SOLVED

How To Restrict Access To Workflow Models For A User Or Group

Level 2

In AEM 6.4, when a user is on a page, they can start a workflow by going to Page Properties and selecting Start Workflow. Next, a pop-up is displayed which lists the available workflows the user can start, as shown below.

listofworkflows.png

I would like to hide certain workflows in this list from certain users/groups. For instance, I want to show only the Download Asset and Project Approval Workflow for a group. Everything else should be hidden.

The article "How to hide workflow models in the start workflow list?" states that I should be able to add the workflow:system tag to a workflow model to hide it. However, adding that tag did not work.

What is the recommended way of restricting the list of workflow models that appear when a user selects Start Workflow?

1 Accepted Solution

Correct answer by
Level 10

I've verified that this link, "How to hide workflow models in the start workflow list?", still works for 6.4.

1) Open the workflow properties in Touch UI.

2) Add the tag 'workflow:system' and remove other tags, if any.

3) Save the changes and close the properties dialog.

4) Click the Sync button to propagate the changes to the corresponding workflow model definition under the /var/workflow/models/<name>/metaData node.

5) Validate that you can see the "tags" property as "system" on the metaData node.

6) That specific model with the "system" tag will stop appearing in the dropdown on your content page.

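A check for steps 4 to 6 of the accepted answer, as an added example that is not part of the original post or of AEM itself: it walks a JSON dump of /var/workflow/models and reports every model that should be hidden but whose metaData node does not carry exactly the "system" tag after Sync. The dump shape, the sample model entries and the handling of `tags` as either a string or an array are assumptions made for this example.

```python
import json

# Constructed sample: assumed shape of a JSON dump of /var/workflow/models.
# Model entries are illustrative; only the metaData/tags property matters here.
SAMPLE_DUMP = json.loads("""
{
  "jcr:primaryType": "sling:Folder",
  "download_asset": {"metaData": {}},
  "request_for_activation": {"metaData": {"tags": "system"}},
  "dam": {
    "update_asset": {"metaData": {"tags": ["system", "dam"]}},
    "my_workflow_model": {"metaData": {}}
  }
}
""")

def model_tags(meta):
    """Normalise metaData/tags (assumed: single string or array) to a set."""
    raw = meta.get("tags", [])
    if isinstance(raw, str):
        raw = raw.split(",")
    return {t.strip() for t in raw if t.strip()}

def walk_models(node, path="/var/workflow/models"):
    """Yield (path, tags) for every node that has a metaData child."""
    if isinstance(node.get("metaData"), dict):
        yield path, model_tags(node["metaData"])
        return
    for name, child in node.items():
        if isinstance(child, dict):  # skips properties such as jcr:primaryType
            yield from walk_models(child, f"{path}/{name}")

def audit(dump, must_be_hidden):
    """Map each model that is not in the expected hidden state to a reason."""
    found = dict(walk_models(dump))
    problems = {}
    for path in must_be_hidden:
        if path not in found:
            problems[path] = "model not found"
        elif "system" not in found[path]:
            problems[path] = "no system tag"
        elif found[path] != {"system"}:  # step 2: other tags must be removed
            problems[path] = "extra tags"
    return problems

if __name__ == "__main__":
    base = "/var/workflow/models/"
    expected = [base + n for n in ("request_for_activation", "dam/update_asset",
                                   "dam/my_workflow_model", "activationmodel")]
    for path, reason in audit(SAMPLE_DUMP, expected).items():
        print(f"{path}: {reason}")
```

Running the same check against a dump from each environment (Dev, QA, Prod) shows where a Sync or deployment left a model visible.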

16 Replies

Level 2

Adding the system tag hides the workflow model for all users.

Is there a way to only hide the workflow models for certain groups or a user?

Level 10

"Adding the system tag hides the workflow model for all users." -- this is correct.

"Is there a way to only hide the workflow models for certain groups or a user?" -- Never tried that but, in theory, you could remove the read access to /var/workflow/models/<wf_name> and corresponding model paths in /conf or /lib for that specific user/group and it should stop populating in the drop-down. This should work.

Level 2

That was my approach initially, but when you go to /useradmin to set permissions, not all of the workflow models show up individually.

In the useradmin console when setting permissions, if you open the /var/workflow/models node you will not see all of the models that you see in crx/de under /var/workflow/models. Essentially, you cannot set permissions per workflow model.

Now my approach was to create two sets of folders under the /var/workflow/models node: one for the restricted workflow models, /var/workflow/models/restricted, and another for the non-restricted workflow models, /var/workflow/models/non-restricted. I would move the OOB workflow models to the restricted folder and deny read permissions. This works fine! But the problem is that when I update a workflow model and press Sync, it will create the updated workflow model under /var/workflow/models, not the restricted or non-restricted folder. I would also need to move the /conf or /lib configurations for the workflows to a new path. Next, I have to consider that these changes need to be propagated to multiple environments (Dev, QA, Prod). And of course there will be issues during upgrades.

The whole thing seemed really messy/buggy and I was looking for a more elegant solution.

Community Advisor

Hi,

Please check Adobe Experience Manager Help | Common Repository Restructuring in AEM 6.4.

I believe workflows are getting read from conf and var.

You can simply restrict those models.



Arun Patidar

Level 2

Hello Arun, we have a requirement where specific custom workflows should be accessible to specific user groups. We tried the following approach, but no luck.

Level 2

We added the permission for the group at the conf/global/workflow/models level. But it does not provide the required permission.

Level 10

If /useradmin doesn't work, then there is another tool for more granular permissions -- /crx/de

Create multiple groups and restrict the model paths for each group per your use case using this console. I would update this thread, if I get a better solution.

1712452_pastedImage_0.png

Level 2

I'm adding the workflow:system tag to hide the workflows, as recommended earlier. I can add the workflow:system tag for some of the models but not for all.

For some models the UI for adding tags is grayed out.

Screen Shot 2019-03-22 at 10.11.56 AM.png

And if I try to add the tags property through crx/de I get an error.

Screen Shot 2019-03-22 at 10.11.37 AM.png

How do I add the system tag for these workflows?

Level 10

You cannot add it via /crx/de unless you tweak permissions.

The tag must be there OOB, either in /etc/tags or /content/cq:tags; pick it and apply it from page properties/Touch UI editor.

Level 2

I couldn't add the tag to the OOB workflows under /libs.

I got it to work by copying the model from /libs to /conf.

Thanks for your help.

Level 2

I have one more issue that came up. I am unable to edit the OOB Workflow Model called Activation Model. Not sure if this is just an issue in my local (AEM 6.4).

Screen Shot 2019-03-22 at 6.13.29 PM.png

http://localhost:4502/editor.html/libs/settings/workflow/models/activationmodel.html

I get an error stating No Resource found.

Community Advisor

Any new or modified Workflow Models must be migrated to /conf/global/workflow/models.

When migrating modified AEM-provided Workflow Models

With the Workflow Model Editor open, modify the browser's address URL, and replace the path segment /libs/settings/workflow/models with /etc/workflow/models.

For example, change: http://localhost:4502/editor.html/libs/settings/workflow/models/dam/update_asset.html to http://localhost:4502/editor.html/etc/workflow/models/dam/update_asset.html

Enable Edit mode in the Workflow Model Editor which will copy the Workflow Model definition to /conf/global/workflow/models.

Tap the Sync button to sync the changes to the Runtime Workflow Model under /var/workflow/models.

Export both the Workflow Model (/conf/global/workflow/models/<workflow-model>) and Runtime Workflow Model (/var/workflow/models/<workflow-model>) and integrate into the AEM project.

For example, export:

/config/settings/workflow/models/dam/my_workflow_model

and

/var/workflow/models/dam/my_workflow_model

Workflow Model resolution occurs in the following order:

/conf/global/settings/workflow/models

/libs/settings/workflow/models

/etc/workflow/models

Thus, any customizations of AEM-provided Workflow Models persisted in the Previous location must be moved to /conf/global/settings/workflow/models if they are to be retained, otherwise they will be superseded by the AEM-provided Workflow Model definition in /libs/settings/workflow/models.



Arun Patidar

Level 4

Hi Mandeep,

I am facing the same issue you have faced for ActivationModel.

Getting the error: Resource at /libs/settings/workflow/models/activationmodel.html not found.

https://aemdamauth1d.healthehostt.com:4443/editor.html/libs/settings/workflow/models/activationmodel...

Tried with the below path as well (per Arun Patidar's post), but same result (resource not found).

https://aemdamauth1d.healthehostt.com:4443/editor.html/etc/workflow/models/activationmodel.html

Did you get a chance to resolve this issue? If so, can you please share the resolution steps?

Thanks and regards,

Nitu

Community Advisor

I think the model is missing from AEM. Try creating a new workflow with the same name 'activationmodel' and title 'ActivationModel', and add the tag workflow:system to hide the workflow.



Arun Patidar