveBarnard · ‎05-17-2022

These can be surfaced by using the Rest API

K2 Five Forum

Which Smartobject shows process instance permissions?

K2 Five

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?

Re: Which Smartobject shows process instance permissions?