Access Control Lists for Workflows
You can define which actions a user can perform in a workflow through criteria-based access control.
Workflow access can be granted to individual users or to groups of users created through filtered lists, which organize users by attributes such as location or business unit within a Team. Access is managed by setting conditions based on basic or extensible flexfield attributes and assigning permissions to specific workflow groups. Also, you can control visibility by choosing to hide or display attribute groups, including extensible attribute groups.
Enable Access Control for Workflows
Enable the profile option named Enable Access Control List for Workflows. By default, the profile option is set to No. After you enable the profile option, workflows continue to honor the existing security settings until you create a permission and permission set.
Note: Once the profile option is enabled and any workflow is secured using teams, all workflows in the application will become private, regardless of their current public or private settings. You must manually assign user permissions to these workflows.
Grant Permission Set for Workflows
As an administrator, you can define specific teams and permission sets, with tailored conditions for workflows. Permissions can be granted for various workflow actions such as create, discover, delete, view, manage, update, and publish.
To grant a permission set for workflows:
- Define workflow access rules using attribute conditions. Set the relevant attribute (Created By, Assigned To, and Requested By) to $User in the workflow conditions.
- Associate these conditions with a permission set and team to grant team members access to all workflows assigned to them.
For example, you can create a permission set for a workflow that lets you:
- Create workflows in the change type Design Change Orders.
- Discover all workflows in the application.
- Delete all Engineering Change Orders.
- View basic attributes, affected items, and relationships on all engineering change orders.
- Manage only Basic Attributes on all Engineering Change Orders.
- Change the status on all problem reports.
- Publish all commercial change orders.
- Change header attributes.
- Customer, source, supplier, and manufacturer attributes.
- Change extensible flexfield attributes - single row.
- Workflow presence indicators, has attachments, has tasks, and has relationships.
- Multiselect extensible attributes and add multiple rows in the condition.
Note: Only the Any operator is supported for conditions on multiselect values: users matching any chosen attribute gain access. The All operator, which requires all selected values, isn’t supported in access control lists for workflows.
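The following added example models the access rules described above: existing security applies until a permission set exists, after which every workflow is private unless a team grant matches, $User resolves to the requesting user, and multiselect values match with Any. It is not the application's own code or API; the attribute keys, user names, and the decide function are hypothetical, and combining several conditions with AND is an assumption.

```python
from dataclasses import dataclass

USER = "$User"  # token from the page; resolved to the requesting user

@dataclass
class Condition:
    attribute: str     # hypothetical attribute key, e.g. "assigned_to"
    values: frozenset  # allowed values; may contain the $User token

    def matches(self, workflow, user):
        allowed = {user if v == USER else v for v in self.values}
        actual = workflow.get(self.attribute)
        if not isinstance(actual, (list, set, tuple)):
            actual = [actual]
        # Any semantics: one overlapping value is enough, also for multiselect.
        return bool(allowed & set(actual))

@dataclass
class Grant:
    team: frozenset     # members of the team
    actions: frozenset  # e.g. {"view", "manage"}
    conditions: tuple   # assumption: every condition must match (AND)

def decide(grants, user, action, workflow, acl_enabled=True):
    """Return 'legacy', 'allow' or 'deny' for one request."""
    if not acl_enabled or not grants:
        return "legacy"  # existing security settings still apply (not modelled)
    for g in grants:
        if (user in g.team and action in g.actions
                and all(c.matches(workflow, user) for c in g.conditions)):
            return "allow"
    return "deny"        # once any grant exists, every workflow is private

# Constructed sample data.
ECO = {"change_type": "Engineering Change Order", "assigned_to": "asmith",
       "regions": ["EMEA", "APAC"]}
PR = {"change_type": "Problem Report", "assigned_to": "bjones", "regions": []}
GRANTS = [Grant(frozenset({"asmith", "bjones"}), frozenset({"view", "manage"}),
                (Condition("assigned_to", frozenset({USER})),
                 Condition("regions", frozenset({"EMEA", "LATAM"}))))]

def demo():
    return [decide([], "cdoe", "view", PR),           # no permission set yet
            decide(GRANTS, "asmith", "manage", ECO),  # $User and Any both match
            decide(GRANTS, "bjones", "view", ECO),    # not assigned to bjones
            decide(GRANTS, "bjones", "view", PR),     # assigned, but no region
            decide(GRANTS, "cdoe", "view", PR)]       # not in any team
```

The last case is the one to check before creating the first permission set: a user who could previously open a workflow under the existing settings is denied until a grant covers them.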
Here are some more details on access control lists for workflows:
- Workflows accessed through REST APIs and SOAP services are also secured when you enable access control.
- To grant the create permission, you must add a change type to the conditions on workflows. Users can then create workflows only on those change types.
- The application validates whether the user has the manage permission to access affected objects when an item is added to the workflow using the following options:
  - Add to Change Order (or Change Request, Problem Report, or Corrective Actions).
  - Save to Workflow.
- Users can add relationships on items and workflows only if they’re assigned the view or manage permission to that object.
- Users can create or edit the relationship rule if they have the manage permission for workflow activity.
Secure Item Attachments for Workflows
You can secure item attachments for workflows using the view and manage permissions. To download attachments, click More Actions > Download Attachments from the global actions on the workflow page; the attachments available to you depend on the security defined on the item.
The following table shows the access provided to users on item attachments from workflows, depending on the download attachment options and permissions.
| Download Attachment Option | Required Permission | Provide Access To | Result |
|---|---|---|---|
| Affected Objects - Redlined | View or Manage | Attachments | User can download and view attachments for the affected objects |
| Affected Objects - All | View or Manage | Structure, Attachments | User can download and view attachments for the parent item and all its structure components |
| Affected Objects - None | NA | NA | No attachments can be downloaded on the affected objects |
| From AML - Redlined | View or Manage | Attachments | User can download and view attachments for the manufacturer part numbers of the parent item |
| From AML - All | View or Manage | Structure, Attachments | User can download and view attachments for the manufacturer part number for the parent item and all its structure components |
| From AML - None | NA | NA | No attachments can be downloaded on the manufacturer part numbers |
Permissions Required to Add Affected Objects
To add affected objects on the workflow, you'll require the Manage permission on Affected Objects.
To create a new change order, you'll require the Create permission.
To assign the item to an existing change, you'll require the Manage permission on the Affected Objects tab for the specific workflow.
Secure Access for Workflows in Clipboard and Recently Viewed
Contents in the clipboard and recently viewed items are secured using workflow access control lists. You can add workflows to the clipboard only if you have the view or manage permission.
To navigate to a specific tab of a workflow, select the desired tab from the drop-down list in the Clipboard panel or the Recently Visited panel. The tabs available in the list depend on the View or Manage permissions assigned to you for that workflow object.