Documentation AEM 6.4 Administering Guide

Managing Access to Workflows

Last update: May 3, 2023

Topics:
Administering

CREATED FOR:

Admin

CAUTION

AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our technical support periods. Find the supported versions here.

Configure ACLs according to user accounts to allow (or disable) starting, and participating in, workflows.

Required User Permissions for Workflows

Actions on workflows can be undertaken if:

you are working with the admin account
the account has been assigned to the default group workflow-users:
- this group holds all the privileges necessary for your users to perform workflow actions.
- when the account is in this group it only has access to workflows that it has initiated.
the account has been assigned to the default group workflow-administrators:
- this group holds all the privileges necessary for your privileged users to monitor and administer workflows.
- when the account is in this group it has access to all workflows.

NOTE

These are the minimum requirements. Your account must also be either the assigned participant or a member of the assigned group to take specific steps.

Configuring Access to Workflows

Workflow models inherit a default access control list (ACL) for controlling how users can interact with workflows. To customize user access for a workflow, modify the Access Control List (ACL) in the repository for the folder containing the workflow model node:

NOTE

For information about using CRXDE Lite to configure ACLs, see Access Right Management.

Apply an ACL for the specific workflow model to /var/workflow/models

If the workflow model is stored within /var/workflow/models then you can assign a specific ACL, relevant to only that workflow, on the folder:

Open CRXDE Lite in your web browser (for example, http://localhost:4502/crx/de).
In the node tree, select the node for the workflow models folder:

/var/workflow/models
Click the Access Control tab.
In the Local Access Control Policies (Access Control List) table, click the plus icon to Add Entry.
In the Add New Entry dialog add a new ACE with the following properties:
- Principal: content-authors
- Type: Deny
- Privileges: jcr:read
- rep:glob: reference to the specific workflow
The Access Control List table now includes the restriction for content-authors on the prototype-wfm-01 workflow model.
Click Save All.

The prototype-wfm-01 workflow is no longer available to members of the content-authors group.

Create a subfolder in /var/workflow/models and apply the ACL to that

Your development team can create the workflows in a sub-folder of

/var/workflow/models

Comparable to the DAM workflows stored under

/var/workflow/models/dam/

You can then add an ACL to the folder itself.

Open CRXDE Lite in your web browser (for example, http://localhost:4502/crx/de).
In the node tree, select the node for the individual folder in the workflow models folder; for example:

/var/workflow/models/prototypes
Click the Access Control tab.
In the Applicable Access Control Policy table, click the plus icon to Add an entry.
In the Local Access Control Policies (Access Control List) table, click the plus icon to Add Entry.
In the Add New Entry dialog add a new ACE with the following properties:
- Principal: content-authors
- Type: Deny
- Privileges: jcr:read
NOTE
As with Apply an ACL for the specific workflow model to /var/workflow/models you can include a rep:glob to limit access to a specific workflow.

The Access Control List table now includes the restriction for content-authors on the prototypes folder.
Click Save All.

The models in the prototypes folder are no longer available to members of the content-authors group.

recommendation-more-help