I am having an issue with the visibility my service account has on running workflow instances.
I am trying to write a scheduler that will check for running content approval workflows being idle for more than x days and notify their initiator.
This is on AEM 6.1 so I am using resourceResolverFactory.getServiceResourceResolver(p). I've created a system user and mapped it with a service name and my bundle id in the Sling Service User Mapping amendment config.
So far all good, my code gets the session as expected. I want to use the the WorkflowService to manipulate instances and check metadata so I am passing the session to getWorkflowSession() like such:
WorkflowSession workflowSession = workflowService.getWorkflowSession(session);
This is OK as well but the problem I have tis that this session is not able to "see" the running instances. I am understanding that the service account (system user) has to have sufficient privileges on the right nodes to manipulate them but I've tried everything I could think of in terms of ACL up to "allow jcr:all" for the service account user on /etc/workflow.
Just for the sake of knowing where the issue was coming from, I switched the way I am getting the session to use the deprecated
and of course this works. I see the right number of running instances and I am able to get the workflow objects.
So my question is: Is there a magical special place I should open permissions to for my system user so it sees running instances like an admin would?
I was poking around on this forum and found that issue that seems to be somehow related
Quick update: as mentioned in this similar issue, if I add my service account to the administrators group, it works and it is able to see the workflow instances.
Obviously, that is not what should be done but I felt it was a valuable information to this issue. It definitely seems like a permission issue but some help on figuring out what has to be granted where would be greatly appreciated. 😉
I am experiencing all the same issues, when I add the service user to the administrators group it works. Do you have any idea what permission it is causing it to work?