Question

Workflow Web Interface Security

asked on July 14, 2016

I've discovered that all users in our domain appear to have access to the Laserfiche Workflow Web interface.  I can't figure out where the permissions are coming from.  According to the help link "Laserfiche Workflow Web uses Windows authentication to determine your current Windows account. Your current Windows user account also determines which workflows are visible in Laserfiche Workflow Web."

Not all users should be able to get to this page.  Once at the page they can all see everything.  Can someone point me in the direction of the specific location of where to configure the permissions?

0 0

Replies

replied on July 15, 2016

Thanks for the additional info Carl.  I see several issues that I think should be addressed.

  • It seems that the default permissions for the Workflow install are Everyone...Administrator.
  • Everyone shouldn't have access to the website.
  • I shouldn't have to re-add a group to remove permissions.
  • How can I see all the permissions to a workflow without re-adding a group?  How do I even know what groups that I may have to re-add?
  • Should removing a user or group from the Permissions and Rights menu also remove the permissions and rights to previously published Workflows?
  • After re-adding a group it is cumbersome to have to assign Workflow Rights to each and every Workflow.

 

I'm very new to Workflow so maybe I'm missing some concepts, but these are my initial thoughts.

Rob

1 0
replied on July 15, 2016

I agree with all of your points.

 

My suspicion is individual workflow rights are assigned based on the General Permissions set in the workflow admin console. Whatever is set at the time of publishing is inherited by the workflow and stays with it until republished or individually changed.

 

Which would mean, another option is to re-publish all of your workflows so the new general permissions are inherited. I haven't tested this theory yet.

0 0
replied on July 18, 2016

Another tidbit. It looks like the workflow schedule monitor will run under an account which also needs access to the individual workflow; otherwise it will not recognize that the workflow exists.

 

 

Laserfiche.Workflow.Objects.WfsoObjectNotFoundException: Workflow 137 does not exist. [0516-WF10]
   at Laserfiche.Workflow.Objects.Database.GetPublishedWorkflow(Int32 workflowId, Boolean throwIfNotFound)
   at Laserfiche.Workflow.ScheduleMonitor.Program.StartWorkflow(String configFile, Int32 workflowId, String scheduleName)

 

It's resolved by returning view access to the specific workflow.

0 0
replied on July 18, 2016

The schedules run under the WF Server's service account. And yes, that user needs rights to see the workflows.

1 0
replied on July 14, 2016

Under Workflow Administration -> Security -> Permission and Rights 

0 0
replied on July 15, 2016

I did check the permissions in the location that you mentioned.  Originally "Everyone" was set to be Administrator.  That seems to be the default which is a concern.

I had removed the everyone group and only have a couple of users specified as having access.  I restarted the services, rebooted the server, but all users can still access the site.

0 0
replied on July 15, 2016

Hi Rob, As you mentioned earlier

 

"...Your current Windows user account also determines which workflows are visible in Laserfiche Workflow Web"

 

Since admin was defaulted and left on for some time, I think each already published workflow will have them as allowed viewers. You can check by selecting the user or group and then clicking on workflow rights.

See if that does the trick?

 

The users will still be able to access the workflow site, but they shouldn't see any workflow which they don't have permissions for.

 

Cheers,

Carl

0 0
replied on July 15, 2016

Carl, that's not quite right. If Everyone was removed, the users wouldn't have viewer rights anymore unless directly granted to them. You are correct though that the site would be accessible in all cases and the user would only see workflows they have at least "viewer" rights on.

0 0
replied on July 15, 2016

I'm working in my development environment so I only have 3 users all of whom are assigned as administrators.  I have attached a screenshot of the permissions as well as a screenshot of the access to an account called "testing.user" which is not one of the 3 administrators and should not have access to anything.

The testing.user can access all workflows.

Only users with permission should be able to access the site, not all users in my domain.  I don't want them accessing the site even if they couldn't see any workflows.

0 0
replied on July 15, 2016

Miruna and Rob,

 

In my testing as well, even if you remove the Everyone group, the previously set individual workflow rights still apply to the old workflows.

 

To effectively remove their viewing rights, you have to add the Everyone group back, remove their individual workflow rights one by one, and then press OK and set their general permissions to No Access. This will not only ensure they do not inherit rights to newly published workflows but also allow the visibility to check permissions on all individual workflows.

0 0
replied on July 15, 2016

 

Again, if you just remove the Everyone group, all individual workflow permissions which were left on before removal will remain in effect.

2 0
replied on July 15, 2016

Workflow security defaults are modeled on the Laserfiche repository defaults where you start out with an "admin" user with no password. In other words, it starts out unsecured and you need to restrict access as you let users in. It's done to make it easier for initial configuration. For Workflow, the fact that users could only access it through the Designer in the past obscured the security setup somewhat.

All users get view access to workflows so they can see stats for business processes. If that is not desired, the Workflow Web Designer site can be secured with Windows security on the web application's underlying folder.

In your case, Rob, you can modify permissions on the <WF install folder>\Web\Laserfiche.Workflow.WebDesigner folder to only allow read and write to the 3 users you want to have access and the application pool user used for "WorkflowWebDesignerAppPool". Please ensure that the rights are applied to the folder and all child subfolders and files.

0 0
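
The folder lockdown described in the last reply can be scripted; the following is an added example, not code from Laserfiche or from any poster in this thread. It assumes the application pool runs as ApplicationPoolIdentity, maps "read and write" to Read & execute plus Write, and keeps SYSTEM and local Administrators with Full control; the parameter names and the sample user name are hypothetical.

```powershell
# Added example, not Laserfiche code. Audits by default; -Apply rewrites the ACL.
param(
    [Parameter(Mandatory)][string]   $WfInstallFolder,  # "<WF install folder>" from the reply
    [Parameter(Mandatory)][string[]] $AllowedUsers,     # e.g. 'CONTOSO\rob' (constructed name)
    # Assumption: the pool runs as ApplicationPoolIdentity; pass the real account if not.
    [string] $AppPoolAccount = 'IIS AppPool\WorkflowWebDesignerAppPool',
    [switch] $Apply
)
$folder = Join-Path $WfInstallFolder 'Web\Laserfiche.Workflow.WebDesigner'
if (-not (Test-Path -LiteralPath $folder -PathType Container)) { throw "Not found: $folder" }

# Assumption: SYSTEM and local Administrators keep Full control so the folder stays manageable.
$admins   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$expected = @($AllowedUsers) + $AppPoolAccount + $admins

# Audit: report every allow ACE held by a principal outside the expected list
# (for example Everyone, Users or Authenticated Users inherited from the parent).
$acl = Get-Acl -LiteralPath $folder
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ("Unexpected ACE: {0} = {1} (inherited: {2})" -f
            $_.IdentityReference, $_.FileSystemRights, $_.IsInherited)
    }
if (-not $Apply) { return }

# Stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Discard whatever explicit entries remain, one identity at a time.
foreach ($rule in @($acl.Access)) { $acl.PurgeAccessRules($rule.IdentityReference) }

# Grant only the expected principals; the entries flow to subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$grants  = @{}
foreach ($u in @($AllowedUsers) + $AppPoolAccount) { $grants[$u] = 'ReadAndExecute, Write' }
foreach ($a in $admins) { $grants[$a] = 'FullControl' }
foreach ($id in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $grants[$id], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $folder -AclObject $acl

# Children: replace their own ACLs with ones inherited from the folder just secured,
# so no subfolder or file keeps an older, wider entry.
icacls (Join-Path $folder '*') /reset /T /C /Q
```

Run it without `-Apply` first to see which principals currently reach the folder. This restricts who can load the site only; rights on individual published workflows are still managed in the Workflow Administration Console as discussed above.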