How To Restrict Access To Workflow Models For A User Or Group

mandeeps2575712

12-03-2019

In AEM 6.4, when a user is on a page, they can start a workflow by going to Page Properties and selecting Start Workflow. Next, a pop-up is displayed which lists the available workflows the user can start, as shown below.

listofworkflows.png

I would like to hide certain workflows in this list from certain users/groups. For instance, I want to show only the Download Asset and Project Approval Workflow for a group. Everything else should be hidden.

The following article, "How to hide workflow models in the start workflow list?", states that I should be able to add the workflow:system tag to a workflow model to hide it. However, adding that tag did not work.

What is the recommended way of restricting the list of workflow models that appear when a user selects start workflow?

Accepted Solutions (1)

Gaurav-Behl

MVP

12-03-2019

I've verified that this link, "How to hide workflow models in the start workflow list?", still works for 6.4.

1) Open workflow properties in Touch UI

2) Add the tag 'workflow:system' and remove other tags, if any.

3) Save the changes and close the properties dialog

4) Click on the Sync button to propagate the changes to the corresponding workflow model definition under the /var/workflow/models/<name>/metaData node.

5) Validate that you can see "tags" property as "system" on the metaData node

6) That specific model with "system" tag would stop appearing in the dropdown on your content page.

Answers (13)

Arun_Patidar

MVP

01-07-2019

I think the model is missing from AEM. Try creating a new workflow with the same name 'activationmodel' and title 'ActivationModel', and add the tag workflow:system to hide the workflow.

mynitumail

01-07-2019

Hi Mandeep,

I am facing the same issue you have faced for ActivationModel.

Getting error as - Resource at /libs/settings/workflow/models/activationmodel.html not found.

https://aemdamauth1d.healthehostt.com:4443/editor.html/libs/settings/workflow/models/activationmodel...

Tried with the below path as well (per Arun Patidar's post), but same result (resource not found).

https://aemdamauth1d.healthehostt.com:4443/editor.html/etc/workflow/models/activationmodel.html

Did you get a chance to resolve this issue? If so, can you please share the resolution steps?

Thanks n Regards,

Nitu

Arun_Patidar

MVP

22-03-2019

Any new or modified Workflow Models must be migrated to /conf/global/workflow/models.

When migrating modified AEM-provided Workflow Models:

With the Workflow Model Editor open, modify the browser's address URL, and replace the path segment /libs/settings/workflow/models with /etc/workflow/models.

For example, change: http://localhost:4502/editor.html/libs/settings/workflow/models/dam/update_asset.html to http://localhost:4502/editor.html/etc/workflow/models/dam/update_asset.html

Enable Edit mode in the Workflow Model Editor which will copy the Workflow Model definition to /conf/global/workflow/models.

Tap the Sync button to sync the changes to the Runtime Workflow Model under /var/workflow/models.

Export both the Workflow Model (/conf/global/workflow/models/<workflow-model>) and Runtime Workflow Model (/var/workflow/models/<workflow-model>) and integrate into the AEM project.

For example, export:

/config/settings/workflow/models/dam/my_workflow_model

and

/var/workflow/models/dam/my_workflow_model

Workflow Model resolution occurs in the following order:

/conf/global/settings/workflow/models

/libs/settings/workflow/models

/etc/workflow/models

Thus, any customizations of AEM-provided Workflow Models persisted in the previous location must be moved to /conf/global/settings/workflow/models if they are to be retained; otherwise they will be superseded by the AEM-provided Workflow Model definition in /libs/settings/workflow/models.

mandeeps2575712

22-03-2019

I have one more issue that came up. I am unable to edit the OOB Workflow Model called Activation Model. Not sure if this is just an issue in my local (AEM 6.4).

Screen Shot 2019-03-22 at 6.13.29 PM.png

http://localhost:4502/editor.html/libs/settings/workflow/models/activationmodel.html

I get an error stating No Resource found.

Gaurav-Behl

MVP

22-03-2019

You cannot add it via /crx/de unless you tweak permissions.

The tag must be there OOB either in /etc/tags or /content/cq:tags. Pick it and apply it from page properties/Touch UI editor.

mandeeps2575712

22-03-2019

I'm adding the workflow:system tag to hide the workflows, as recommended earlier. I can add the workflow:system tag for some of the models but not for all.

For some models the UI for adding tags is grayed out.

Screen Shot 2019-03-22 at 10.11.56 AM.png

And if I try to add the tags property through crx/de I get an error.

Screen Shot 2019-03-22 at 10.11.37 AM.png

How do I add the system tag for these workflows?

Gaurav-Behl

MVP

15-03-2019

If /useradmin doesn't work, then there is another tool for more granular permissions -- /crx/de

Create multiple groups and restrict the model paths for each group per your use case using this console. I would update this thread, if I get a better solution.

1712452_pastedImage_0.png
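The per-group restriction suggested in this reply, sketched as an added example that is not part of the original thread or Adobe's code: it uses the JCR/Jackrabbit access control API to add a deny `jcr:read` entry for one group on the model paths, plus a check to run with a group member's session. The class name, the group id and the model paths passed in are assumptions supplied by the caller.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/** Added example (hypothetical class): deny jcr:read on workflow model nodes for one group. */
public final class WorkflowModelReadAcl {

    private WorkflowModelReadAcl() {}

    /**
     * Adds a deny jcr:read entry for groupId on each model path that exists.
     * adminSession must be allowed to modify access control on those paths.
     * Returns the number of paths whose policy was changed.
     */
    public static int denyRead(Session adminSession, String groupId, String... modelPaths)
            throws RepositoryException {
        Authorizable group =
                ((JackrabbitSession) adminSession).getUserManager().getAuthorizable(groupId);
        if (group == null || !group.isGroup()) {
            throw new IllegalArgumentException("No such group: " + groupId);
        }
        Principal principal = group.getPrincipal();
        String[] read = { Privilege.JCR_READ };
        int changed = 0;
        for (String path : modelPaths) {
            if (!adminSession.nodeExists(path)) {
                continue; // model is not stored at this location, nothing to restrict
            }
            // isAllow = false makes this a deny entry for the group
            if (AccessControlUtils.addAccessControlEntry(adminSession, path, principal, read, false)) {
                changed++;
            }
        }
        if (changed > 0) {
            adminSession.save(); // persist the ACL changes in one commit
        }
        return changed;
    }

    /** Run with a session of a group member: true means the model is still readable. */
    public static boolean stillReadable(Session memberSession, String modelPath)
            throws RepositoryException {
        return memberSession.nodeExists(modelPath); // false when the node is hidden by the ACL
    }
}
```

Pass both the runtime path (for example /var/workflow/models/<wf_name>) and the corresponding design-time model path, then confirm with `stillReadable` that a member of the group no longer sees either node.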

mandeeps2575712

15-03-2019

That was my approach initially, but when you go to /useradmin to set permissions, not all of the workflow models show up individually.

In the useradmin console when setting permissions, if you open the /var/workflow/models node you will not see all of the models that you see in crx/de under the /var/workflow/models. Essentially you cannot set permissions per workflow model.

Now my approach was to create two sets of folders under the /var/workflow/models node: one for the restricted workflow models, /var/workflow/models/restricted, and another for the non-restricted workflow models, /var/workflow/models/non-restricted. I would move the OOB workflow models to the restricted folder and deny read permissions. This works fine! But the problem is that when I update a workflow model and press Sync, it will create the updated workflow model under /var/workflow/models, not the restricted or non-restricted folder. I would also need to move the /conf or /lib configurations for the workflows to a new path. Next, I have to consider that these changes need to be propagated to multiple environments (Dev, QA, Prod). And of course there will be issues during upgrades.

The whole thing seemed really messy/buggy and I was looking for a more elegant solution.

Gaurav-Behl

MVP

15-03-2019

"Adding the system tag hides the workflow model for all users."  -- this is correct

"Is there a way to only hide the workflow models for certain groups or a user?" -- Never tried that but, in theory, you could remove the read access to /var/workflow/models/<wf_name> and corresponding model paths in /conf or /lib for that specific user/group and it should stop populating in the drop-down. This should work.