Restrict Users from Locking the Workflow Profile (Review, Base Input, Parent Input) Steps

VishalPai
Contributor

@OSAdmin 

Is there a way through which a OneStream user's ability to use/view the Lock/Unlock options on Workflow Profile (Review, Base Input, Parent Input) steps can be restricted/disabled? We have provided the below application security roles to Admins only; still, users having access to their respective workflow have the right-click lock/unlock option.

VishalPai_0-1672214048814.png

VishalPai_1-1672214097948.png

Thanks

Vishal Pai


ChrisLoran
Valued Contributor

Hello,
The Security Roles you mention are only really relevant in the batch-mode / multi-period workflow page (where you select the year instead of a month, on a monthly workflow for example):

ChrisLoran_0-1672235099521.png

I am not aware of a way to remove the option for normal users so that they don't see the Lock workflow option (for their own workflow steps). However, you can use an event handler to block non-administrators from locking or unlocking a workflow, and show an error message accordingly.

You can create a WorkflowEventHandler, and add this snippet into it:

If args.OperationName.Equals(BREventOperationType.Workflow.WorkflowLock) _
OrElse args.OperationName.Equals(BREventOperationType.Workflow.WorkflowUnlock) Then

	' Act on the "before" event so the lock/unlock can be stopped before it is applied.
	If args.IsBeforeEvent Then
		' Only members of this security group may lock or unlock workflows.
		Dim requiredGroupAccess As String = "Group_LockWF"
		Dim bCanLock As Boolean = BRApi.Security.Authorization.IsUserInGroup(si, si.UserName, requiredGroupAccess, True)
		If Not bCanLock Then
			' Throwing here makes the lock/unlock operation fail with this message.
			Throw New XFException(si, "User does not have permission to lock workflows", si.UserName)
		End If
	End If

End If

This intercepts the attempted locking action and causes the locking/unlocking process to fail if the user isn't in the specified security group ("Group_LockWF" in this example).
The drawbacks of this workaround are:

a) It doesn't hide the Lock/Unlock options from the user
b) Because it generates an Exception, the information in the system error log will look like a business rule has failed execution, and this may raise a few concerns unless you know it's an intentional Exception being thrown.

You may like to raise an idea on IdeaStream so that Lock and Unlock for individual workflows are added as new/separate security roles, so they don't even appear if the user doesn't have access to Lock/Unlock.

Thanks @ChrisLoran