Rights

The Process Rights section is used to set rights and security for individual processes, to determine who may administer, start or report on instances of that process.

You normally have to assign security rights for workflows designed in the legacy K2 Studio or K2 for Visual Studio the first time the workflow is deployed to a new environment. (K2 Designer for SharePoint and K2 Designer gathers permission settings from the user when the process is designed, but these permissions can be subsequently modified with the Process Rights screen.). Permissions for subsequent deployments of the process do not need to be set, unless you want to modify permissions for each deployment manually. By default, K2 grants the deploying user account Admin rights to the process.

Users do not require any particular permission to complete worklist items assigned to them. The fact that the task is assigned to the user implies that the user has permission to complete the task. Therefore, it is not necessary to give any permission to a user who may receive a task somewhere in the workflow and who does not need to start the workflow or report on the workflow.

K2 Security generally follows a permissive-optimistic approach. This means that the higher level of permission takes precedence, so if a user had both “Admin” and “Start” permission on a process through different groups, the Admin permission takes precedence and the user will be able to administer the workflow as well as start the workflow. Also, workflow permissions are not version-specific: any rights defined for a workflow will apply to all versions of that workflow.

The following steps describe how to add rights for a user or group to a workflow:

  1. On the Process Details page, click the Rights tab.
  2. Click Add from the toolbar.
  3. The Workflow Rights - Add Users and Groups page opens.
  4. Click the Search drop-down and select to search for users or groups.
  5. Click the Label drop-down and select the Security Provider label you want to search on.
  6. Click the Type drop-down and select the type of search that will be performed.
  7. Type a value in the text box provided and click Search.
  8. The matching users or groups will be returned in the top list. Select a user or group and click Add.
  9. The added user or group will be added to the bottom list. You can add additional users or groups by doing a new search and clicking Add again, for each of the users and groups you wish to configure rights for..
  10. Click Next.
  11. Select the required rights per user or group, using the table below for more information on what the rights allow

    PermissionDescriptionNotes
    Admin

    Can administer instances of the process (such as Start, Stop, Delete and Redirect) and manage process versions (such as deleting versions of the workflow or setting permissions for a workflow).

    • Normally assigned to the K2 administrator, and sometimes to helpdesk staff and the process owner.
    • Also allows the user to Start and View process instances.

    • This right is automatically added for the user that deployed the workflow.

    Start Allows the user to start a process - without it the user will receive an error if attempting to start a process.
    • Normally given to a large group like “Domain Users” so that anyone can start the process , unless you specifically want to restrict start rights to a particular user or group.
    • A common error is “User does not have sufficient rights to start a process”. This usually means that the Start permission has not been configured for the process, but can also indicate a failure to persist security credentials between machines
    View Can run reports against all instances of the process .
    • Normally assigned to the process owner, process administrators, management users and sometimes supervisory users.
    • Can report on all instances of the process even if they are not involved in the process instance.
    View Participate

    When running workflow reports, the user will only see the instances that they were personally involved in (in other words, process instances that they started or where they completed a task item.

    • Normally assigned to the same group of users that can start the process, so that users can run reports on their own instances.

    • The user will only be able to access process reports and the activity instance once it has reached the activity for which they are a destination user, or if they were the originator of the process instance.

    Server Event

    User account may complete an asynchronous K2 server event. Asynchronous server events wait for a call-back from the external system to finish the server event. The user account used by the external system must be granted Server Event permissions for it to be allowed to finish the server event.

    		Used in more advanced scenarios where a specific user account (usually, some other system) will complete an asynchronous server event in the workflow. This normally requires the server event code to include the statement K2.Synchronous = false; so that the server event will not complete until this external account connects to K2 and completes the item.
  12. Click Finish.The users or groups will be listed in the Rights tab of the Process Details page.

Use the Remove button to remove the assigned rights for a user or group from the workflow. Follow these steps to remove rights:

  1. Select the user or group you want to remove from the Rights tab.
  2. Click Remove.
  3. The user or group is removed from the list in the Manage Workflow Rights page and will no longer have any rights on the workflow.

The Save button is used to save any rights changes made. Follow these steps to edit and save rights:

  1. Double-click the user or group you want to make changes for, The Workflow Rights - Add Users and Groups page opens.
  2. Check or uncheck the check boxes to edit the user or group rights as needed.
  3. Click Finish to apply the changes.

Click the Refresh button to refresh the list of users and/or groups.