Note: This documentation gets updated only when necessary, as the product is in sustained mode. For product updates see the Release Notes.

Process Rights

The Management Console in K2 Workspace is superseded by the K2 Management Site and you should use the K2 Management Site to administer your K2 environment, rather than Management Console in K2 Workspace. (In certain cases you may need to use the Management Console in K2 Workspace to perform tasks that are not exposed in the K2 Management Site.)

The Process Rights section is used to set rights and security for individual processes, to determine who may administer, start or report on instances of that process.

Process Rights can also be set per Group/User on multiple processes, see Process Rights (Users)

You normally have to assign security rights for workflows designed in K2 Studio or K2 for Visual Studio the first time the workflow is deployed to a new environment. (K2 Designer for SharePoint and K2 Designer gathers permission settings from the user when the process is designed, but these permissions can be subsequently modified with the Process Rights screen.). Permissions for subsequent deployments of the process do not need to be set, unless you want to modify permissions for each deployment manually. By default, K2 grants the deploying user account Admin rights to the process

Users do not require any particular permission to complete worklist items assigned to them. The fact that the task is assigned to the user implies that the user has permission to complete the task. Therefore, it is not necessary to give any permission to a user who may receive a task somewhere in the workflow and who does not need to start the workflow or report on the workflow.

K2 Security generally follows a permissive-optimistic approach. This means that the higher level of permission takes precedence, so if a user had both “Admin” and “Start” permission on a process through different groups, the Admin permission takes precedence and the user will be able to administer the workflow as well as start the workflow.

Field	Description
User/Group	The name of the user or group.
Admin	Process Administration permission rights.
Start	Process Start permission rights.
View	Process View permission rights.
View Participate	Process View Participate permission rights.
Server Event	Process Server Event permission rights.
Type	User or Group designation.
Add	Click the Add button to add a user to the Process User list.
Save	Click the Save button to save the user configuration to the K2 Workflow Server.

The following Process Rights are available:

Permission	Description	Notes
Admin	Can administer instances of the process (such as Start, Stop, Delete and Redirect) and manage process versions.	Normally assigned to the K2 administrator, and sometimes to helpdesk staff and the process owner. Also allows the user to Start and Viewprocess instances. This right is automatically added for the user that deployed the workflow.
Start	Allows the user to start a process - without it the user will receive an error if attempting to start a process.	Normally given to a large group like “Domain Users” so that anyone can start the process , unless you specifically want to restrict start rights to a particular user or group. A common error is “User does not have sufficient rights to start a process”. This usually means that the Start permission has not been configured for the process, but can also indicate a failure to persist security credentials between machines
View	Can run reports against all instances of the process .	Normally assigned to the process owner, process administrators, management users and sometimes supervisory users. Can report on all instances of the process even if they are not involved in the process instance.
View Participate	When running workflow reports, the user will only see the instances that they were personally involved in (in other words, process instances that they started or where they completed a task item.	Normally assigned to the same group of users that can start the process, so that users can run reports on their own instances. The user will only be able to access process reports and the activity instance once it has reached the activity for which they are a destination user, or if they were the originator of the process instance.
Server Event	User account may complete an asynchronous K2 server event. Asynchronous server events wait for a call-back from the external system to finish the server event. The user account used by the external system must be granted Server Event permissions for it to be allowed to finish the server event.	Used in more advanced scenarios where a specific user account (usually, some other system) will complete an asynchronous server event in the workflow. This normally requires the server event code to include the statement K2.Synchronous = false; so that the server event will not complete until this external account connects to K2 and completes the item.

Adding Process Rights

The following steps discusses how to add Process Rights for user or group:

On the Process Rights screen, click the Add button.

On the Search for Users, Groups, or Roles screen, search for the required user or group and click OK.

Field Name	Description
Search	Click the Search drop-down and select to search for users or groups.
Security Label	Click the Security Label drop-down and select the Security Provider label you want to search on.
Type	Indidcates whether the searched user is user type or group type.
Label	Indidcates whether the searched user or group is part of the chosen security label.
Domain	Displays the domain where the searched user or group is part of.
Search Button	Type a value in the text box provided and click the Search button.
Select All Button	To remove users, select the user or group and click Clear All.
Clear All Button	Clears all chosen users or groups.
OK Button	Click Next to continue with the configuration.
Cancel Button	Click Cancel if you no longer want to complete the configuration. This will take you back to the Server Rights screen.

On the Process Rights screen, select the required user or group rights and click the Save button.