Roles
Use the Roles node to create, edit, delete or save K2 Roles. Roles are essentially groups defined in K2, and are most often used for assigning tasks or setting security in K2. For example, perhaps it is not possible to define groups in Active Directory (AD) for workflow task allocation, because the AD administrators are unwilling to define groups used only by applications. Or perhaps you need to create a group that contains users authenticated through different authentication mechanisms, in which case you cannot define the group in AD.
As an administrator, you define roles using the K2 Management site and they are stored on your K2 server. You can modify the Role membership without needing to modify the design of workflows or authorization rules that use those roles. Roles can contain one or more users and groups, from multiple user managers.
For more information on using Roles in workflows, see the Recipients topic. For more information on using Roles for security, see Role Authorization and Authorization Overview.
The Roles screen
- See How To: Exclude a Previous Approver from a Task for an example of using a role to exclude a previous approver from a workflow Task.
Follow these steps to add Roles:
- Click New from the Roles view.
- The Add Role view opens.
Use the table below as a guideline for the configuration:
Field Name | Description |
---|---|
Name | The name for the Role being created. Type a value in the field provided. |
Description | Describe the Role being created. Type a value in the field provided. |
Refresh with Worklist | The Refresh with Worklist is no longer available from K2 Cloud Update 10 and onwards. If this option is enabled, when you add a new user to the role, the new user will see existing worklist items assigned to the role when they log in or when the worklist refreshes. If this option is disabled, any changes you make to the role's membership only affects new worklist items. Select the check box if you want the K2 server to refresh worklist items based on the latest role membership; in other words when a new user joins the group, they should also see any available tasks that were assigned to the role before the new user joined the role. This option only applies to User Task steps where you do not check the Resolve Groups to individuals check box. When you check this option, the role is resolved to individual users as if you assigned the task to those users instead of the role, which causes the step to essentially not use the role or the Refresh with Worklist option. By default, Refresh with Worklist is unchecked because it does result in additional load on the server. You should only use this option if you have dynamic roles (such as in a call center scenario where users are continually rolling into and out of the queue) and your workflow tasks are assigned to the role without resolving the role to individual users. |
Search | Click the Search drop-down and select to search for users or groups. |
Label | Click the Label drop-down and select the Security Provider label you want to search on. |
Type | Click the Type drop-down and select the type of search that will be performed. |
Search Button | Type a value in the text box provided and click Search. |
Add Button | The matching users or groups will be returned in the first view. Select a user or group and click Add. The user or group will now be listed in the second view. You can add multiple users or groups by doing a new search and clicking the Add button again. |
Remove Button | To remove Role Members, select the user or group from the second view and click Remove. The user or group will no longer be part of this Role. |
Include check box | Each Role Member is set to be included in the Role by default. Select the check box to exclude the Role Member from the Role. |
OK Button | Click OK to complete the configuration. This will take you back to the Roles view and the new Role will be listed. |
Cancel Button | Click Cancel if you no longer want to complete the configuration. This will take you back to the Roles view. |
- Specify Role Security if required.
Follow these steps to edit a Role:
- Select the Role you want to edit.
- The Edit button becomes available. Click Edit.
- The Edit Role view opens.
- Edit the information as required. Use the table provided in the Adding Roles section as a guideline.
- Click OK to save the changes.
Follow these steps to delete a Role:
- Select the Role you want to delete using the check box in front of the Role. You can select multiple Roles to delete.
- The Delete button becomes available. Click Delete.
- Click OK on the confirmation message.
This option is only applicable when changing the Refresh with Worklist option for the Role. Follow these steps to save changes to a Role:
- Change the behavior for the Role by clicking the Refresh with Worklist check box. Click Save.
Role Authorization allows you to specify rights for users and groups within your custom role via the Security tab. These rights allow users or groups to modify, delete, and apply security to the membership of the custom role. For more information see the Authorization Overview topic.
Role Rights | Description |
---|---|
Modify | Allows you to modify the role. |
Delete | Allows you to delete the role. |
Security | As the creator of Roles you can assign Security rights to Roles, which allows others to manage the object's security, including assigning Modify, Delete and Security rights. |
Follow these steps to add role authorization to a Role:
- Select a custom role and click Security.
- On the Security page, add a user or group by clicking the Add button.
- On the Add Users, Groups, And Roles page search and add a user or group. Click OK.
- Specify the user or group's Modify, Delete and Security rights. Three options are available: Allow, Deny and None.
- Add more users and groups to the Security page if required. Click Close.
When specifying users and groups for role authorization, the Everyone role is added by default, giving all authenticated users in your organization the ability to modify and delete the role membership. Best practice is to remove the Everyone role from the role authorization (click the Break Inheritance button, select the Everyone role, and click the Trash Can icon) and add users and groups according to your organization's requirements.
Follow these steps to edit role authorization in a Role:
- Select a custom role and click Security.
- On the Security page, add a new user or group or edit existing rights.
- Click Close.
Follow these steps to remove authorization in the Role:
- Select a custom role and click Security.
- Select a required user or group and click Remove.
- Click Close.
- If you are a member of the Data Administrators role you have full access to all data, irrespective of the settings in SmartBox Data Access policies.
- There must always be at least one user in a role
- A role can only contain users and groups
- You cannot remove yourself from a role for security reasons; another user with sufficient rights on the role or an administrator can remove you from a role
- When you delete a role in K2 Management, K2 removes the role from the Roles list, but behind the scenes the role is marked as disabled and is still refreshed and cached by the K2 system. This is by design to prevent workflow instances that use the role from entering an error state
- K2 runs a refresh every ten minutes and updates and applies changes to your roles, whether you have renamed, removed, or updated role memberships
- If you delete a role (remember that the role is disabled behind the scenes), and you then create a new role with the same name, K2 uses the disabled/deleted role until the role cache refreshes, and then K2 starts using the new role. K2 recommends that you use unique names for your roles to avoid this potential confusion
- If the users in the new role are different from the members of the deleted role, and the role is used in running workflow instances, tasks are sent to the members of the deleted role until K2 refreshes the role. After the refresh, the role membership updates and tasks are sent to the users in the new role. If any user in the deleted role opens a task before the refresh occurs, the task is allocated to them and they must release the task to make it available to the correct users
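The following added example (not K2 code, and not from the original page) models the stale-membership window described in the last three points and lists the tasks that a member of the deleted role opened before the refresh, which are the ones that must be released. The `Task` record, its field names, the sample data, and the assumption that refreshes fall on fixed ten-minute ticks counted from a known last refresh are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

REFRESH_MINUTES = 10  # refresh interval stated on this page


@dataclass(frozen=True)
class Task:  # hypothetical record shape, not a K2 type
    task_id: str
    role: str
    assigned_at: int  # minutes since an arbitrary start
    opened_by: Optional[str] = None
    opened_at: Optional[int] = None


def next_refresh(minute: int, last_refresh: int = 0) -> int:
    """First refresh tick strictly after `minute` (fixed ticks are an assumption)."""
    ticks_done = (minute - last_refresh) // REFRESH_MINUTES
    return last_refresh + (ticks_done + 1) * REFRESH_MINUTES


def tasks_to_release(tasks, role, recreated_at, new_members, last_refresh=0):
    """Tasks on `role`, assigned between the same-name re-creation and the next
    refresh, that were opened before that refresh by someone outside the new role."""
    refresh = next_refresh(recreated_at, last_refresh)
    hits = []
    for t in tasks:
        in_window = t.role == role and recreated_at <= t.assigned_at < refresh
        opened_stale = (
            t.opened_by is not None
            and t.opened_at is not None
            and t.opened_at < refresh
            and t.opened_by not in new_members
        )
        if in_window and opened_stale:
            hits.append((t.task_id, t.opened_by))
    return hits


# Constructed sample data: role "Approvers" deleted and re-created at minute 23.
NEW_MEMBERS = {"dana", "eli"}
SAMPLE_TASKS = [
    Task("T1", "Approvers", 21, "alice", 22),  # assigned before the re-creation
    Task("T2", "Approvers", 25, "bob", 27),    # old member opened it before refresh
    Task("T3", "Approvers", 26),               # unopened: re-routed at the refresh
    Task("T4", "Approvers", 28, "dana", 31),   # new member, opened after refresh
    Task("T5", "Other", 25, "bob", 26),        # different role
]

if __name__ == "__main__":
    for task_id, user in tasks_to_release(SAMPLE_TASKS, "Approvers", 23, NEW_MEMBERS):
        print(f"{task_id}: held by {user}, must be released")
```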