Permissions and Rights Node

This node, under Security in the Workflow Administration Console, allows you to define the general permissions a user or group has for accessing Workflow features. You can also grant or deny rights to specific workflows.

Security rules and hierarchy

  • Permissions and rights can only be granted to Active Directory users, not to Laserfiche users.
  • After assigning permissions and rights for a user or group, you can later remove the permissions and rights.
    General Permissions

    • Permissions are either given or absent, and they are absent by default. If a permission is absent for a user or group, they will not have the permission unless they are part of a group that has been given the permission. You can have one or more of the following permissions.

    Workflow Rights

    • Workflow Rights are specified per workflow. Users and groups can have one of the following rights for each workflow.
      • Editor: Can view, modify, and delete a workflow.
      • Viewer: Can search for and view a workflow. This right effectively makes a workflow read-only. This is the default when Only allow specified users to access the workflow has not been selected in the workflow options dialog.
      • No Access: Cannot search for or view a workflow. Users with No Access to a workflow will not be able to see that the workflow exists. This is the default if Only allow specified users to access the workflow has been selected in the workflow options dialog.
      • Note: A user with Manage Trustee permissions will be able to view or modify security settings for all workflows regardless of having No Access to some or all workflows.

    • If a user is given different rights than a group the user is part of, the user's specific rights will take precedence. If a user is not given any rights specifically, but is part of two or more groups with different rights, the more restrictive rights will be applied to the user.

    Workflow Rights Hierarchy

    • This flow diagram illustrates how actual rights are determined based on the hierarchy of group and user rights.
    • Individually (User) assigned rights override group inherited rights.
    • Administrators have all permissions and Editor rights to all workflows. You cannot delete the only user or group with Administrator privileges because you must have at least one Administrator.
    • Group rights are cumulative in that:
      • If any group has No Access to a workflow, users in that group will have No Access regardless of any other group rights (except Administrators). No Access is also the default if Only allow specified users to access the workflow has been selected in the workflow options dialog.
      • If any group has Editor Access to a workflow, users in that group will have Editor Access unless another group is set to No Access.
      • Viewer Access has the lowest rank in the hierarchy, and is the default when Rights are Not Set, and when Only allow specified users to access the workflow has not been selected in the workflow options dialog.
    • Users or groups not listed in this node will have the default permissions (none) and rights (Not Set) unless they are part of a group listed in this node.
    • If a permission conflicts with a right, the more restrictive of the two takes precedence.
    • Note: By default, all users are part of the Everyone group which has Administrator (full) permissions and rights. If a user is part of the Everyone group and the Everyone group has administrator privileges, you can only restrict their rights, not their permissions. Because permissions cannot be denied, only absent, the user's absent permissions will default to the permissions granted to the groups the user is in. In this case, if the user is part of the Everyone group, they will have full (administrator) permissions. To avoid this situation, make another user or group an administrator and remove the administrator setting from the Everyone group. Then only the user or group specified will have full permissions and rights and everyone else will have no permissions and Viewer rights, unless otherwise specified.
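The precedence rules above, written out as a small Python model (an added example, not Laserfiche code). The dictionary layout, trustee names, and workflow names are constructed, and checking a group's Administrator setting only after the user's own right is an assumption drawn from the Everyone note; the model shows why a No Access entry on a group has no effect while Everyone is still an Administrator.

```python
# Added model of the precedence rules on this page; not Laserfiche code.
NOT_SET, VIEWER, EDITOR, NO_ACCESS = "Not Set", "Viewer", "Editor", "No Access"

def _entries(user, node, memberships):
    """The user's own entry first, then one entry per group the user is in."""
    names = [user] + list(memberships.get(user, []))
    return [node.get(n, {}) for n in names]  # unlisted trustee -> defaults

def has_permission(user, permission, node, memberships):
    """Permissions are granted or absent, never denied: any grant wins."""
    return any(e.get("admin") or permission in e.get("permissions", ())
               for e in _entries(user, node, memberships))

def effective_right(user, workflow, node, memberships, restricted=False):
    """restricted=True models 'Only allow specified users to access the workflow'."""
    own, *groups = _entries(user, node, memberships)
    if own.get("admin"):
        return EDITOR                    # Administrators: Editor on all workflows
    explicit = own.get("rights", {}).get(workflow, NOT_SET)
    if explicit != NOT_SET:
        return explicit                  # user-assigned right overrides groups
    if any(g.get("admin") for g in groups):
        return EDITOR                    # assumption: group admin is checked next
    group_rights = {g.get("rights", {}).get(workflow, NOT_SET) for g in groups}
    if NO_ACCESS in group_rights:
        return NO_ACCESS                 # any group with No Access wins
    if EDITOR in group_rights:
        return EDITOR                    # Editor outranks Viewer among groups
    if VIEWER in group_rights:
        return VIEWER
    return NO_ACCESS if restricted else VIEWER   # default when rights are Not Set

# Constructed sample data (hypothetical trustees and workflows).
MEMBERSHIPS = {"alice": ["Everyone", "Clerks"], "bob": ["Everyone"],
               "carol": ["Everyone", "Clerks"]}
DEFAULT_NODE = {"Everyone": {"admin": True},   # out-of-the-box state per the note
                "Clerks": {"rights": {"Invoices": NO_ACCESS, "Onboarding": EDITOR}}}
HARDENED_NODE = {"WF Admins": {"admin": True},  # Everyone no longer Administrator
                 "Clerks": DEFAULT_NODE["Clerks"],
                 "carol": {"rights": {"Invoices": VIEWER}}}

if __name__ == "__main__":
    for label, node in (("default", DEFAULT_NODE), ("hardened", HARDENED_NODE)):
        for user in MEMBERSHIPS:
            print(label, user,
                  effective_right(user, "Invoices", node, MEMBERSHIPS),
                  has_permission(user, "Manage Trustee", node, MEMBERSHIPS))
```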

    External Object Rights

    External objects include the following resource types listed in the Actions pane of the Permissions and Rights node: Attachments, Email Servers, Trustee Directories, Data Sources, Certificates, Web Services, and Distributed Computing Clusters.

    • External object rights are specified per object. Users and groups can have one of the following rights for each object.
      • Allowed: Can view, modify, make use of, and delete an object.
      • Inherit: This is the default. Equivalent to Allowed if not otherwise Denied.
      • Denied: Cannot search for or make use of an object. Users with Denied access to an object will not be able to see that the object exists.
      • Note: A user with Manage Trustee permissions will be able to view or modify security settings for all objects regardless of having been Denied access to some or all objects.

    • If a user is given different rights than a group the user is part of, the user's specific rights will take precedence. If a user is not given any rights specifically, but is part of two or more groups with different rights, the more restrictive rights will be applied to the user.

    Note: The user must have the Modify Settings permission in order to create external objects. When a user creates a new external object, they and Administrators will be granted Allowed rights while all others will be granted Inherit rights for that object. These rights are only honored at design-time. A user that has been Denied access to an external object can still run a workflow that uses the object.

Permissions and Rights Node Details

To open this node

  1. In the Workflow Administration Console's Console Pane, expand the Security node.
  2. Select Permissions and Rights. The node will list all the Windows and Active Directory users configured to have Workflow permissions and rights.
  3. Tip: You can refresh this list to reflect recent changes by clicking the Refresh link below Permissions and Rights in the Actions Pane. Alternatively, right-click the Permissions and Rights node and select Refresh.

To add a new user or group

  1. In the Console Pane, select the Permissions and Rights node. Alternatively, select any user listed in the center Details Pane when the node is selected.
  2. Click New User in the Actions Pane, or right-click and select New User.
  3. In the Add Secured User dialog box, select Browse.
  4. The Select User or Group dialog box will open.
  5. Optional: Click Object Types and choose whether you want to search for Users, Groups, or Built-in security principals. User is selected by default. Click OK.
  6. Optional: Click Locations to choose where Workflow will search for users and groups. Choose a location, and click OK.
  7. Under Enter the object name to select, enter the name of an existing Windows or Active Directory user or group. Click examples to see the syntax that can be used.
  8. Note: Workflow will only respect user and group permissions defined in this node for Windows and Active Directory users and groups. You cannot search for Laserfiche users.

  9. Click Check Names. The Workflow Administration Console will search for the name according to the Object Types and Locations specified above. If the name is valid, it will become underlined.
  10. Optional: To perform a more advanced search, click Advanced.
    1. Select Object Types to determine the type of object to search for (e.g., users or groups).
    2. Select Locations to define where the search should be performed (e.g., the local machine, across the active directory, a portion of the active directory).
    3. Under Common Queries, configure your search. Select Columns to build a more specific query based on specific properties.
    4. Click Find Now to perform the search.
    5. Select a result in the bottom pane.
    6. Click OK.
  11. Once the desired user or group has been found (underlined), select OK.
  12. Grant permissions to the selected user or group in the Add Secured User dialog box.
    • Select Administrator (All Permissions) to give the user or group all general permissions and access rights to all workflows and starting rules.
    • Select Individual Permissions to only grant certain permissions. Check the permissions you want to grant.
    • Note: Selecting Individual Permissions and none of the permissions below will not grant the user or group any permissions.

  13. Click OK.

To modify user or group permissions

  1. In the Details Pane, select the user or group whose permissions you want to modify.
  2. In the Actions Pane, click General Permissions.
  3. Grant permissions to the selected user or group in the Modify Secured User dialog box.
    • Select Administrator (All Permissions) to give the user or group all general permissions and access rights to all workflows and starting rules.
    • Select Individual Permissions to only grant certain permissions. Select the permissions you want to grant.
  4. Click OK.

To grant or deny rights to specific workflows

Note: Users with Administrator permissions have Editor rights (full rights) to all workflows.

  1. In the Details Pane, select the user or group whose permissions you want to modify.
  2. In the Actions Pane, click Workflow Rights.
  3. In the Modify User Workflow Rights dialog box, select a workflow.
  4. Tip: You can search for workflows by typing a workflow name in the text box that says Search for workflows. Click the red X to clear a search.

  5. In the Rights column choose to give the user or group one of the following rights to the workflow.
    • Editor: The user or group can change and/or delete the workflow.
    • Viewer: The user or group can open the selected workflow but not make any changes to it.
    • No Access: The user or group cannot search for or see that the workflow even exists.
  6. Configure all desired workflow rights for the user or group.
  7. Click OK.
  8. Tip: You can modify these rights at any time by selecting the user in the Details Pane and clicking Workflow Rights in the Actions Pane.

To delete a user or group from this node

  1. In the Details Pane, select the user or group you want to delete permissions and rights for.
  2. In the Actions Pane, click Delete.
  3. Note: Removing a user or group does not delete it from your machine or active directory. Instead, the user or group will be removed from this node and their security settings will be reverted to the default (no permissions and Viewer rights).

Note: Security changes are recorded in the service log, which is found at <Workflow Install Directory>\logs. (The default location is C:\Program Files\Laserfiche\Laserfiche Workflow 9\Logs.)

To export the contents of this node in a .csv, .xml, or .txt file

  1. Select the node in the Console Pane.
  2. Select View from the main menu.
  3. Click Export Contents.
  4. In the Export data dialog box, name the exported file.
  5. Select CSV File, XML File, or Tab Delimited Text File from the drop-down menu.
  6. Click Save.