Controlling User Access to Monitor Workflows in SAP Cloud Platform
Monitor Workflow applications are pre-packaged applications in SAP Cloud Platform Workflow service. These applications are meant to be used for administrative activities by the process administrator who is authorised to view and monitor the progress of the workflow instances, view the metadata, context and other details of the workflow instance, view erroneous processes and take actions on the workflow instances and control other work items.
There could be different workflows running across different departments of the company: finance-related workflows, PR/PO approvals, human-resources workflows like employee onboarding or off-boarding, leave approvals, and so on. As these workflows are built and deployed in the same SAP Cloud Platform account, all of them are visible in the Monitor Workflow application. This means that a user holding the workflow administrator (WorkflowAdmin) role is able to see all the data related to all these workflows irrespective of department. This can lead to conflicts, as there may be different administrators for different lines of business and not every administrator is authorised to interact with workflows outside their own department.
In this blog, I will explain how to restrict administrators so that they can monitor only the workflow instances of the workflows they are permitted to see. This customisation of the Monitor Workflow application is achieved with the instance-based authorization feature. Using this capability, each instance of a workflow can be assigned to one or more users or groups, and only those users and groups are then able to view and monitor the respective workflow instances.
Prepare your administrator users
- The user or group should have only the WorkflowParticipant role.
- If any other workflow administration roles are already assigned to the user or group, remove them.
In this example, I am using the IDP to set up the groups and users. Using a group is always recommended because it is easier to maintain, but the same concept applies if you want to work with a list of users instead.
For that, I did the following:
1. Create a set of groups in the IDP. You can create different groups based on the lines of business or departments.
2. Create a set of administrative users in the IDP.
3. Add these users to the respective groups in the IDP.
4. In SAP Cloud Platform,
- create role collections,
- assign the WorkflowParticipant role to them,
- map them to the respective IDP groups.
Prepare your workflow model
5. Add a script task at the start of the workflow.
6. In the script task, assign the group as shown here (the script task runs JavaScript, and `$.roles` holds the instance-based authorizations of the current instance):
$.roles.adminGroups = ['mwa-instancebased-group2'];
You can use the other options defined in the help documentation as well, depending on what kind of access you want to give to the users.
You can also find the different instance-based authorization options in the standard documentation.
7. Build and deploy the workflow.
Note: this access control applies only to workflow instances created after you have deployed this change. In other words, once the change is deployed, all workflow instances started with the new version of the workflow are automatically assigned to the respective users and groups; instances started before the deployment keep their previous authorizations.
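As an added example (not code from the original post), the script task can also derive the admin group from the workflow context instead of hard-coding one group, so that each department's administrators see only their own instances. The department codes, the `department` context field and all group names except `mwa-instancebased-group2` are constructed assumptions; in the workflow runtime `$` is provided by the service, and the stand-in `$` at the bottom only exists so the file runs offline.

```javascript
// Added example: pick the admin group for a workflow instance from its context.
// Department codes and group names (other than 'mwa-instancebased-group2') are
// constructed placeholders; replace them with your IDP groups.
const ADMIN_GROUPS_BY_DEPARTMENT = {
  FIN: ['mwa-instancebased-finance-admins'],
  HR:  ['mwa-instancebased-group2'],
};

// Fallback when the context carries no known department (assumption): a
// restricted default group rather than leaving the instance visible to nobody.
const DEFAULT_ADMIN_GROUPS = ['mwa-instancebased-default-admins'];

// Normalise the department code from the start context and map it to groups.
// Returns a fresh array so the caller cannot mutate the mapping table.
function adminGroupsFor(context) {
  const raw = context && typeof context.department === 'string'
    ? context.department : '';
  const dept = raw.trim().toUpperCase();
  const groups = ADMIN_GROUPS_BY_DEPARTMENT[dept] || DEFAULT_ADMIN_GROUPS;
  return groups.slice();
}

// Body of the script task placed at the start of the workflow. `$` is the
// object the workflow runtime injects; `$.context` is the instance context and
// `$.roles.adminGroups` is the setting used in the post.
function scriptTask($) {
  $.roles.adminGroups = adminGroupsFor($.context);
  return $.roles.adminGroups;
}

// Constructed stand-in for the runtime `$`, for running this file offline.
const sampleRuntime = { context: { department: 'hr' }, roles: {} };
scriptTask(sampleRuntime);
```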
Monitor workflow with controlled access
8. To test this, open the Monitor Workflow app to start the workflow, then open the Instances app to see the list of workflow instances filtered according to the group assignments.
I have logged in as myself (note: I have full admin rights), and you can see that I can monitor all the different kinds of workflow instances:
Now I have logged in as an administrative user with limited access, and you can see that he can only monitor the instances he is authorised to:
We have also published APIs to assign instance-based roles to the workflow instances. This would be helpful if you want to assign user roles to historical instances or if you want to assign these roles from outside the workflow definition.
Note: this is an OAuth 2.0 based API, and you can obtain the needed credentials from the workflow service instance as described in the help documentation.
When you call the API, you get a 204 No Content response if the roles were set successfully.
Note: if you want to verify which roles are actually assigned, you can use the GET API to retrieve all the roles assigned to a workflow instance.
This is the easiest way currently available for controlling user-based access to the Monitor Workflow application. There are plans to introduce simple configuration options in the application itself, but until then you can use this approach to cater to your requirements. If you have any questions or queries, please do write back to me.
very nicely described 🙂
Thanks Archana for the post. I believe this approach is a bit raw and crude given the kind of solution we built for the customer. Shouldn't it be like a soft configuration so that you can change them on the go, something like: for this workflow, this is the admin group, etc.? With the current approach, in case I need to change then I will have to redeploy the application.
I believe a solution with mix of SAP Business rules etc. will make the solution robust and flexible.
Yes, what you suggest is also another solution and that is why I mentioned the APIs in my last section. Of course, combining this with business rules which maintain the user groups and workflow definitions will add more customisation and robustness. So, it depends at what stage of your project development you want to introduce this and how many changes you can make to your existing project. Modifying the workflow definition or using APIs to make the changes in the application in conjunction with business rules are the available options. A few of my customers liked the former way (the script task) as they find it the easiest to do - so again it depends on the permissible change. The idea was to introduce this instance-based authorization to the community with the available options.
Hi Archana Shukla,
Perfect and detailed explanation with steps. This is the exact use case we were looking for and we got clarity.