Permissions needed for common tasks

The table contains common tasks, permissions required to use them, and examples of error messages you'll see if you do not have the correct permissions.

Task Permission Error if I do not have rights
Access K2 Management as an Administrator

To access the K2 Management site you need Admin or Export rights. With Admin rights, you see all nodes within K2 Management. With Export (deploy) rights you see limited nodes within K2 Management

To set this in K2 Management, go to the Workflow Server node, then select the Server Rights node and assign Admin or Export rights to the user.

For more information on how to set permissions, see the Server Rights topic.

 Message: "You don't have sufficient permissions to access Management".
Access K2 Management as a user

To access K2 Management you need Admin or Export rights. With Admin rights you see all nodes within K2 Management. With Export rights, you see limited nodes within K2 Management

To set this in K2 Management, go to the Workflow Server node, then select theServer Rights node and assign Admin or Export rights to the user.

For more information on how to set permissions, see the Server Rights topic.

 Message: "You don't have sufficient permissions to access Management".
Access K2 Workspace

By default, all users see their Workspace and custom Workspaces.

For more information on Workspace, see the K2 Workspace topic.

 No error message.
Access K2 Designer

To access K2 Designer you need View rights. To set this in K2 Management, go to the Designer node and assign View rights to the user.

For more information on configuration, see the Designer topic.

 Message: "Uh oh… You are missing the required design right to be able to view this page".
Access K2 Workflow Designer

To access K2 Workflow Designer you need Export rights. To set this in K2 Management, go to the Workflow node, and then Server Rights and assign Export (deploy) rights to the user.

For more information on how to set the permission, see the Server Rights topic.

 Message: "Uh oh… You are missing the required design right to be able to view this page"
Install an App from App Catalog

To install an app from the App Catalog, you need Export rights. To set this in K2 Management, go to the Workflow Server node, and then Server Rights, and assign Export rights to the user.

For more information on how to set the permission, see the Server Rights topic.

You also need to be a member of the Package and Deployment role. To set this in K2 Management, go to the Users node, and then Roles, and select Package and Deployment. Click Edit and add a user to the role

 Error: 30013 [username] is not a member of the Package and Deployment role and/or does not have Export rights on the Workflow server.
App Administration access

To access the App Administration page you need to be added to the Administrators list by your system administrator. From the App page, select the Admin option in the Build section. Then select the Security area and add the user name to the Administrators List.

For more information on administering your Apps, see the Administer Apps topic.

 Message: "You are not authorized to access this page"
Deploy, Edit and Save a Workflow

To deploy, edit or save a workflow, you need Export rights. To set this in K2 Management, go to the Workflow Server node, and then Server Rights, and assign Export rights to the user.

For more information on how to set the permission, see the Server Rights topic.

 No specific error message shows. Without Export rights you cannot access the K2 Workflow Designer.
Run Reports

To run reports from K2 Management or Workspace, you need View or View Participate rights. To set this in K2 Management, go to the Workflow Server node, and then Workflows and then find and select the workflow. Click Rights and then assign View or View Participate rights to the user.

For more information on how to run reports from K2 Management, see the Reports topic.

For more information on how to run reports from Workspace, see the Reports topic.

 

  
Package and Deployment

To package and deploy K2 solutions you need Export rights. To set this in K2 Management, go to the Workflow Server node, and then Server Rights, and assign Export rights to the user.

For more information on Package and Deployment permissions, see the Package and Deploy Considerations topic.

Error: "30008 'K2:[Domain]\[username]' does not have export rights"
Package and Deployment

To package and deploy K2 solutions you need to be a member of the Package and Deployment role. To set this in K2 Management, go to the Users node, and then Roles, and select Package and Deployment. Click Edit and add a user to the role.

For more information Roles see the Authorization Framework Overview topic.

For more information on Package and Deployment permissions, see the Package and Deploy Considerations topic.

 Error:"30011 [username] is not a member of the Package and Deployment role and cannot create or deploy packages"
Package and Deployment

To package and deploy K2 Solutions you need View right to all K2 objects. The Package and Deployment role grants its members global view rights, however, membership in this role does not override any Deny rights. If you have View rights denied to any item in the category system, you are prompted to update permissions to View the item or items.

To set this in K2 Management, go to Categories and select the K2 object. In the Security section, add the user and set View rights to Allow. This ensures that when dependencies are checked, Package and Deployment knows whether items exist (and need to be updated) or do not exist (need to be created).

For more information on permissions on K2 objects, see the K2 Objects section in the Authorization Framework Overview topic.

