Provide Read Only access to Workflow Editor

Matt Cordero1 · ‎07-18-2023

Hello,

I have a request to be able to provide read only access to the Workflow Editor.

I have created a "workflow_viewer" role and added ACLs to the wf_workflow and wf_workflow_activity tables, but the user is not able to get into the Workflow Editor itself. The new role has access to the module, but when going to the Workflow Editor, the user gets this error:

You do not have the appropriate privileges to view the Workflow Editor.

To use the Workflow Editor, please contact your system administrator.

I want the user to be able to visually see Workflows in the Workflow Editor, but not see the "New Workflow" button.

Matt Cordero1 · ‎07-21-2023

Hello all,

So, the solution was to create a "workflow_viewer" role. I have to assign the "workflow_publisher" role ONLY to allow access to the Workflow Editor. A ServiceNow group will be assigned both roles and Users who want View Only access to the Workflow Editor will be added to the group.

I have also added an ACL to the wf_workflow_activity table. This allows users to see the Workflow Activity, explore nodes along the workflow and see any code/logic inside.

On the "workflow_editor_welcome" UI page, the "New Workflow" button is hidden when the user has both "workflow_publisher" AND "workflow_viewer" roles.
Otherwise, the "New Workflow" button is shown, as intended.

JELLY CODE:

<g:evaluate var="jvar_value" jelly="true">
var show = 'false';
if(gs.hasRole('workflow_publisher')) {
if(gs.hasRole('workflow_viewer')) {
show = 'false';
} else {
show = 'true';
}
}

if(gs.hasRole('admin')) {
show = 'true';
}

if(gs.hasRole('workflow_admin')) {
show = 'true';
}

if(gs.hasRole('workflow_creator')) {
show = 'true';
}

if(gs.hasRole('activity_creator')) {
show = 'true';
}

show;
</g:evaluate>
<j:if test="${jvar_value == 'true'}">
<a id="new-workflow-btn" role="button" class="btn btn-primary new-btn" onClick="top.workflowIDE.newWorkflow()" tabindex="0">${gs.getMessage("New Workflow")}</a>
</j:if>

Users with BOTH roles are thus able to navigate to the Workflow Editor and browse workflows, but unable to checkout/edit AND create new workflows.

Thus, read-only access to the Workflow Editor done!

View solution in original post

Ankur Bawiskar · ‎07-18-2023

@Matt Cordero1

what's the purpose just to view?

What's the business requirement?

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Matt Cordero1 · ‎07-18-2023

@Ankur Bawiskar They want to be able to graphically view Workflows, but I want to restrict that access to a read only capacity and not give them workflow_admin or similar OOB roles. I also don't want them to be able to click "New Workflow" to create a workflow.

Ankur Bawiskar · ‎07-18-2023

@Matt Cordero1

read only access to workflow editor doesn't make any sense. what is the business use-case to allow them to see but not edit?

the page which opens up is workflow_ide.do which is an UI page which comes from platform level. we don't have access to it.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

sushantmalsure · ‎07-18-2023

@Matt Cordero1 As ankur said we do not have visibility to control he behaviour. But isnt it sufficient for users to look workflow from record using 'show workflow' related link? or they want to get more details from activities ?

If my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.
Regards,Sushant Malsure