Provide Read Only access to Workflow Editor

Matt Cordero1 · ‎07-18-2023

Hello,

I have a request to be able to provide read only access to the Workflow Editor.

I have created a "workflow_viewer" role and added ACLs to the wf_workflow and wf_workflow_activity tables, but the user is not able to get into the Workflow Editor itself. The new role has access to the module, but when going to the Workflow Editor, the user gets this error:

You do not have the appropriate privileges to view the Workflow Editor.

To use the Workflow Editor, please contact your system administrator.

I want the user to be able to visually see Workflows in the Workflow Editor, but not see the "New Workflow" button.

Matt Cordero1 · ‎07-21-2023

Hello all,

So, the solution was to create a "workflow_viewer" role. I have to assign the "workflow_publisher" role ONLY to allow access to the Workflow Editor. A ServiceNow group will be assigned both roles and Users who want View Only access to the Workflow Editor will be added to the group.

I have also added an ACL to the wf_workflow_activity table. This allows users to see the Workflow Activity, explore nodes along the workflow and see any code/logic inside.

On the "workflow_editor_welcome" UI page, the "New Workflow" button is hidden when the user has both "workflow_publisher" AND "workflow_viewer" roles.
Otherwise, the "New Workflow" button is shown, as intended.

JELLY CODE:

<g:evaluate var="jvar_value" jelly="true">
var show = 'false';
if(gs.hasRole('workflow_publisher')) {
if(gs.hasRole('workflow_viewer')) {
show = 'false';
} else {
show = 'true';
}
}

if(gs.hasRole('admin')) {
show = 'true';
}

if(gs.hasRole('workflow_admin')) {
show = 'true';
}

if(gs.hasRole('workflow_creator')) {
show = 'true';
}

if(gs.hasRole('activity_creator')) {
show = 'true';
}

show;
</g:evaluate>
<j:if test="${jvar_value == 'true'}">
<a id="new-workflow-btn" role="button" class="btn btn-primary new-btn" onClick="top.workflowIDE.newWorkflow()" tabindex="0">${gs.getMessage("New Workflow")}</a>
</j:if>

Users with BOTH roles are thus able to navigate to the Workflow Editor and browse workflows, but unable to checkout/edit AND create new workflows.

Thus, read-only access to the Workflow Editor done!

View solution in original post

valalves · ‎10-02-2024

tried this but when the read-only user gets the error below when double-clicking any step in the workflow. does this work for you? perhaps I'm doing something wrong

Matt Cordero1 · ‎10-02-2024

@valalves

Ensure that you have added a "read" ACL on the "wf_activity" table.

Within that ACL, specify the new "workflow_viewer" role has read access. 😃

That should allow your User (with the roles) read only access to view logic/code within the Workflow's Activity.

valalves · ‎10-08-2024

Thank you @Matt Cordero1 ! I went back to my PDI to verify what I had done. Here are some screenshots:

The user:

when impersonating this workflow.user, I get that same error when double-clicking a step in a workflow to view its settings. I'm sure I'm missing something, and am grateful for any guidance.

Matt Cordero1 · ‎10-08-2024

@valalves

Make this change to the "read" ACL:

Respond back and let us know if that fixes it! 😎