 Error: "Deny rights detected. Unable to continue".
Grant rights

To grant rights you need to be a member of the Security Administrators role. To set this in K2 Management, go to the Users node, and then Roles, and select Security Administrators. Click Edit and add a user to the role.

For more information on roles, see the Roles section in the Authorization Framework Overview topic.

Users that are not members of the Security Administrators Role will not see the Security view in K2 Management. The Security view only loads once they become members of the role.
Modify and Delete Roles

To modify and delete custom roles you need Modify and Delete rights. To set this in K2 Management, go to the Users node, and then Roles, and select the role. Click the Security button and add a user to the role.

Security Administrators have Security rights by default for all legacy and new custom roles (except system roles). Users that create their own roles are automatically granted Security rights on those roles.

For more information on roles, see the Roles section in the Authorization Framework Overview topic.

No error message shows. If you do not have security rights to a role, the Security button is disabled.

If you decide to deny Modify and Delete rights to someone's role the following messages show:

  • User was not granted permissions to modify the role. Error: "K2:[domain]\[username] cannot perform Modify on custom role."
  • User was not granted permission to delete the role. Error: "K2:[domain]\[username] cannot perform Delete on custom role."
Browse to and use Forms, Views and SmartObjects using the Category Tree in K2 Designer or K2 Management

To browse to K2 objects using the category tree in K2 Designer or K2 Management, you need View rights. To set this in K2 Management, go to the Categories node and select the K2 object. In the Security section add the user and set the View rights to Allow.

For more information on permissions on K2 Objects, see the K2 Objects section in the Authorization Framework Overview topic.

 No error message shows. The node does not appear in the Category Tree if you don't have View Rights
Interact with Forms and run Forms at Runtime.

To interact with forms and run them, you need Execute rights. To set this in K2 Management, go to the Categories node and select the form. In the Security, section add the user and set the Execute rights to Allow.

For more information on permissions on K2 Objects, see the K2 Objects section in the Authorization Framework Overview topic.

 Error: "Form [name] could not be found. Ensure that the Form exists, that it is checked in and that you are authorized to run the Form."
Add, register and deploy the K2 for SharePoint App

To add, register and deploy the K2 for SharePoint App you need the following permissions:

  • Global Admin (also known as the Tenant Admin)
  • Site Collection Admin for the App Catalog site

  • SharePoint Online Administrator or Site Collection Administrator for each site collection where the app is deployed to

 

 No error message show. You will not see any Administration Links for the K2 for SharePoint App on the App Catalog level.
Add a K2 web part in SharePoint

To add a K2 web part in SharePoint you need the following permissions:

  • App Catalog: Read

  • SharePoint site: Edit Permission level and Add and Customize Pages

 If you don't have permission, the Edit Permission level and the Add and Customize Pages shows with the following:

For more information, refer to the SmartForm not displayed by Page Viewer Web Part Knowledge Base article (KB001408).
Create and deploy applications with the K2 for SharePoint App

To create and deploy applications you need to configure the following:

K2 Permissions: Assign K2 Designer Edit rights in K2 Management site > Designer.

SharePoint Permissions:

Error: "Access Denied. You need Solution Designer and K2 Designer permissions to design K2 artifacts."
Permissions required using applications created with the K2 for SharePoint App. To Start and View a Workflow

To Start and View a workflow you need to configure the following:

In K2 Management, go to the Workflow Server node, and then Workflow, and select the workflow. Select Rights and assign Start and View rights to the user.

In SharePoint:

  • App Catalog: Read

  • SharePoint site: Read
  • SharePoint site go to K2 Solution Participants Group: Read

  • SharePoint lists and libraries: Read and Edit permissions for users as required by the functions performed by the application on the SharePoint Lists and Libraries

  
Sharing K2 Applications with external users

To share K2 applications with external users you need to configure the following SharePoint permissions:

  • Permission based on Site Collection Group membership
  • Global Admin required to enable sharing on the App Catalog
  
Permissions to administer K2 for SharePoint App

To administer K2 for SharePoint app you need to configure the following:

K2 Permissions: Admin

SharePoint Permissions: Global Admin

 No error message show. You will only see the following on Site Collection level:
Read data from Azure Active Directory

To read data from Azure Active Directory the K2 for AAD app is granted Read on configuration of the app by a Global Tenant administrator

  
Write data to Azure Active Directory

To write data to Azure Active Directory, the K2 for AAD Management app needs Write permissions granted on configuration of the app by a Global Tenant administrator