SOLVED

Permissions for workflow / change default new workflow model


Hello,

I am using CQ 5.6.1. I want my content authors to be able to create workflows.

I have added the group 'workflow-editors' to the groups of the 'Authors' group, so now I can see permissions have been added on '/etc/workflows'.

But unfortunately this still does not allow members of the 'Authors' group to create a workflow.

When adding a new workflow model, a popup appears: 'Could not generate workflow model'.

In the logs I see the following Exception:

Context com.adobe.granite.workflow.console.servlet.ModelGenerateServlet: Could not create workflow model java.lang.IllegalStateException: Can't overwrite cause
        at java.lang.Throwable.initCause(Throwable.java:456)
        at org.apache.sling.api.SlingException.<init>(SlingException.java:73)
        at com.adobe.granite.workflow.console.servlet.ServletUtil.getAuthorizable(ServletUtil.java:83)
        at com.adobe.granite.workflow.console.servlet.ModelGenerateServlet$ContentVisitor.copyMetaData(ModelGenerateServlet.java:405)
        at com.adobe.granite.workflow.console.servlet.ModelGenerateServlet$ContentVisitor.handleStep(ModelGenerateServlet.java:328)
        at com.adobe.granite.workflow.console.servlet.ModelGenerateServlet$ContentVisitor.entering(ModelGenerateServlet.java:287)
        at javax.jcr.util.TraversingItemVisitor.visit(TraversingItemVisitor.java:182)
        at org.apache.jackrabbit.core.NodeImpl.accept(NodeImpl.java:1735)
        at javax.jcr.util.TraversingItemVisitor.visit(TraversingItemVisitor.java:191)
        at com.adobe.granite.workflow.console.servlet.ModelGenerateServlet.doPost(ModelGenerateServlet.java:161)
        at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:148)
        at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
        at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
        at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:508)

But the model does seem to be created, though. As an author I cannot edit it. An error occurs on the page. The last part of the stack trace is:

Caused by: com.day.cq.security.NoSuchAuthorizableException: No Authorizable with ID admin
        at com.day.cq.security.impl.CQUserManagerImpl.get(CQUserManagerImpl.java:140)
        at org.apache.jsp.libs.cq.workflow.components.model.participant.details_jsp._jspService(details_jsp.java:176)
        at org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:502)
        ... 218 more

But as an admin I can edit that workflow and that's how I discovered what the problem is (while I was describing this issue here on the forum):

The newly created workflow contains a participant step, assigned to 'admin' (hence the error when opening the workflow as an Author I assume). If I remove the participant step (or assign it to a group the 'author' user belongs to like 'Contributors' or 'workflow-editors') the 'author' can edit the workflow model.

So my question now is: how can I change the default workflow model created, so that an author user can create a workflow model all by himself without interaction from an Admin?

Thanks in advance for any suggestions.

 

Luc Feys

1 Accepted Solution


Correct answer by
Level 10

As a workaround, make sure the user/group has read access to /home/users/a/admin. This is because initially the workflow is created with a default Participant step that gets assigned to Administrator.

If the workaround is not acceptable, file a Daycare ticket and mention the internal bug CQ5-13363 in it.
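
The workaround above expressed as JCR API calls, as an added example that is not part of the original answer and not Adobe code: it grants only jcr:read on /home/users/a/admin to a single group and lets you confirm the result from an author's session. The class name and the choice of 'workflow-editors' as the group are assumptions; the caller supplies an administrative Session.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;

/** Hypothetical helper (added example): applies the workaround from this thread. */
public final class AdminNodeReadGrant {
    static final String ADMIN_NODE = "/home/users/a/admin"; // path from the thread
    static final String GROUP_ID = "workflow-editors";      // assumption: the authors' group

    /** Adds an allow entry for jcr:read only; returns false if nothing changed. */
    public static boolean grantRead(Session adminSession) throws RepositoryException {
        Principal group = ((JackrabbitSession) adminSession)
                .getPrincipalManager().getPrincipal(GROUP_ID);
        if (group == null) throw new RepositoryException("No principal named " + GROUP_ID);
        AccessControlManager acm = adminSession.getAccessControlManager();
        AccessControlList acl = findAcl(acm, ADMIN_NODE);
        // Read only: no write, ACL-edit or other privileges on the admin user node.
        Privilege[] readOnly = { acm.privilegeFromName(Privilege.JCR_READ) };
        boolean changed = acl.addAccessControlEntry(group, readOnly);
        if (changed) {
            acm.setPolicy(ADMIN_NODE, acl);
            adminSession.save();
        }
        return changed;
    }

    /** Returns the ACL already bound to the node, or an applicable empty one. */
    static AccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        throw new RepositoryException("No ACL policy applicable at " + path);
    }

    /** Run with a session of an 'Authors' member: true once the node is visible. */
    public static boolean canRead(Session authorSession) throws RepositoryException {
        return authorSession.nodeExists(ADMIN_NODE);
    }
}
```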


2 Replies


Hi,

A couple of things you can try:

1. The workflow-editors or workflow-users group (using the same-name principal "ACL") has read-only access defined (from the principal). So if you have inherited the group workflow-editors to Author, it means it only applies the read access to Author (until you modify it manually). The group inheritance looks like the following (OOTB):

Author-->workflow-editors-->workflow-users-->contributor (and the contributor only sets up read access)

2. Now, if you need write access for users/groups, you have to either create a new principal with the desired permissions, create a new group using this principal and then inherit it to Author or any group you want, or manually change the permissions.

 

Observation

1. Not sure how it is creating the model even though you don't have write permission. Maybe there is some broken link there.

 

Thanks,

Pawan