
Configure user accounts to allow (or disable) starting, and participating in, workflows. 

Required User Permissions for Workflows

Actions on workflows can be undertaken if:

  • you are working with the admin account
  • the account has been assigned to the default group workflow-users:
    • this group holds all the privileges necessary for your users to perform workflow actions.
    • when the account is in this group it only has access to workflows that it has initiated.
  • the account has been assigned to the default group workflow-administrators:
    • this group holds all the privileges necessary for your privileged users to monitor and administer workflows.
    • when the account is in this group it has access to all workflows.


These are the minimum requirements. Your account must also be either the assigned participant or a member of the assigned group to take specific steps.

Configuring Access to Workflows

Workflow models inherit a default access control list (ACL) that controls how users can interact with workflows. To customize user access for a workflow, modify the ACL of the workflow model node in the repository.


For information about using CRXDE Lite to configure ACLs, see Access Right Management.

The following example restricts content authors from starting a workflow called mymodel. To restrict access, the Authors group is denied read access to the node.


The following diagram shows the default ACL for mymodel (the default ACL for all new models). The Authors group is a member of the contributor group, so Authors are allowed the jcr:read privilege for the node. As authors have read-access to the model, the workflow is available when authoring pages.


The following procedure adds an access control entry (ACE) that denies the jcr:read privilege for the content-authors group.

  1. Open CRXDE Lite in your web browser (for example, http://localhost:4502/crx/de).

  2. In the node tree, select the node for the workflow model (/etc/workflow/models/mymodel).

  3. Click the Access Control tab.

  4. In the Applicable Access Control Policy table, click the plus icon.

  5. In the Access Control List table, click the plus icon to add a new ACE with the following properties:

    • Principal: content-authors
    • Type: Deny
    • Privileges: jcr:read

    The Effective Access Control Policies table now includes the restriction for content-authors.

  6. Click Save All.

    The mymodel workflow is no longer available to members of the content-authors group.
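
The same ACE can be applied from code, so the restriction is repeatable across instances instead of depending on manual steps in CRXDE Lite. The following is an added example, not part of the original help page or the product's own code: it uses the standard JCR and Apache Jackrabbit access control APIs, the class name WorkflowModelAcl is hypothetical, and it assumes the caller supplies a session that is allowed to modify access control on the model node.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/** Added example (hypothetical class): deny jcr:read on a workflow model node. */
public final class WorkflowModelAcl {

    // Values taken from the procedure on this page.
    static final String MODEL_PATH = "/etc/workflow/models/mymodel";
    static final String PRINCIPAL = "content-authors";

    /**
     * Adds the deny ACE and saves. Returns true if the ACL was changed,
     * false if an equivalent entry was already present.
     */
    public static boolean denyRead(Session session) throws RepositoryException {
        if (!session.nodeExists(MODEL_PATH)) {
            throw new RepositoryException("Workflow model not found: " + MODEL_PATH);
        }
        Principal group = ((JackrabbitSession) session)
                .getPrincipalManager().getPrincipal(PRINCIPAL);
        if (group == null) {
            // Do not write a policy for a principal that does not exist.
            throw new RepositoryException("Unknown principal: " + PRINCIPAL);
        }
        // Returns the ACL bound to the node, or the applicable one if none is set yet.
        JackrabbitAccessControlList acl =
                AccessControlUtils.getAccessControlList(session, MODEL_PATH);
        if (acl == null) {
            throw new RepositoryException("No modifiable ACL for " + MODEL_PATH);
        }
        Privilege[] read =
                AccessControlUtils.privilegesFromNames(session, Privilege.JCR_READ);
        boolean changed = acl.addEntry(group, read, false); // false = Type: Deny
        if (changed) {
            AccessControlManager acm = session.getAccessControlManager();
            acm.setPolicy(MODEL_PATH, acl); // bind the modified ACL to the node
            session.save();                 // equivalent of Save All
        }
        return changed;
    }
}
```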