Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

How To Restrict Access To Workflow Models For A User Or Group

mandeeps2575712
Level 2
Level 2

In AEM 6.4, When a user is on a page, they can start a Workflow by going to Page Properties and selecting Start Workflow. Next a pop up is displayed which list the available workflows the user can start as shown below.

listofworkflows.png

I would like to hide certain workflows in this list from certain users/groups. For instance, I want to show only the Download Asset and Project Approval Workflow for a group. Everything else should be hidden.

In the following article, How to hide workflow models in the start workflow list?

It states that I should be able to add the workflow:system tag to a workflow model to hide it. However, adding that tag did not work.

What is the recommended way of restricting the list of workflow models that appear when a user selects start workflow?

1 Accepted Solution
Gaurav-Behl
Correct answer by
Community Advisor
Community Advisor

I've verified that this link How to hide workflow models in the start workflow list?  still works for 6.4

1) Open workflow properties in Touch UI

2) Add the tag 'workflow:system' and remove other tags, if any.

3) Save the changes and close the properties dialog

4) Click on Sync button to propagate the changes to corresponding workflow model definition under /var/workflow/models/<name>/metaData node.

5) Validate that you can see "tags" property as "system" on the metaData node

6) That specific model with "system" tag would stop appearing in the dropdown on your content page.

View solution in original post

16 Replies
Gaurav-Behl
Correct answer by
Community Advisor
Community Advisor

I've verified that this link How to hide workflow models in the start workflow list?  still works for 6.4

1) Open workflow properties in Touch UI

2) Add the tag 'workflow:system' and remove other tags, if any.

3) Save the changes and close the properties dialog

4) Click on Sync button to propagate the changes to corresponding workflow model definition under /var/workflow/models/<name>/metaData node.

5) Validate that you can see "tags" property as "system" on the metaData node

6) That specific model with "system" tag would stop appearing in the dropdown on your content page.

View solution in original post

mandeeps2575712
Level 2
Level 2

Adding the system tag hides the workflow model for all users.

Is there a way to only hide the workflow models for certain groups or a user?

Gaurav-Behl
Community Advisor
Community Advisor

"Adding the system tag hides the workflow model for all users."  -- this is correct

"Is there a way to only hide the workflow models for certain groups or a user?" -- Never tried that but, in theory, you could remove the read access to /var/workflow/models/<wf_name> and corresponding model paths in /conf or /lib for that specific user/group and it should stop populating in the drop-down. This should work.

mandeeps2575712
Level 2
Level 2

That was my approach initially but, when you go to /useradmin to set permission not all of the workflow models show up individually.

In the useradmin console when setting permissions, if you open the /var/workflow/models node you will not see all of the models that you see in crx/de under the /var/workflow/models. Essentially you cannot set permissions per workflow model.

Now my approach was to create a two sets of folders under the /var/workflow/models node. One for the restricted workflow models, /var/workflow/models/restricted, and another for the non-restricted workflow models /var/workflow/models/non-restricted. I would move the OOB workflow models to the restricted folder and deny read permissions. This works fine! But, the problem is when I update a workflow model and press Sync, it will create the updated workflow model under /var/workflow/models not the restricted or nonrestricted folder. I would also need to move the /conf or /lib configurations for the workflows to a new path. Next I have to consider these changes need to be propagated to multiple environments (Dev, QA, Prod). And of course there will be issues during upgrades.

The whole thing seemed really messy/buggy and I was looking for a more elegant solution.

Arun_Patidar
Community Advisor
Community Advisor

Hi,

Please check Adobe Experience Manager Help | Common Repository Restructuring in AEM 6.4

I believe workflows are getting read from conf and var

you can simply restrict those models.

vesankar
Level 1
Level 1
Hello Arun, We have a requirement where specific custom workflows should be accessible to specific user groups. We tried following approach. But no luck
vesankar
Level 1
Level 1
We added the permission for group at conf/global/workflow/models level. But, it does not provide the required permission.
Gaurav-Behl
Community Advisor
Community Advisor

If /useradmin doesn't work, then there is another tool for more granular permissions -- /crx/de

Create multiple groups and restrict the model paths for each group per your use case using this console. I would update this thread, if I get a better solution.

1712452_pastedImage_0.png

mandeeps2575712
Level 2
Level 2

I'm adding the workflow:system tag to hide the workflows, as recommended earlier. I can add the workflow:system tag for some of the models but not for all.

For some models the UI for adding tags is grayed out.

Screen Shot 2019-03-22 at 10.11.56 AM.png

And if I try to add the tags property through crx/de I get an error.

Screen Shot 2019-03-22 at 10.11.37 AM.png

How do I add the system tag for these workflows?

Gaurav-Behl
Community Advisor
Community Advisor

You cannot add it via /crx/de unless you tweak permissions.

The tag must be there OOB either in /etc/tags or /content/cq:tags, pick it and apply from page properties/Touch UI editor

mandeeps2575712
Level 2
Level 2

I couldn't add the tag to the OOB workflows under /libs.

I got it to work by copying the model from /libs to /conf.

Thanks for your help.

mandeeps2575712
Level 2
Level 2

I have one more issue that came up. I am unable to edit the OOB Workflow Model called, Activation Model. Not sure, if this is just an issue in my local (AEM 6.4).

Screen Shot 2019-03-22 at 6.13.29 PM.png

http://localhost:4502/editor.html/libs/settings/workflow/models/activationmodel.html

I get an error stating No Resource found.

Arun_Patidar
Community Advisor
Community Advisor

Any new or modified Workflow Models must be migrated to /conf/global/workflow/models.

When migrating modified AEM-provided Workflow Models

With the Workflow Model Editor open, modify the browser's address URL, and replace the path segment /libs/settings/workflow/models with /etc/workflow/models.

For example, change: http://localhost:4502/editor.html/libs/settings/workflow/models/dam/update_asset.html to http://localhost:4502/editor.html/etc/workflow/models/dam/update_asset.html

Enable Edit mode in the Workflow Model Editor which will copy the Workflow Model definition to /conf/global/workflow/models.

Tap the Sync button to sync the changes to the Runtime Workflow Model under /var/workflow/models.

Export both the Workflow Model (/conf/global/workflow/models/<workflow-model>) and Runtime Workflow Model (/var/workflow/models/<workflow-model>) and integrate into the AEM project.

For example, export:

/config/settings/workflow/models/dam/my_workflow_model

and

/var/workflow/models/dam/my_workflow_model

Workflow Model resolution occurs in the following order:

/conf/global/settings/workflow/models

/libs/settings/workflow/models

/etc/workflow/models

Thus, any customizations of AEM-provided Workflow Models persisted in the Previous location must be moved to /conf/global/settings/workflow/models if they are to be retained, otherwise they will be superseded by the AEM-provided Workflow Model definition in /libs/settings/workflow/models.

mynitumail
Level 2
Level 2

Hi Mandeep,

I am facing the same issue you have faced for ActivationModel.

Getting error as - Resource at /libs/settings/workflow/models/activationmodel.html not found.

https://aemdamauth1d.healthehostt.com:4443/editor.html/libs/settings/workflow/models/activationmodel...

Tried with below path as well (Per Arun Patidar post), but same result (resource not found).

https://aemdamauth1d.healthehostt.com:4443/editor.html/etc/workflow/models/activationmodel.html

did you get a chance to resolve this issue, if so, can you please share resolution steps.

Thanks n Regards,

Nitu

Arun_Patidar
Community Advisor
Community Advisor

I think the model is missing from AEM, Try creating new workflow with same name 'activationmodel' and title 'ActivationModel' and add tag workflow:system to hide workflow.