Controlling User Access to Monitor Workflows in SAP Cloud Platform
Monitor Workflow applications are pre-packaged applications in the SAP Cloud Platform Workflow service. They are meant for administrative activities by process administrators who are authorised to view and monitor the progress of workflow instances, view the metadata, context and other details of an instance, view erroneous instances and take action on them, and control other work items.
Workflows from different departments of a company can be running side by side: finance-related workflows such as PR/PO approvals, human-resources workflows such as employee onboarding or off-boarding, leave approvals, and so on. As these workflows are built and deployed in the same SAP Cloud Platform account, all of them appear in the Monitor Workflow application. This means that a user holding the workflow administrator (WorkflowAdmin) role can see all data for all of these workflows, irrespective of department. That is often not acceptable: there are usually different administrators for different lines of business, and not every administrator is authorised to interact with the workflows of other departments.
In this blog, I explain how to restrict administrators to monitoring the instances of only the workflows they are permitted to see. This customisation of the Monitor Workflow application is achieved with the instance-based authorization feature. With it, each instance of a workflow can be assigned to one or more users or groups, and only those users and groups are then able to view and monitor that instance.
Prepare your administrator users
- The user or group should have only the WorkflowParticipant role.
- If the user or group already has any other workflow administration role (in particular WorkflowAdmin), remove it: an administrator who keeps that role still sees every instance, so the instance-based restriction has no effect for them.
In this example I use the identity provider (IDP) to set up the groups and users. Groups are recommended because they are easier to maintain, but the same concept applies if you prefer to work with a list of users.
For that, I did the following:
1. Create a set of groups in the IDP. You can create different groups per line of business or department.
2. Create a set of administrative users in the IDP.
3. Add these users to the respective groups in the IDP.
4. In SAP Cloud Platform:
- create role collections,
- assign the WorkflowParticipant role to them, and
- map them to the respective IDP groups.
Prepare your workflow model
5. Add a script task at the start of the workflow
6. In the script task, assign the group as shown here:
$.roles.adminGroups = ['mwa-instancebased-group2'];
Depending on what kind of access you want to grant (for example viewer rather than admin access), you can set the other role attributes described in the help documentation. The standard documentation also lists the available instance-based authorization options.
7. Build and deploy the workflow.
Note: this access control applies only to instances created after the change is deployed. Instances started with the new version of the workflow are automatically assigned to the respective users and groups; instances that already existed are not touched (see the API below for those).
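The script task above hard-codes one group. The following is an added example (not code from the original post or from SAP) of a script task body that derives the instance-based roles from the workflow context instead. It uses the engine-provided objects `$.context` and `$.roles.adminGroups` / `$.roles.viewerGroups`; the context field `department`, all group names, and the mock `$` at the end that lets the file run under Node are assumptions for illustration and must be adapted (the mock removed) before deploying. The security point it makes is that the start context is supplied by whoever starts the workflow, so a group or user name from it must never be copied straight into `$.roles`; the context only selects an entry from a fixed table.

```javascript
// Added example, not code from the original post or from SAP: a script task body
// that derives the instance-based roles from the workflow context instead of
// hard-coding one group. Engine-provided objects used: $.context (the instance
// context) and $.roles.adminGroups / $.roles.viewerGroups. ASSUMED for
// illustration: the context field `department`, all group names, and the mock
// `$` at the end that lets the file run under Node (delete it before deploying).
// Written in ES5 style because script tasks run in the engine's JavaScript runtime.

// Fixed allow-list: the start context is supplied by whoever starts the workflow,
// so never copy a group or user name from it straight into $.roles. Mapping a
// short department code through this table keeps control of who becomes admin.
var DEPARTMENT_ROLES = {
  FIN: { adminGroups: ['mwa-instancebased-fin-admins'], viewerGroups: ['mwa-instancebased-fin-viewers'] },
  HR:  { adminGroups: ['mwa-instancebased-hr-admins'],  viewerGroups: ['mwa-instancebased-hr-viewers'] }
};

// Instances with an unknown or missing department go to a central group rather
// than ending up with no administrator at all (only full WorkflowAdmins could
// then act on them).
var FALLBACK_ROLES = { adminGroups: ['mwa-instancebased-central-admins'], viewerGroups: [] };

// Pure function so it can be unit-tested outside the engine.
function resolveInstanceRoles(context) {
  var code = String((context && context.department) || '').trim().toUpperCase();
  // hasOwnProperty guards against prototype keys such as "constructor" matching
  var entry = Object.prototype.hasOwnProperty.call(DEPARTMENT_ROLES, code)
    ? DEPARTMENT_ROLES[code] : FALLBACK_ROLES;
  // copy the arrays so later mutation of $.roles cannot alter the table
  return {
    department: code || null,
    adminGroups: entry.adminGroups.slice(),
    viewerGroups: entry.viewerGroups.slice()
  };
}

// Writes the resolved roles into the engine object; returns them for logging.
function applyInstanceRoles(engine) {
  var roles = resolveInstanceRoles(engine.context);
  engine.roles.adminGroups = roles.adminGroups;
  engine.roles.viewerGroups = roles.viewerGroups;
  return roles;
}

// Mock of the engine's `$` so the file runs under Node; in a real script task `$`
// already exists and this line leaves it untouched. Remove before deploying.
var $ = (typeof $ !== 'undefined') ? $ : { context: { department: 'hr' }, roles: {} };

applyInstanceRoles($);
```

In the script task itself only the table, the two functions and the final `applyInstanceRoles($)` call are needed. If you would rather reject instances with an unknown department than route them to a central group, throw from `resolveInstanceRoles` instead of returning `FALLBACK_ROLES`; just make sure some group other than full WorkflowAdmins can still reach such instances.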
Monitor workflow with controlled access
8. To test this, open the Monitor Workflow app, start the workflow, and then open the Workflow Instances app: the list of instances is filtered according to the group assignments.
Logged in as myself (note: I have full admin rights), I can monitor all the different kinds of workflow instances.
Logged in as an administrative user with limited access, I can see that he can only monitor the instances he is authorised for.
We have also published APIs for assigning instance-based roles to workflow instances. These are useful if you want to assign roles to historical instances, or if you want to assign them from outside the workflow definition.
When you call the API, a 204 No Content response means the roles were set successfully.
Note: if you want to be sure which roles are actually assigned, use the GET API to retrieve all roles assigned to a workflow instance.
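The following is an added example, not code from the original post or from SAP, of a small client that sets instance-based roles through the REST API and then does exactly the check recommended in the note: it reads the roles back and compares them with what was requested, rather than trusting the 204 alone. The endpoint path `/v1/workflow-instances/{id}/roles`, the HTTP methods PATCH (set) and GET (read), the role keys, and the `baseUrl`/`token` placeholders are assumptions; verify them against the Workflow API reference for your landscape. The HTTP call is injected as a function so the logic runs offline against a fake below; with Node 18+ you can pass a thin wrapper around global `fetch`.

```javascript
// Added example (not from the original post or from SAP): assign instance-based
// roles to an existing workflow instance via the Workflow REST API, then read the
// roles back to verify the assignment actually took effect.
// ASSUMPTIONS (check against the SAP Workflow API reference for your landscape):
//   - endpoint `/v1/workflow-instances/{id}/roles` with PATCH (set) and GET (read);
//   - role keys viewerUsers, viewerGroups, adminUsers, adminGroups,
//     contextViewerUsers, contextViewerGroups;
//   - `baseUrl` and `token` (an OAuth bearer token for the API) supplied by the caller.
'use strict';

const ROLE_KEYS = ['viewerUsers', 'viewerGroups', 'adminUsers', 'adminGroups',
                   'contextViewerUsers', 'contextViewerGroups'];

// Keep only known keys, force arrays, drop blanks, de-duplicate. Unknown keys are
// discarded so a caller cannot smuggle in attributes the API was not meant to receive.
function normalizeRoles(roles) {
  const src = roles || {};
  const out = {};
  for (const key of ROLE_KEYS) {
    const values = Array.isArray(src[key]) ? src[key] : [];
    out[key] = Array.from(new Set(values.map(v => String(v).trim()).filter(Boolean)));
  }
  return out;
}

// Returns the role keys whose members differ between two role sets (order-insensitive).
function diffRoles(expected, actual) {
  const e = normalizeRoles(expected), a = normalizeRoles(actual);
  return ROLE_KEYS.filter(key => {
    const es = e[key].slice().sort(), as = a[key].slice().sort();
    return es.length !== as.length || es.some((v, i) => v !== as[i]);
  });
}

// `request(method, url, headers, body)` must resolve to `{ status, json }`.
// Injected so the function can be tested without a live tenant.
async function setInstanceRoles(request, baseUrl, token, instanceId, roles) {
  const url = `${baseUrl}/v1/workflow-instances/${encodeURIComponent(instanceId)}/roles`;
  const auth = { Authorization: `Bearer ${token}` };
  const body = normalizeRoles(roles);

  const res = await request('PATCH', url, { ...auth, 'Content-Type': 'application/json' }, body);
  // The post states a 204 No Content on success; treat anything else as failure.
  if (res.status !== 204) {
    throw new Error(`role assignment failed for ${instanceId}: HTTP ${res.status}`);
  }

  // Do not trust the 204 alone: read the roles back and compare with the request.
  // This also catches a backend that merges instead of replacing the role lists.
  const check = await request('GET', url, auth, null);
  if (check.status !== 200) {
    throw new Error(`could not read back roles for ${instanceId}: HTTP ${check.status}`);
  }
  const mismatched = diffRoles(body, check.json);
  if (mismatched.length > 0) {
    throw new Error(`roles not applied as requested for ${instanceId}: ${mismatched.join(', ')}`);
  }
  return body;
}
```

A wrapper for a real call would look like `async (method, url, headers, body) => { const r = await fetch(url, { method, headers, body: body ? JSON.stringify(body) : undefined }); return { status: r.status, json: r.status === 200 ? await r.json() : null }; }`. When back-filling historical instances, run the function per instance and log the instances for which it throws; a silent 204 with a mismatching read-back is precisely the case you want to surface.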
This is currently the easiest way to control user-based access to the Monitor Workflow application. There are plans to introduce configuration options in the application itself, but until then you can use this approach to cover your requirements. If you have any questions or queries, please do write back to me.