3.2 Setting Access Controls

Using the access control feature, you can specify which participants can transition an entry from one state to another. If the entry contains sensitive information at any time during the workflow process, you can also restrict who can view the entry. This feature implements “per entry” access control, checking privileges for individual entries at each state in the workflow process.

The following sections describe how to set up access control in Novell Teaming and how to use the workflow tools to set access control for one or more states.

3.2.1 What is Access Control?

When you create a workflow process using default settings, every user who can enter the discussion forum has access to view the entry and to participate in state changes. For almost all production-ready workflow systems, it is necessary to alter this default access control, so that:

  • Only members of the team assigned to the business process can participate in the workflow process.

  • Only designated responsible individuals participate in changing states.

NOTE: Access control is the term used to identify which users have the right to perform specific tasks at each state within the workflow process.

3.2.2 Planning Access Control

Before configuring access, identify the following:

  • States: You defined these in Section 3.1.2, Adding States to a Workflow.

  • Access rights: For each state, define who can view, modify or delete, respond to, and participate in state transitions.

  • Users or Groups: Map “participants” to usernames and group names within Novell Teaming.

Create a table to use for access-control planning as follows:

Table 3-1 Access Control Planning

| State | Participant | Access Required |
|---|---|---|
| Submit | The employee, or individual requesting time off | Only the manager and employee can see an employee's request. The manager is the only one allowed to transition the work to Review. |
| Review | The manager | The manager is the only one allowed to transition the work to Approve or Deny. Employees can review only their own pending requests in this state. |
| Approve | The manager and employee | The manager, employee, and HR may view the request in this state. Only HR can transition to Record. |
| Deny | The manager and employee | The manager and employee can review requests in the Deny state. |
| Record | Human Resources | The manager, employee, and HR can view the work in this completed state. |

Subsequent topics in this section describe how to implement this plan for access control.

3.2.3 Setting Access Rights

Entries in the Submit state need to be viewable by the users who created the PTO Requests, but not by any of their peers. In addition, only a manager can transition an entry from Submit to Review, and from Review to Deny or Approve. Human Resources needs to transition each entry from Approve to Record.

  1. From the Teaming Administration portlet on the initial Liferay portal window, click the plus sign (+) to the left of Form and view designers to expand this section and view the available designers.

     To add the Teaming Administration portlet to the Liferay portal window, click the Add Content link in the upper right corner. This brings up a panel of portlets along the left margin. Expand the Teaming section to add more Novell Teaming features, such as the Teaming Administration portlet.

  2. Click Workflow designer.

  3. Expand Workflow processes.

  4. Click PTO Request.

  5. Expand Workflow process.

  6. Add the Access controls to the workflow states:

    1. Click State - Submit.

    2. In the options dialog on the right, click Add.

    3. Click Access controls.

      Access controls is added below Transitions.

    4. Repeat Step 6.1 through Step 6.3 for each state to add the Access controls.

  7. Set the Read access rights:

    1. Under State - Submit, click Access controls.

    2. Click Add.

    3. Click Read access.

    4. Deselect the Folder default access option, select the Entry creator option, add the Managers group, then click OK.

      Now only the entry creator and managers can view these entries.

      The Select an entry type drop-down list allows you to add any user lists that might be assigned to specific entry types.

    5. Repeat Step 7.1 through Step 7.4 for each state to add the Read access rights (make sure to give the Human Resources group Read access rights in the Approve and Record states).

  8. Set the Transition out of this state access controls:

    1. Under State - Submit, click Access controls.

    2. Click Add.

    3. Click Transition out of this state.

    4. Deselect the Folder default access option, add the Managers group, then click OK.

      Now only a Manager can transition the entry out of the Submit state.

    5. Repeat Step 8.1 through Step 8.4 for the Review and Approve states with the following rights:

      • Review: Managers group only

      • Approve: Human Resources group only

  9. Set the Transition into this state access controls:

    1. Under State - Review, click Access controls.

    2. Click Add.

    3. Click Transition into this state.

    4. Deselect the Folder default access option, add the Managers group, then click OK.

      Now only a Manager can transition the entry into the Review state.

    5. Repeat Step 9.1 through Step 9.4 for the Approve, Deny, and Record states with the following rights:

      • Deny: Managers group only

      • Approve: Managers group only

      • Record: Human Resources group only

      The access rights for this workflow are now set. You can log in as the members of the various groups to walk through the workflow and test it.

      NOTE: To map the business process correctly, you must set the Transition out of this state and the Transition into this state access rights correctly for all states in your workflow.
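The rights set in Step 7 through Step 9, modeled as data so the plan can be checked before you walk through it with test accounts. This is an added example, not Novell Teaming code or its API; the dictionary layout, the function names, and the rule that a transition needs both the "out of" right on the source state and the "into" right on the target state are assumptions of the model.

```python
# Constructed model of the PTO Request plan; not Novell Teaming code or API.
CREATOR = "entry-creator"          # stands for the "Entry creator" option
FOLDER_DEFAULT = "folder-default"  # right left unconfigured: anyone with folder access

READ = {
    "Submit":  {CREATOR, "Managers"},
    "Review":  {CREATOR, "Managers"},
    "Approve": {CREATOR, "Managers", "Human Resources"},
    "Deny":    {CREATOR, "Managers"},
    "Record":  {CREATOR, "Managers", "Human Resources"},
}
OUT = {"Submit": {"Managers"}, "Review": {"Managers"}, "Approve": {"Human Resources"}}
INTO = {"Review": {"Managers"}, "Approve": {"Managers"},
        "Deny": {"Managers"}, "Record": {"Human Resources"}}
TRANSITIONS = [("Submit", "Review"), ("Review", "Approve"),
               ("Review", "Deny"), ("Approve", "Record")]

def principals(user, groups, creator):
    """Principals a user holds for one entry: groups, plus creator if applicable."""
    return set(groups) | ({CREATOR} if user == creator else set())

def allowed(acl, held):
    return FOLDER_DEFAULT in acl or bool(acl & held)

def can_read(state, user, groups, creator):
    return allowed(READ.get(state, {FOLDER_DEFAULT}), principals(user, groups, creator))

def can_transition(src, dst, user, groups, creator):
    """Model assumption: the user needs 'out of' on src AND 'into' on dst."""
    if (src, dst) not in TRANSITIONS:
        return False
    held = principals(user, groups, creator)
    return (allowed(OUT.get(src, {FOLDER_DEFAULT}), held)
            and allowed(INTO.get(dst, {FOLDER_DEFAULT}), held))

def audit(read=READ, out=OUT, into=INTO):
    """List rights still at folder default and transitions nobody can perform."""
    findings = [f"{s}: read is folder default" for s in read if FOLDER_DEFAULT in read[s]]
    for src, dst in TRANSITIONS:
        o, i = out.get(src, {FOLDER_DEFAULT}), into.get(dst, {FOLDER_DEFAULT})
        if FOLDER_DEFAULT in o or FOLDER_DEFAULT in i:
            findings.append(f"{src}->{dst}: a transition right is folder default")
        elif not (o & i):
            findings.append(f"{src}->{dst}: no principal holds both rights")
    return findings
```

An empty list from `audit()` means every transition has matching "out of" and "into" rights and no right was left at the folder default.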

3.2.4 Summary

Access control is an important aspect of workflow, because it allows a workflow designer to set levels of security and access to each task within the workflow.

While developing a workflow process, you can use workflow tools to set access for one state at a time or to work with more than one state simultaneously. Access control covers who can see, modify or delete, respond to (a workflow question), or transition into or out of a specified state. When defining access control, you can specify all users, entry creators, or specific users and groups.

When you consider granting workflow access to an individual, distinguish between cases where more than one individual can use the workflow and cases where a specific individual always uses the workflow. The Entry creator option applies to any Novell Teaming user who can create entries in that folder. However, there might be occasions when a specific user should be the only user who has certain access rights every time the workflow runs for an entry.