Managing Access to Workflows

Configure user accounts to enable or disable users from starting workflows.

Required User Permissions for Workflows

Actions on workflows can only be undertaken if either:

  • you are working with the admin account
  • the account has been assigned to the default group workflow-users, which holds all the privileges necessary for your users to perform workflow actions.

Configuring Access to Workflows

Workflow models inherit a default access control list (ACL) for controlling how users can interact with workflows. To customize user access for a workflow, modify the Access Control List (ACL) for the workflow model node in the repository.

For information about using CRXDE Lite to configure ACLs, see Access Control.

The following example restricts content authors from starting a workflow called mymodel. To restrict access, the Authors group is denied read access to the /etc/workflows/models/mymodel node.

The following diagram shows the default ACL for mymodel (the default ACL for all new models). The Authors group is a member of the contributor group, so Authors are allowed the jcr:read privilege for the node.


Because authors have read-access to the model, the workflow is available in Sidekick when authoring pages:


The following procedure adds an access list entry (ACE) that denies the jcr:read privilege for the content-author group.

  1. Open CRXDE Lite in your web browser (http://localhost:4502/crx/de).

  2. In the node tree, select the node for the workflow model (/etc/workflow/models/mymodel).

  3. Click the Access Control tab.

  4. In the Applicable Access Control Policy table, click the plus icon.

  5. Click the plus icon to add a new ACE with the following properties:

    • Principal: content-authors
    • Type: Deny
    • Privileges: jcr:read

    The Effective Access Control Policies table now includes the restriction for content-authors.

  6. Click Save All.

    The mymodel workflow is no longer available to members of the content-author group.