Question

Allow users to build but not Publish Forms

asked on July 14, 2022

Is there a way to set the security so that a User can only create or modify a Form but not Publish it?

Ideally, I would like to be able to restrict a User from Saving a Form once it has been Published.

I realise that I can manually change their role to "Submitter", but was hoping for something more automated.

Jono

0 0

Answer

SELECTED ANSWER
replied on July 15, 2022

I don't think there is any role that would grant permissions in this manner.

But here's something to at least help you identify where items need to be updated manually. This query identifies any users or groups that have "Process Admin" permissions on published processes. You could set up a workflow that runs this each day and emails you if any results are found or something similar.

This was tested on Forms 11 Update 2.  

SELECT
  bp.[name] AS [process_name],
  u.[username] AS [username],
  u.[displayname],
  CASE
    WHEN uir.[role_id] = 1 THEN 'Process Admin'
    WHEN uir.[role_id] = 3 THEN 'Submitter'
    WHEN uir.[role_id] = 7 THEN 'Business Manager'
    ELSE CAST(uir.[role_id] AS VARCHAR(20))
  END AS [role]
FROM [LFForms].[dbo].[cf_business_processes] AS bp
LEFT JOIN [LFForms].[dbo].[cf_users_in_role] AS uir ON uir.[bizprocess_applied] = bp.[bp_id]
LEFT JOIN [LFForms].[dbo].[cf_users] AS u ON u.[user_id] = uir.[user_id]
WHERE bp.[is_deleted] = 0       --Exclude deleted processes
  AND bp.[is_activated] = 1     --Only review published processes
  AND uir.[role_id] IS NOT NULL --Exclude processes with no user assignments
  AND uir.[role_id] <> 0        --Exclude deleted assignments 
  AND uir.[role_id] <> 3        --Exclude submitters 
  AND uir.[role_id] <> 7        --Exclude business managers 
  AND u.[username] <> 'matthew'   --Exclude username of employee who is allowed to be Process Admin

UNION 

SELECT
  bp.[name] AS [process_name],
  'GROUP' AS [username],
  g.[full_group_name] AS [displayname],
  CASE
    WHEN gir.[role_id] = 1 THEN 'Process Admin'
    WHEN gir.[role_id] = 3 THEN 'Submitter'
    WHEN gir.[role_id] = 7 THEN 'Business Manager'
    ELSE CAST(gir.[role_id] AS VARCHAR(20))
  END AS [role] 
FROM [LFForms].[dbo].[cf_business_processes] AS bp
LEFT JOIN [LFForms].[dbo].[cf_usergroups_in_role] AS gir ON gir.[bizprocess_applied] = bp.[bp_id]
LEFT JOIN [LFForms].[dbo].[cf_usergroups] AS g ON g.[group_id] = gir.[group_id]
WHERE bp.[is_deleted] = 0       --Exclude deleted processes
  AND bp.[is_activated] = 1     --Only review published processes
  AND gir.[role_id] IS NOT NULL --Exclude processes with no group assignments
  AND gir.[role_id] <> 0        --Exclude deleted assignments 
  AND gir.[role_id] <> 3        --Exclude submitters
  AND gir.[role_id] <> 7        --Exclude business managers
  AND g.[full_group_name] <> 'Forms Administrator'   --Exclude name of group who is allowed to be Process Admin

Update lines 20 and 43 (and/or duplicate the lines if necessary) with the names of any users/groups that are allowed to be process admins on published processes.  Remove (or comment out) lines 19 and 42 if you want to include Business Managers instead of just Process Admins. 

2 0
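An added example, not part of the original answer: the same audit rewritten so the permitted users and groups live in one allow-list instead of one `<>` line per name, which covers the "duplicate the lines if necessary" case. The `@allowed` table variable and its sample rows are assumptions; the tables and columns are the ones used in the query above.

```sql
-- @allowed and its two sample rows are assumptions for illustration; the tables
-- and columns are the ones used in the query above. Run as a single batch.
DECLARE @allowed TABLE (
  principal_type VARCHAR(5)    NOT NULL,  -- 'USER' or 'GROUP'
  principal_name NVARCHAR(256) NOT NULL
);
INSERT INTO @allowed (principal_type, principal_name) VALUES
  ('USER',  N'matthew'),
  ('GROUP', N'Forms Administrator');

SELECT
  bp.[name] AS [process_name],
  u.[username] AS [username],
  u.[displayname] AS [displayname],
  CASE WHEN uir.[role_id] = 1 THEN 'Process Admin'
       ELSE CAST(uir.[role_id] AS VARCHAR(20)) END AS [role]
FROM [LFForms].[dbo].[cf_business_processes] AS bp
INNER JOIN [LFForms].[dbo].[cf_users_in_role] AS uir ON uir.[bizprocess_applied] = bp.[bp_id]
LEFT JOIN [LFForms].[dbo].[cf_users] AS u ON u.[user_id] = uir.[user_id]
WHERE bp.[is_deleted] = 0                 --Exclude deleted processes
  AND bp.[is_activated] = 1               --Only review published processes
  AND uir.[role_id] NOT IN (0, 3, 7)      --Same role exclusions as the original query
  -- NOT EXISTS keeps a row whose username is NULL (an assignment with no matching
  -- user record); a "<> 'name'" comparison would silently drop that row.
  AND NOT EXISTS (SELECT 1 FROM @allowed AS a
                  WHERE a.principal_type = 'USER'
                    AND a.principal_name = u.[username] COLLATE DATABASE_DEFAULT)

UNION

SELECT
  bp.[name] AS [process_name],
  'GROUP' AS [username],
  g.[full_group_name] AS [displayname],
  CASE WHEN gir.[role_id] = 1 THEN 'Process Admin'
       ELSE CAST(gir.[role_id] AS VARCHAR(20)) END AS [role]
FROM [LFForms].[dbo].[cf_business_processes] AS bp
INNER JOIN [LFForms].[dbo].[cf_usergroups_in_role] AS gir ON gir.[bizprocess_applied] = bp.[bp_id]
LEFT JOIN [LFForms].[dbo].[cf_usergroups] AS g ON g.[group_id] = gir.[group_id]
WHERE bp.[is_deleted] = 0
  AND bp.[is_activated] = 1
  AND gir.[role_id] NOT IN (0, 3, 7)
  AND NOT EXISTS (SELECT 1 FROM @allowed AS a
                  WHERE a.principal_type = 'GROUP'
                    AND a.principal_name = g.[full_group_name] COLLATE DATABASE_DEFAULT);
```

Any row returned is a principal outside the allow-list holding elevated rights on a published process, so an empty result is the expected daily outcome.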

Replies

replied on July 18, 2022

It sounds to me like what you really need is a Change Control/Management process because even if you prevent users from updating an existing form, they still have permission to create whatever new processes they want.

What we do is separate our Production and Test/Dev environments and limit the permissions users have in the production environment.

Many users have the Process Creator role in our Test/Dev environments so they can build, modify, etc. in those environments.

However, when it comes time to publish a new process or update an existing process, they have to go through a change management process to have it pushed to production.

In Production we will probably give them the Business Manager role so they can still do most things like monitoring instances, but they can't make changes in production.

3 0
replied on July 18, 2022

This is the practice we use as well.

2 0
replied on July 17, 2022

Thanks Matthew,

I have used your query and added a couple of columns to view the Date_Modified and Unique_ID. 

From that, I can create a form process to monitor that Date_Modified for changes too. 

SELECT
  bp.[name] AS [process_name],
  bp.[date_updated] AS [Last_Updated],
  bp.[unique_id] AS [form_ID],
  u.[username] AS [username],
  u.[displayname],
  CASE
    WHEN uir.[role_id] = 1 THEN 'Process Admin'
    WHEN uir.[role_id] = 3 THEN 'Submitter'
    WHEN uir.[role_id] = 7 THEN 'Business Manager'
    ELSE CAST(uir.[role_id] AS VARCHAR(20))
  END AS [role]
FROM [LFForms].[dbo].[cf_business_processes] AS bp
LEFT JOIN [LFForms].[dbo].[cf_users_in_role] AS uir ON uir.[bizprocess_applied] = bp.[bp_id]
LEFT JOIN [LFForms].[dbo].[cf_users] AS u ON u.[user_id] = uir.[user_id]
WHERE bp.[is_deleted] = 0       --Exclude deleted processes
  AND bp.[is_activated] = 1     --Only review published processes
  AND uir.[role_id] IS NOT NULL --Exclude processes with no user assignments
  AND uir.[role_id] <> 0        --Exclude deleted assignments 
  AND uir.[role_id] <> 3        --Exclude submitters 
  AND uir.[role_id] <> 7        --Exclude business managers 
  AND u.[username] <> 'matthew'   --Exclude username of employee who is allowed to be Process Admin

UNION 

SELECT
  bp.[name] AS [process_name],
  bp.[date_updated] AS [Last_Updated],
  bp.[unique_id] AS [form_ID],
  'GROUP' AS [username],
  g.[full_group_name] AS [displayname],
  CASE
    WHEN gir.[role_id] = 1 THEN 'Process Admin'
    WHEN gir.[role_id] = 3 THEN 'Submitter'
    WHEN gir.[role_id] = 7 THEN 'Business Manager'
    ELSE CAST(gir.[role_id] AS VARCHAR(20))
  END AS [role] 
FROM [LFForms].[dbo].[cf_business_processes] AS bp
LEFT JOIN [LFForms].[dbo].[cf_usergroups_in_role] AS gir ON gir.[bizprocess_applied] = bp.[bp_id]
LEFT JOIN [LFForms].[dbo].[cf_usergroups] AS g ON g.[group_id] = gir.[group_id]
WHERE bp.[is_deleted] = 0       --Exclude deleted processes
  AND bp.[is_activated] = 1     --Only review published processes
  AND gir.[role_id] IS NOT NULL --Exclude processes with no group assignments
  AND gir.[role_id] <> 0        --Exclude deleted assignments 
  AND gir.[role_id] <> 3        --Exclude submitters
  AND gir.[role_id] <> 7        --Exclude business managers
  AND g.[full_group_name] <> 'Forms Administrator'   --Exclude name of group who is allowed to be Process Admin

 

1 0
replied on July 18, 2022

Fantastic!

0 0