Provide Read access of the Flow Designer to ITIL users

Ankur Swami
Tera Guru

Hi Experts,

There is one requirement that I have.

I have given the itil role to the "Show Flow" UI action, but after clicking on it the flow is not visible, just because of limited access on the Flow Designer.

On which table do I need to create the read ACL so that I can provide read access to the Flow Designer to the ITIL user?

Thanks,

Ankur

1 ACCEPTED SOLUTION

Hi,

Try to add the flow_operator role as a contained role under itil and then check.

I added flow_operator under itil and it showed me the flow context.

Regards
Ankur

✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

12 REPLIES


@Ankur Swami Please take care if you use the method of setting 'itil' role so that it contains the role 'flow_operator'. I too used this solution to allow 'itil' users to view Flow Contexts (to help them understand if things go awry for end users' requests) and realized tonight that this inadvertently lets them create new Flows.

I am currently working on giving read access to 'itil' users without giving them the 'flow_operator' role. I am trying now to modify the ACLs. I have already modified the UI Action 'Flow Context' (this is what ours is called, but we went live back in 2017 and are on Rome now, not sure if it's called 'Show Flow' now or what).

Anyway good luck! Please feel free to mark this helpful if it saved you any troubles. 🙂

@Ankur Swami I'm at a standstill now on this. I cannot find a good solution here. I believe the role flow_operator has too much access to create a new Flow, but I cannot find any ACLs that allow this for the role. I am going to submit a case to HI support on this issue.

Note: I tried giving the itil role access to read the sys_flow_context and sys_hub_flow tables, and it does not work properly; when impersonating an itil role user, I can see Flow Contexts in some cases, but not in all. I am still getting errors using this method. I was getting the error "Security restricted when invoking processor".

I searched that, and found a similar issue here. That led me to the Processor [sys_processor] record called "CatalogFlowContextUIProcessor". I added the 'Roles' column to the form and added the 'itil' role, but that just changed the error from the "Security restricted..." message to this one: "Flow Designer requires special privilege. Please contact system administration for assigning appropriate user roles." So that is a dead end, I am afraid.

That caused me to go back and add 'flow_operator' to the list of roles contained by the 'itil' role, but I have now confirmed that this gives 'itil' role users access to create Flows, not to mention access to the entire Process Automation nav menu and modules.

/sigh

CORRECTION: The flow_operator role does not give create Flow rights.

However, the 'asset' role DOES contain (indirectly) the flow_designer role. So basically I found out through testing and digging through roles that we have 42 users who could create new Flows and they've had this access for WAY TOO LONG.

This is so frustrating.
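Added example, not part of the thread and not ServiceNow's own code: the finding above (a role reaching flow_designer only through indirect containment) can be audited by walking role containment transitively before changing what itil contains. The rows are constructed and shaped like exports of the sys_user_role_contains and sys_user_has_role tables; the field names used and the intermediate role name are assumptions.

```javascript
// Constructed role-containment rows (assumed fields: role = parent, contains = child).
const containsRows = [
  { role: 'itil', contains: 'flow_operator' },              // the change from the accepted solution
  { role: 'asset', contains: 'hypothetical_mid_role' },     // hypothetical intermediate role
  { role: 'hypothetical_mid_role', contains: 'flow_designer' },
];
// Constructed direct role grants (assumed fields: user, role).
const grantRows = [
  { user: 'alice', role: 'itil' },
  { user: 'bob', role: 'asset' },
  { user: 'carol', role: 'flow_designer' },
];

// Every role reachable from `start` through containment; safe on cyclic data.
function expandRole(start, rows) {
  const seen = new Set([start]);
  const stack = [start];
  while (stack.length) {
    const current = stack.pop();
    for (const { role, contains } of rows) {
      if (role === current && !seen.has(contains)) {
        seen.add(contains);
        stack.push(contains);
      }
    }
  }
  return seen;
}

// Containment chain from `start` to `target`, or null when `start` never reaches it.
function pathTo(start, target, rows, seen = new Set()) {
  if (start === target) return [start];
  seen.add(start);
  for (const { role, contains } of rows) {
    if (role !== start || seen.has(contains)) continue;
    const rest = pathTo(contains, target, rows, seen);
    if (rest) return [start, ...rest];
  }
  return null;
}

// Users whose granted role reaches `target`, with the chain that explains why.
function usersWithEffectiveRole(target, grants, rows) {
  return grants
    .map(g => ({ user: g.user, via: pathTo(g.role, target, rows) }))
    .filter(r => r.via !== null);
}

console.log(usersWithEffectiveRole('flow_designer', grantRows, containsRows));
```

With this sample data, bob reaches flow_designer through asset while alice (itil plus flow_operator) does not, which matches the correction in the comment above.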

Hi Ankur,

Your response seemed exactly like what I'm looking for, as I am also trying to allow itil users to view/use the Flow Context related link, but:

* I've added flow_operator role to itil role...

* I've added read ACL access for itil to sys_flow_context, sys_flow_context.*, sys_hub_flow.*, and sys_hub_flow...

* I've added itil to the Requires role section of the Flow Context UI action for the [task] table...

I still can't impersonate an itil user and see the Flow Context option?

Any idea what I might be doing wrong?