loading table of contents...

5.6. Programming Rights Policies

Rights policies protect access to process and task instance operations. They can be performed on the server and client side so a GUI Client component may limit the offered buttons, menus etc. to the actual permitted operations.

The following rights are defined for process instances and can be granted to individual users or groups:

  • Read and write variables exported by the processes client view

  • Create new process instances

  • Start process instances

  • Suspend and resume process instances

  • Abort process instances

The following rights are defined for task instances and can be granted to individual users or groups:

  • Read and write variables exported by the tasks client view

  • Reject, accept, cancel and complete a task instance

  • Assign, delegate and skip a task instance

  • Retry the last transaction of an escalated task instance

The policies are not directly accessible, checks must be performed via WfInstance.hasPermission(), which checks the rights of the current session's user.

Customized rights policies must never access any client or server specific classes, as it will be executed on both sides. It may provide a client and a server-specific implementation of an interface, that gives access to client or server specific classes. Logging must be done to the generic logging facility defined by com.coremedia.workflow.common.Common.

Interface to implement

Rights policies must implement the interface WfRightsPolicy.

Default implementation

If you only want to adapt the default policy to your needs, subclass the default rights policy AclRightsPolicy and override the appropriate methods.

Defining the policy in the workflow definition

Defining your own rights policy in the workflow definition is quite simple. You only need to add the policyClass attribute to the <Rights> tag as shown in Example 5.11, “Integrate own rights policy in the workflow definition”. This class must be available in the classpath of the Workflow Server and Site Manager. That means you need a runtime dependency on this JAR file in your Site Manager application module and Workflow Server web application in the workspace.

<Workflow>
  <Process name="TestWorkflow" startTask="FirstOne">
    <Rights policyClass="myPackage.MyOwnRightsPolicy">
      <!-- ... more elements and attributes ... -->
    </Rights>
    .
    .
  </Process>
</Workflow>

Example 5.11. Integrate own rights policy in the workflow definition