Workspace Process Rights... the definitive answer?

  • 13 October 2014
  • 6 replies
  • 3 views
S
Userlevel 3
Badge +16

Hi all,

 

I keep getting conflicting advise on this one, but once and for all can anyone tell me exactly which tickboxes have to be ticked in Workspace for rights to be correctly assigned for a Workflow Process for the following:

 

1) I want all Domain users to be able to access the form and submit the request, which then triggers a workflow prcoess.

2) What tickboxes are needed for the Authorisers on the Process? The Authorisers will approve/decline the requests via EMAIL only.

 

Its all a bit confusing, so a simple answer would be great.

 

Thanks

6 replies

A
Badge +9

1) Definitely start rigths. Might want to sprink some view or view/particpate, but definitely start rights.

2) If they email is going to the they should be able to action it.

S
Badge +10

Simple answer is Start and View Participate.

T
Badge +10

Thought I would add to this thread.  You can normally think of permissions in 2 ways.  First as users that need to start a process and second as users that will need to run reports and/or look at the viewflow diagram.

 

Start permissions: Users that need to start the process:

 

Note:  Users assigned as destination users within the workflow:  No permissions are necessary to be set in the K2 Workspace for them to complete their tasks.  As soon as the workflow process assigns them as a destination user they have permissions to perform that task.

 

Reporting (including looking at the K2 viewflow diagram)

 

View Participate permissions:  To view K2 reports or to look at the viewflow diagram of process instances when you've been assigned as a destination user you can use View Participate permissions.  However, it’s NOT recommended to give View Participate permissions to all users (domain users group for example) as it might affect reporting performance since K2 needs to do extra queries to see if that person was assigned as a destination user in a particular process instance.   One common misunderstanding with view participate is that if a user started a process instance and even though the user has view participate permissions on a process they still can’t look at reports on that process instance or see the view flow if they haven’t been assigned as a destination user in that process.

 

View permissions:   Can run reports and see the viewflow diagram of all instances of that process.  Typically given to the business owners.

 

Hope this helps.

Tim

 

S
Badge +10

To add to what timkin said,

 

View Participate and View would be set according to what visibility you want the users to have on the other processes. 

 

@timkin: If you want to use view particiapate, but want the process originator to have visibility of the requests they started and not other requests in that process, could you maybe get round this by having a activity with destination as the originator but a placeholder event. Or does the activity need to have a form event to qualify.

S
Badge +8

Permission in K2 are far too broad, IMHO.  For example, for a business owner to be able to redirect or terminate an instance of his process, he has to have admin rights on the process, which also grants him lots of other things you probably don't want them to be able to do.  Instead, they have to call the IT department everytime they need to take one of these actions.  We implemented more than a little code to work around this particular annoyance, but it is workable.

 

For most of our processes, we grant all domain users Start and View rights.  If a particular process needs authorization rules, we push that to the application layer where the application can make decision like "Did this user originate this process?" or "Was this process submitted on behalf of this user?"  or "Is this person an admin user who can do anything?"  This allows as to customize the authorization rules per process (or even per process instance) and not have to mess around (too much) with K2's identity cache.

T
Badge +10

Hi  @s0m3one

 

In reply to your suggestion I typically create a "Withdraw" activity that gets assigned to the originator that allows the user to basically cancel or Withdraw their request.  This handles the scenario of someone accidently hitting submit too quickly or something changed and the process no longer applies.  It also then allows for the View Participate permissions to be applied to see the view flow.  However, there are situations were you simply don't want to allow the user to cancel a process and your suggestion of creating an activity with a placeholder event and assigning it to the originator appears to work just fine in my tests.  Good suggestion.

 

I also agree with  @sbrownhuntoilco that  there should be more granular permissions available.  I run into this scenario a lot and although there are custom code solutions available not everyone wants to go that route and it would be great to have an out of the box feature and interface to use.

 

Regards,

Tim

 

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings