TransformationEventHandler and ManageWorkflowProfiles Security Role


We have a TransformationEventHandler that adds missing members that is kicked off by the 


Select Case args.OperationName
	Case Is = BREventOperationType.Transformation.ParseAndTrans.ProcessTransformationRules
		'Suspense Invalid Members
		If suspenseInvalid Then Me.XFR_HandleProcessTransRules_SuspenseInvalid(si, globals, api, args)
		'Create Invalid Members
		If createInvalid Then Me.XFR_HandleProcessTransRules_SuspenseInvalid(si, globals, api, args)
End Select


Our security profile assigns different groups to each workflow's execution group. This prevents users in one entity from seeing or executing workflows for another entity. When a user in an execution group tries to import or retransform data, they get the following error: 

Unable to execute Business Rule 'TransformationEventHandler'.
Security Access Error. User is not authorized to access workflow profile.


We can avoid this error by setting the ManageWorkflowProfiles security role to the same group that executes the workflow or to 'Everyone', but then the members of that group can see all the workflows.

Any ideas on how to allow the workflow's execution group to perform the import or retransform without triggering the error?




It looks like the user needs to have Access to the Workflow right as well. Workflow Execute security access does not give the user Workflow Access security. If you add the Execute group as a child of the Access group that should solve the problem (I think).

The user is assigned to the group that is assigned to the Access, Workflow Execution, and the Certification SignOff groups:

[Screenshot: 2023-07-19 14_09_12-OneStream.png]


This setting triggers the error. However, if we assign the group to the ManageWorkflowProfiles role, the error is not triggered. However, when that is done, the users in that group can see all workflows.

It looks like they need access to the Maintenance group as well. I would create a test security group and assign it to the Maintenance group on a workflow and then assign the user to that group. 

Adding the group to Maintenance doesn't work.

[Screenshot: 2023-07-20 11_14_22-OneStream.png]

Hi @Gidon_Albert
Did you manage to solve this?
