Process Supervisor Security


#1

Is it possible to have conditional process supervisors? If not is there a good way to handle the following situation.

We have Holiday Form workflow which staff use to book and keep track of their holiday bookings. The forms are raised by HR, Holiday is requested by the employee and goes to the manager for approval, HR and other CCs are notified of any bookings. HR can also maintain the forms, submit and approve holiday requests. We need HR for each site to be a process supervisor so they can see and maintain all the forms for their site however we don’t want them to see all the holiday forms for every site in the organisation.

So what I would like is…
if the Site Is Bradford, UK then Bradford HR are process supervisors but Bradford HR cant see the holiday forms for Seattle or all the other sites… The only way I can think of doing this is to have multiple processes but with hundreds of sites that will be a maintenance headache. I could probably use code behind to stop them opening the forms but that doesn’t stop them seeing the form archives or reporting on the forms for the entire organisation.

Any help or advise would be gratefully appreciated.


#2

Hi Simon,

This is definitely achievable using the Supervisor Limited Scope.

You can use for example the DEPARTMENT user attribute to filter the requests for process supervisors.

In your form, simply include a process data that contains the department info (eg. FORM_DEPARTMENT)
And in the limited scope query, simply indicate that DEPARTMENT = @FORM_DEPARTMENT

Let me know if this helps.

Regards,
Eddy.


#3

Hi Eddy,

Thanks for that, I simply hadn’t understood the query box at the bottom and wasn’t aware how to use it. This seems exactly what I need and I have set up a test for it. I have a site data populated on the form and I can tie that in with the user’s Office property using the syntax you supplied. I have set up a test for later and will update again.

Can I check that I fully understand this feature?

You can use any of the users properties (providing they are populated in Active Directory) and compare with any data from your form. Can you set these up just on the USERS table or will they be overwritten by what is held in Active Directory for the users?

An alternative is to use one of the three macros.

ISMember is really powerful! If you have a data that is the group name you can populate it from code behind and set the security at whatever level you wish based on the logic in your code and use your own tables etc. { ISMEMBER(@HEADER_GROUPNAME)}. Have I got that right?

IsManager does the same as using the manager property of the user and isstaffmember is very similar but the other way round.

Again, thanks for your help, you have saved me a lot of pain.

Cheers

Simon


#4

Hi Simon,

Exactly. During the synchronization, all the users’ attributes go in the USERS table. If you’re synchronizing your Active Directory, I recommend you to add the user attributes in the Active Directory so that the changes also get applied to the USERS table.

Yes. In that case, process supervisors can see a request only if they belong to the group indicated in that request’s process data (HEADER_GROUPNAME)

It’s a pleasure!

Regards,
Eddy.


#5

Hi Eddy,

I tried to set up the latter and it just didn’t seem to work. I created a global list for groups based on the table in WFGdb. I then added two groups to this “Holiday See All” and “Holiday Admin”. I added these as participants giving the first limited process supervisor rights and the second full rights. I added one user to the first and one to the second putting the condition in in the same syntax we both mentioned based on data in the form selected from the Group list. Neither user could see either form when I expected the first to be able to view it and the second to reassign it.

Judging by your previous reply I have correctly understood this functionality but it just didn’t work. No doubt a mistake I have made somewhere but I don’t know how to track it down. Is it that they need to be AD Groups not groups from my list?

Cheers

Simon


#6

Hi Simon,

Please open a ticket in our Helpdesk site so we can take a look at this issue.

Regards,
Eddy.