Restrict Users from Locking the Workflow Profile (Review, Base Input, Parent Input) Steps



Is there a way through which OneStream user's ability to use/view the Lock/Unlock options on Workflow Profiles (Review, Base Input, Parent Input) Steps can be restricted/disabled, we have provided below application security roles to Admins Only, still users having access to their respective workflow have the right click - lock/unlock option




Vishal Pai


Valued Contributor

The Security Roles you mention are only really relevant in the batch-mode / multi-period workflow page (where you select the year instead of a month, on a monthly workflow for example):


I am not aware of a way to remove the option for normal users, so they don't see the Lock workflow (for their own workflow steps), however you can use an event handler to block the action of non-administrators from Locking or UnLocking a workflow, and show an error message accordingly:

You can create a WorkflowEventHandler, and add this snippet into it:

If     args.OperationName.Equals(BREventOperationType.Workflow.WorkflowLock) _
OrElse args.OperationName.Equals(BREventOperationType.Workflow.WorkflowUnlock) Then
		If args.IsBeforeEvent
			Dim requiredGroupAccess As String = "Group_LockWF"
			Dim bCanLock As Boolean = BRApi.Security.Authorization.IsUserInGroup(si, si.UserName, requiredGroupAccess, True )
			If Not bCanLock Then
				Throw New XFException(si, "User does not have permission to lock workflows", si.UserName)
			End If
		End If
End If

This intercepts the attempted locking action and causes the locking/unlocking process to fail if the user isn't in the specified security group ("Group_LockWF" in this example).
The drawbacks of this workaround are

a) It doesn't hide the Lock/Unlock options from the user
b) Because it generates an Exception, the information in the system error log will look like a business rule has failed execution, and may raise a few concerns unless you know it's an intentional Exception being thrown.

You may like to raise an idea on IdeaStream so that Lock and Unlock individual workflows are added as new/separate security roles, so they don't even appear if the user doesn't have access to Lock/Unlock. 

Thanks @ChrisLoran