Actions on workflows can be undertaken if:
- you are working with the admin account
- the account has been assigned to the default group workflow-users:
- this group holds all the privileges necessary for your users to perform workflow actions.
- when the account is in this group it only has access to workflows that it has initiated.
- the account has been assigned to the default group workflow-administrators:
- this group holds all the privileges necessary for your privileged users to monitor and administer workflows.
- when the account is in this group it has access to all workflows.
These are the minimum requirements. Your account must also be either the assigned participant or a member of the assigned group to take specific steps.
Workflow models inherit a default access control list (ACL) for controlling how users can interact with workflows. To customize user access for a workflow, modify the Access Control List (ACL) for the workflow model node in the repository.
For information about using CRXDE Lite to configure ACLs, see Access Control.
The following example restricts content authors from starting a workflow called mymodel. To restrict access, the Authors group is denied read access to the node:
The following diagram shows the default ACL for mymodel (the default ACL for all new models). The Authors group is a member of the contributor group, so Authors are allowed the jcr:read privilege for the node.
Because authors have read-access to the model, the workflow is available in Sidekick when authoring pages:
The following procedure adds an access list entry (ACE) that denies the jcr:read privilege for the content-author group.