Server Rights

The Server Rights node is used to add, edit, remove and refresh Workflow server permissions for users or groups. These rights will determine which users and groups can administer a workflow server, export new workflows or impersonate a user.

The table below explains each permission in more detail.

Permission	Description	Usually Assigned to
Admin	Use the management console (and management tools in Process Portals sites) to administer an environment, Users with this right can fully administer an environment and may edit server rights for other users.	Administrators/system administrators and (sometimes) helpdesk staff in a production environment. Developers usually have Admin rights to Development environments and (sometimes) Test/QA environments. Depending on your organization’s security, it is usually not recommended to give developers Admin rights to a production environment.
Export	Allows you to deploy workflows from within the Designer for SharePoint as well as Package and Deploy Solutions in your environment.	System administrators/deployment users in production environments, especially in environments that have strict change control procedures. Developers normally have Export rights to development environments. To allow for deployment of workflows created with the Designer and the Designer for SharePoint, the user account associated with an application pool in SharePoint must also have Export permission.
Impersonate	Impersonate another user account after the initial connection. This permission is normally used when user credentials cannot be transferred between machines and Kerberos cannot be used to address this requirement, and is also used for Pass-Through Authentication mechanism . It also allows for connections established in one context to impersonate another user. When the user opens a connection to the server through the client API for an example, you have a method connection ImpersonateUser(Username) which will then open the connection as the userName specified. For example John has impersonate rights. He can now open a connection and impersonate as Sue. With the connection open as Sue, he can do everything as if Sue was logged on.	This permission is reserved for the service account and is configured automatically for the account during onboarding.

Permission

Description

Usually Assigned to

Admin

Use the management console (and management tools in Process Portals sites) to administer an environment, Users with this right can fully administer an environment and may edit server rights for other users.

Administrators/system administrators and (sometimes) helpdesk staff in a production environment.
Developers usually have Admin rights to Development environments and (sometimes) Test/QA environments. Depending on your organization’s security, it is usually not recommended to give developers Admin rights to a production environment.

Export

Allows you to deploy workflows from within the Designer for SharePoint as well as Package and Deploy Solutions in your environment.

System administrators/deployment users in production environments, especially in environments that have strict change control procedures.
Developers normally have Export rights to development environments.
To allow for deployment of workflows created with the Designer and the Designer for SharePoint, the user account associated with an application pool in SharePoint must also have Export permission.

Impersonate

Impersonate another user account after the initial connection. This permission is normally used when user credentials cannot be transferred between machines and Kerberos cannot be used to address this requirement, and is also used for Pass-Through Authentication mechanism .

It also allows for connections established in one context to impersonate another user. When the user opens a connection to the server through the client API for an example, you have a method connection ImpersonateUser(Username) which will then open the connection as the userName specified. For example John has impersonate rights. He can now open a connection and impersonate as Sue. With the connection open as Sue, he can do everything as if Sue was logged on.

This permission is reserved for the service account and is configured automatically for the account during onboarding.

Adding Server Rights

Follow these steps to add rights:

Click Add from the Server Rights view.

The Server Rights - Add Users and Groups page opens. Use the image and table below as a guideline for the configuration:

Field	Description
Search	Click the Search drop-down and select to search for users or groups.
Label	Click the Label drop-down and select the Security Provider label you want to search on.
Type	Click the Type drop-down and select the type of search that will be performed.
Search Button	Type a value in the text box provided and click the Search button.
Add Button	The matching users or groups will be returned in the first view. Select a user or group and click Add. The user or group will now be listed in the second view. You can add multiple users or groups by doing a new search and clicking the Add button again.
Remove Button	To remove users, select the user or group from the second view and click Remove.
Next Button	Click Next to continue with the configuration.
Cancel Button	Click Cancel if you no longer want to complete the configuration. This will take you back to the Rights tab.

Select the applicable rights per user or group, and click Finish.