Cora Knowledge Center

Support

Managing Workflow Security Roles

V8.3-8.4

Understanding Workflow Security Roles

Security workflow roles are a tool that enable developers to achieve segregation of duties. They achieve this by assigning users and groups to a workflow security role depending on the level of access and visibility they need to perform their work.

When you upgrade from a previous product version, you can use the old permission model (organization-based permission) or the new permission model (role-based permission). When you import a workflow to a newly installed Cora SeQuence environment, you can only use the new permissions model.

IMPORTANT: By default, task recipients and form creators are granted read permission on the process, and read and write permission on the relevant activity.

Custom Workflow Security Roles

When you create a custom workflow security role, there are several assignment options for each permission.

OptionDescription
Permission Assignment Options
AllowThe permission is assigned to the workflow security role.
DenyThe permission is restricted to the workflow security role. Cases in which a user or user group are assigned workflow security roles that conflict, the Deny assignment overrides Allow and Not set assignments.
Not setThe permission is not assigned or restricted to the workflow security role.

Working with Permissions

Administrator Console

The place where you create, edit, and remove workflow security roles.

  • Navigate to Administration > Security > Workflow Roles.
  • View all available workflow security roles.
  • Create, edit, and delete custom workflow security roles.

Note: You cannot edit or delete system roles.

App Studio

The place where you assign users and groups to a workflow security roles. Role assignments are applied to all instances of the workflow.

  • Assign users and groups to workflow security roles.
  • Security roles apply to all workflow versions in a single workflow space.
  • For the Sharing Activity, you can define workflow security roles using a group expression or user expression.

V8.5

Understanding Workflow Security Roles

Security workflow roles are a tool that enable developers to achieve segregation of duties. They achieve this by assigning users and groups to a workflow security role depending on the level of access and visibility they need to perform their work.

There are two categories for security workflow roles. The permissions granted and denied for these roles are defined for a specific workflow space. This means that a user can be granted permissions for one workflow space, but denied the same permission for a different workflow space.

  • Workflow Design Time: determines levels of access for developing workflows.
  • Workflow Runtime: determines levels of access in Flowtime.

When you upgrade from a previous product version, you can use the old permission model (organization-based permission) or the new permission model (role-based permission).

IMPORTANT: By default, task recipients and form creators are granted read permission on the process, and read and write permission on the relevant activity.


Working with Permissions

Administrator Console

The place where you create, edit, and remove workflow security roles.

  • Navigate to Administration > Security > Workflow Roles.
  • View all available workflow security roles.
  • Create, edit, and delete custom workflow security roles.

Note: You cannot edit or delete system roles.

App Studio

The place where you assign users and groups to a workflow security roles. Role assignments are applied to all instances of the workflow.

  • Assign users and groups to workflow security roles.
  • Security roles apply to all workflow versions in a single workflow space.
  • For the Sharing Activity, you can define workflow security roles using a group expression or user expression.

V8.7

Overview

You can create security workflow roles to determine access levels for designing workflows or accessing Flowtime processes. You define security role permissions per workflow space. This means that a user can be granted permissions for one workflow space, but denied the same permission for a different workflow space.

You manage workflow security roles in the Administration website, under Administration>Security.

There are two types of security roles: Workflow Design Time and Workflow Runtime.

Role typeDescriptionSystem roles
Workflow Design TimeDetermines levels of access for developing workflows.

  • Business Analyst (View only)
  • Support (View and Set Runtime Permissions)
  • Workflow Developer (All permissions are allowed)
Workflow RuntimeDetermines levels of access in Flowtime.
Security roles apply to all workflow versions in a single workflow space.
  • Administrator (All permissions are allowed)
  • Contributor (Allowed: Start, Execute, View Questions, View Comments, Add Questions, Add Comments. Denied: Abort, Roll Back, Delete, Modify)
  • Manager (Share, Add, Remove, Reassign, View Questions, View Comments, Add Questions, Add Comments)
  • Viewer (View, View Questions, View Comments)

You can assign permissions to security roles from the workflow list in the Administration website, or from the App Studio page, when designing the workflow.

Create or edit security workflow roles

  1. To create or edit workflow roles, go to Administration > Security, and select a type of role. 
    • To edit an existing role, click the edit button next to it.
    • To create a new role, click Add Security Role.
  2. Set the required permission levels.
    To learn about what each permission does, point to the question mark ().

Note: You cannot edit or delete system roles.

Assign workflow runtime permissions

You need to assign security roles for users for each workflow. Role assignments apply for all instances of the workflow.

  1. In the App Studio, select Set Permissions.
  2. In the Set Workflow Runtime Permissions, select one of the options:
    • Assign Everyone: assigns the role to all users.
    • Edit Assigned: enables you to assign the role to specific groups or users.

IMPORTANT: By default, task recipients and form creators are granted read permission on the process, and read and write permission on the relevant activity.

Sharing Activity

When you set up a Sharing Activity, you can use expressions to assign workflow security roles to groups or users.

List of permissions

Workflow Design Time 

GeneralView
Edit
Manage Versions
Set Runtime Permissions
Set Design-Time Permissions
Manage Attached Objects
Check-In On Behalf of Others NEW

Workflow Runtime

GeneralView
Start
Execute
Share
Recipient AssignmentAdd
Remove
Reassign
SocialView Questions
View Comments
Add Questions
Add Comments
Super AdminAbort
Roll Back
Delete
Modify

NOTE: When you upgrade from a previous product version, you can use the previous permission model (organization-based permission) or the new permission model (role-based permission).