The start workflow operation is a potentially unsecured way users could start a workflow. The only way to secure this operation is to require the connected user to be part of a Windows group.
To secure the start workflow operation
- From your database management program (such as SQL Server Management Studio) locate the workflow_server_options table in the Workflow Server database.
- Add two new rows to the workflow_server_options table.
- For the first row, in the option_name column, type: StartWorkflowDirectlyDemands.
- In the option_value column, enter a pipe-delimited (|) list of the Windows roles containing the Windows groups that contain the Windows users that should be able to use this operation.
- In the second new row, in the option_name column, type StartWorkflowDirectlyDemandsAuthenticated. This column value requires that the user be authenticated.
- Set the option_value column to True.
Note: These rows can also be placed in the workflow_options table.
Example: You could enter the value, "myDomain\admins|myDomain\integrators" to only include users who are both administrators and integrators.