AX2728

About workflow and plan file security

In order to use workflow to control access to plan files, plan file security permissions for users and roles should be set as follows:

  • For every user whom you want to participate in the workflow, enable the Interacts with Process Management option for the plan file permission in security. This option can be set at the role level or at the user level.

  • The other plan file permissions for the user or role can be set to any level, including No Access. These "baseline" security permissions determine the user's access level when no workflow is active for the file group.

  • However, if a workflow is active for the file group, then workflow will elevate the user's permissions as needed if they are a stage owner. Otherwise, the user's baseline security permissions apply.

When a user is a stage owner for a plan file, workflow will elevate the user's permissions as needed if Interacts with Process Management is enabled. The elevation works as follows, depending on the stage type:

  • Edit Stages: If the user is the current owner of a plan file for an edit stage, that user's rights to the plan file will be temporarily elevated to the equivalent of Read/Write and Save Data for the duration of the stage. Once the plan file is submitted to the next stage, the user's rights to the plan file will revert to their baseline security permissions.

  • Review Stages: If the user is the current owner of a plan file for a review stage, that user's rights to the plan file will be read only, unless the review stage has been configured to allow reviewers to edit the plan file. If reviewers can edit the file, then the user's rights will be temporarily elevated to the equivalent of Read/Write and Save Data for the duration of the stage. Once the plan file is approved or rejected, the user's rights to the plan file will revert to their baseline security permissions.

Keep in mind the following regarding the interaction between security and workflow:

  • Workflow does not grant permissions to plan files, it only elevates existing permissions. If a user is assigned as the stage owner for a plan file, but the user does not have a permission set that includes that plan file, then the user cannot be the stage owner and the plan file will stall in the workflow.

  • Workflow only elevates user permissions, it does not decrease user permissions. If a user has read/write permission to a particular plan file, then that level of permission is always available to the user, regardless of whether a workflow is active and whether the user is the current stage owner.

  • When individual users are assigned as stage owners, the user is not required to have the Interacts with Process Management permission in order to be the stage owner. If the user already has the appropriate level of permissions in security to access the plan file and complete their workflow tasks, then Interacts with Process Management has no effect. However, if you need workflow to elevate the user's permissions, then Interacts with Process Management must be enabled.

  • When roles are assigned as stage owners, then users in the role must have the Interacts with Process Management permission in order to be one of the stage owners. See Role assignments, security, and stage ownership for more information.

Administrators always have full access to plan files and file groups, regardless of their Security or Workflow settings.

Examples of workflow interacting with security permissions

The following examples are intended to help illustrate how workflow works in conjunction with security permissions to control access to plan files.

Example 1: No Access

  • This user's configured access is No Access to plan file 27000, which means that under normal circumstances the user cannot see or open this plan file.

  • Because Interacts with Process Management is checked, when the user is the owner of the active workflow stage, their access will be elevated as appropriate for the stage (for example Read/Write and Allow Save Data for an Edit stage).

  • For the duration of the stage, the user will be able to access and edit the file, and save data from the file (if applicable). Once the user completes the workflow task and the plan file moves on to the next stage, the user will no longer be the stage owner and they will revert to having no access.

  • The user must have a permission set with Interacts with Process Management enabled in order for workflow to elevate the permissions. If the user just has no permissions to a particular plan file, and that user is assigned as a stage owner, then workflow has no impact on the user and the plan file workflow will stall when it enters the stage.

Plan file permissions for Example 1

Example 2: Read-Only Access

  • This user's configured access is Read Only to plan file 27000, which means that under normal circumstances the user can see the plan file and open it as read-only.

  • Because Interacts with Process Management is checked, when the user is the owner of an active workflow stage, their access will be elevated as appropriate for the stage (for example Read/Write and Allow Save Data for an Edit stage).

  • For the duration of the stage, the user will be able to edit the file, and save data from the file (if applicable). Once the user completes the workflow task and the plan file moves on to the next stage, the user will no longer be the stage owner and they will revert to read-only access.

  • If Interacts with Process Management was not checked, then the user could still be assigned as a stage owner, but workflow would not elevate their permissions. If the stage was an Edit stage, the user would be unable to edit the plan file.

Plan file permissions for Example 2

If the user has Read/Write and Allow Save Data permissions, then Interacts with Process Management is not required to be checked if the user is directly assigned as the stage owner, because the user already has the full level of permissions that could be granted by workflow. However, if the stage ownership assignment is through a role rather than for the user directly, then Interacts with Process Management must be checked if you want the user to be a stage owner.

Role assignments, security, and stage ownership

If the assigned stage owner for a plan file is a role, then the specific stage owners are determined as follows:

  • All users assigned to the role are eligible to be stage owners, regardless of the specific role permissions for the plan file and regardless of the role inheritance settings defined for the user. The role assignment simply defines the list of potential owners.

  • If a user within the role has any permission set for the file group that includes the plan file AND has Interacts with Process Management enabled, then that user is assigned as a stage owner. It does not matter whether that permission set is associated with the assigned role. The permission set can be defined at the user level, or defined for any role that the user belongs to, or result from some combination of user and role permissions (when using Combine inheritance).

For example, imagine that a user has Read/Write and Allow Save Data permissions set at the user level, and the user belongs to a role named Budget Workflow. If Budget Workflow is assigned as the stage owner, then the user must have Interacts with Process Management enabled in order to be a stage owner. If Interacts with Process Management is not enabled for the user, then the user will not be a stage owner, even though they have permission to the plan file and they belong to the role.

Now imagine a user who belongs to two roles, Budget Workflow and Finance. The Budget Workflow role does not grant the user any particular plan file permissions, but the Finance role includes the plan file in its filter and also has Interacts with Process Management enabled. If Budget Workflow is assigned as the stage owner, then the user will be a stage owner due to the permission they inherit from the Finance role. The user's membership in Budget Workflow makes the user eligible to be a stage owner, and then at that point all permission sets for the user are evaluated to determine whether they will be a stage owner.

Lastly, imagine that the Budget Workflow role itself includes the plan file in its filter and has Interacts with Process Management enabled. If Budget Workflow is assigned as the stage owner, then all users who belong to the role will be stage owners, because they are all inheriting the permission from the role. The only exception is any user with their role inheritance set to None. However, even in that case the user could be a stage owner if they have another permission set with rights to the file and Interacts with Process Management enabled.

See also