Forum Discussion

KH1's avatar
KH1
Contributor II
5 days ago

Workflow Profile Hierarchies: Security Model | Application Security Roles v Workflow Security

Please share your practical advice to secure Workflow Profile Hierarchies per the two requirements below. Thank you.

A. Workflow Profile Hierarchies: Admin v Builder/Business
0. 'Cube Root Workflow Profiles' | Admin and Business | Top Level Cube_suffix
1. 'Default/Child Workflow Profile Types' | Admin/Business 'Cube Root Workflow Profiles'
2. Admin 'Parent/Child Workflow Profile Types' | Admin/Business 'Cube Root Workflow Profiles'
3. Business 'Parent/Child Workflow Profile Types' | Business 'Cube Root Workflow Profiles

B. Two Workflow Requirements: Admin v Builder/Business
1. Builder not allowed to see/create/edit:
- Admin 'Cube Root Workflow Profiles'
- 'Default/Child' and Admin 'Parent/Child Workflow Profile Types' | Admin 'Cube Root Workflow Profiles'
- 'Default/Child Workflow Profile Types' | Business 'Cube Root Workflow Profiles'
- Admin 'Parent/Child Workflow Profile Types' | Business 'Cube Root Workflow Profiles'
2. Admin/Builder allowed to see/create/edit:
Business 'Cube Root Workflow Profiles'
-- Business 'Parent Workflow Profile Types': Review, Base Input, Parent Input
-- Business 'Child Workflow Profile Types': Import, Forms, Journals

C. Security Model: Application Security Roles + Workflow Security | Admin v Builder/Business
0. Security Groups: 'Admin Roles and Builder Roles' and Child Groups = 'Admin Roles' + 'Builder Roles'
1. Application Security Roles | Manage Workflow Profiles = 'Admin Roles and Builder Roles'
2. Workflow Security = 'Admin Roles' = Admin/Business 'Default Workflow Profile Types'
3.1. Workflow Security = 'Admin Roles' = Admin 'Cube Root Workflow Profiles'
3.2. Workflow Security = 'Admin Roles' = Admin 'Parent Workflow Profile Types'
4.1. Workflow Security = 'Builder Roles' = Business 'Cube Root Workflow Profiles'
4.2 Workflow Security = 'Builder Roles' = Business 'Parent Workflow Profile Types'

D. Security Model Results: Admin v Builder/Business
- 1 + 2 + 3 + 4 = Workflow Requirement 1 = Fail
- 1 + 2 + 3 + 4 = Workflow Requirement 2 = Succeed

Thank you, SMEs.

Workflow Profile Hierarchies and Security Model

 

Data Integration
Forms
Import
Journals
Workflow

1 Reply

  • MarcusH's avatar
    MarcusH
    Valued Contributor
    16 hours ago

    The basic set up for managing Workflow Profiles is that the user must have Application User Interface: WorkflowProfilesPage. Then if you give the user the Application Security Role ManageWorkflowProfiles, they have access to manage all Workflow Profiles. If the user does not have that permission, the user's access to the Maintenance Group on each Workflow Profile is evaluated. That's it.

    A couple of things to bear in mind outside of the Manage Workflows area. Application Security Role ManageWorkflowProfiles gives the user permission to clear stage data as well i.e. they can click Load and Import and clear the data. They will need additional security for the Transformation Rules though.

    Secondly check if you are using the function GetCubeRootInfo anywhere in Business Rules. The user must have maintenance access to the cube root workflow profile for that to work. Workaround is to query the database directly to get the info.