How to block specific user from AEM workflow notification



Hi All,


Is that possible to block a specific user (from a group) when AEM sends an inbox notification from the custom workflow? 


Use Case:

1) I have a user called Thomas and he is part of content-author and qa-approval groups.


2) I have my custom workflow that will send a notification to the qa-approval group once the user (from the content-author group) starts the workflow.


Now, Thomas (content-author) started the workflow and the workflow now sends a notification to qa-approval group. Here, my requirement is,


1) Thomas should not get the notification/I need to block the user from AEM notification (the same person should not approve the notification)


2) He should not able to approve the notification and if he tries to approve we should display a pop-up message stating that you don't have permission (some custom message)

@smacdonald2008 @arunpatidar26 @Ratna_Kumar @kautuk_sahni @Veena_Vikram @Varun_Shakya @Theo_Pasveer @Theo_Pendle 





AEM inbox notification Workflow instance

Accepted Solutions (1)

Accepted Solutions (1)




Hi @vijays80591732,

Per the OOB implementation, Inbox notifications are sent to all members of the group associated with specific participant step in the workflow.

For your use case if the idea is to not let the person approve/complete a step who has initiated the workflow, consider one of the below alternatives.

  • We can make use of "Delegate Step" where "Thomas" in this case, can delegate to any other user part of "qa-approval" group.  (Should be an explicit understanding and to be communicated to business)
  • It is implied that if person initiated the workflow is not destined to approve, then the same user can be removed from qa-approval group. Just in case for any other reason if existing group set up can't be altered, then you can consider creating new group with desired members only for approving and use in Participant Step
  • In custom workflow, instead of Participant step, use "Dynamic Participant Step" wherein custom ParticipantStepChooser implementation, create/return a new group with members of qa-approval except the user who initiated the workflow via a conditional check in the iteration (workflow initiator can be retrieved using workItem.getWorkflow().getInitiator(); )

Thanks, Viji for your inputs. I have proposed the first two approaches to business already, but they are not happy with this approach. So, I made some customization in my workflow and achieved this. Below is my implementation,


1) I have used dynamic participant steps in my custom workflow and used custom dialog in the same.

2) The dialog will call a custom component using sling:resourceType.

3) In component.html, I'm having a jquery to call a custom servlet via ajax.

4) Now, all the users will get the AEM inbox notification. but, when they click the complete button to approve/reject my component will get render and I'm getting the payload path from the AEM inbox page.

5) I'm sending the payload path to servlet via Ajax.

6) Once the workflow started by a user, I'm capturing the user ID and save it to the jcr:content of the payload path.

7) In my custom servlet, I'm getting the payload path from the AEM inbox page. So, using the payload path I'm getting the current user ID (who is trying to approve/reject) and user ID of the user who has started the workflow from the jcr:content and will compare both user ID. If it matches, then I will disable the OK button and showing a custom message (where approve/reject the workflow in inbox page). 


 Below is my Jquery snippet which I'm using in my custom component and servlet snippet.  


div id = "msg"
style = "color: red;font-size: 15px;" > < /div> <
script >

function myFunction() {
var payloadPath = $(".external-dialog-injection").data("payloadpath");

function ajaxCall(payloadPath) {
type: "GET",
url: '' + payloadPath,
success: function(response) {
document.getElementById("msg").innerHTML = "";
error: function(err) {
document.getElementById("msg").innerHTML = " Workflow initator cannot approve the request!";
$(".workitem-complete-dialog-submit").prop('disabled', true);
} <




@SlingServlet(methods = {HttpConstants.METHOD_GET}
, resourceTypes = {ApplicationConstants.DEFAULT_SERVLET_NAME}
, selectors = {"validate"}
, extensions = {"data"}
, name = "")
public class WorkflowApproverValidationServlet extends SlingSafeMethodsServlet {
private static final long serialVersionUid = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WorkflowApproverValidationServlet.class);

protected void doGet(final SlingHttpServletRequest request,
final SlingHttpServletResponse response) throws ServletException, IOException {

try {
User currentUser = request.getResourceResolver().adaptTo(User.class);
String requestPath = request.getParameter("path");
String[] states = {"RUNNING"};
WorkflowSession wfSession = request.getResourceResolver().adaptTo(WorkflowSession.class);
Workflow[] wfs = wfSession.getWorkflows(states);
for (Workflow wf : wfs) {
if (wf.getWorkflowData().getPayload().toString().equalsIgnoreCase(requestPath)) {
String wfInitiator = wf.getInitiator();
JSONServletUtils.returnResponseWithMessage(response, "\n" +
"Workflow initator cannot approve the request! ", "\n" +
"Workflow initator cannot approve the request!", HttpStatus.SC_FORBIDDEN);
JSONServletUtils.returnResponseWithMessage(response, "Allowed to Approve", "Allowed to Approve", HttpStatus.SC_OK);
} catch (WorkflowException | RepositoryException e) {
LOGGER.debug("WorkflowApproverValidationServlet Completed");

So, if same tries to approve/reject workflow then they will get the error message like below,

Screenshot 2020-10-04 at 10.27.02 PM.png

Hope this will be helpful for someone 🙂






Answers (0)