Using Instance-specific roles in SAP Cloud workflow

thejk
Explorer

Hi,

I have a User Task UI developed for my SAP Cloud Workflow. In this UI, I want to give the users the possibility to delegate a task to somebody else.

For this I am trying to change the "recipientUsers" of the task like this:

	$.ajax({
		url: "/bpmworkflowruntime/rest/v1/task-instances/"
			+ oWorkflowData.taskData.InstanceID,
		method: "PATCH",
		contentType: "application/json",
		async: false,
		// JSON.stringify escapes the user ID, so it cannot break out of the JSON string
		data: JSON.stringify({ recipientUsers: oProcessor.ID }),
....

This works perfectly as long as the acting user has the global role "WorkflowAdmin". Of course, this role is not given to a "normal" user.

So I came up with the idea to assign "instance-specific" roles to every workflow instance right after it has been created. For this I am using this:

$.ajax({
	url: "/bpmworkflowruntime/rest/v1/workflow-instances/"
		+ workflowInstanceId + "/roles",
	method: "PATCH",
	contentType: "application/json",
	async: false,
	// Build the body with JSON.stringify so it is one valid JSON string
	data: JSON.stringify({
		adminGroups: "MyWFAdminGroup",
		contextAdminGroups: "MyWFContextAdminGroup"
	}),
...

This also works perfectly if the acting user is "WorkflowAdmin". A task modified like this can be delegated by every "WorkflowParticipant" without Admin privileges.

But this makes no sense because the Tasks are not created by an Admin...

With this approach, it is not possible for a normal WF User to create a Task that can be delegated to somebody else. But this is what you would expect to do with a Task assigned to you...

So how to solve this? Being able to delegate a task is crucial for our process.

Regards,

Jürgen

Accepted Solutions (0)

Answers (4)

Astrid
Advisor

Hi Jürgen,

We will shortly publish an updated version of the REST API documentation for the workflow service, stating that for instance-specific and task-specific roles users need to have the WorkflowParticipant global role assigned.

Best regards,
Astrid

thejk
Explorer
0 Kudos

Hello Astrid,

do you have further information for me? As you can see from my answers, it seems to be a problem with authorizations. Having the role "WorkflowParticipant" is not sufficient. Everything works perfectly if the users have the role "WorkflowAdmin".

Regards

Jürgen

thejk
Explorer
0 Kudos

Hi,

thanks Sesh for your hint. I will try it. But if I got the first answer from Astrid right, it should work with the API.

Now we assigned all user groups the role "WorkflowAdmin" and it works perfectly with the API. So it is definitely a problem with authorizations.

Regards,

Jürgen

Sesh_Sreenivas
Product and Topic Expert
0 Kudos

Hi

How about using the new feature to set instance-specific roles from a script task?

https://help.sap.com/viewer/f85276c5069a429fa37d1cd352785c25/Cloud/en-US/40044265e1754c50b9f0be890e3...

var admins = $.roles.adminUsers;
admins.push('Julie');

This way you can avoid the API calls to set the roles in the UI.

Regards,

Sesh

thejk
Explorer
0 Kudos

Hello Astrid,

If I understand you right, it should work if the users have the "WorkflowParticipant" role.

My users have these roles: "WorkflowContextAdmin", "WorkflowInitiator", "WorkflowParticipant"...

When I call the role API with one of those users, I always get a response code 403.

Best Regards

Jürgen

tobias_breyer
Employee
0 Kudos

Hello Jürgen,

403 is a code coming for invalid or missing CSRF-tokens.

From your code snippets, it is not clear whether you send a CSRF-token. PATCH APIs are modifying, so they need CSRF-tokens.

Best regards,

Tobias

thejk
Explorer
0 Kudos

Hello Tobias,

yes, I am sending a CSRF-token. My code works perfectly if the acting user has the role "WorkflowAdmin". So I suppose my code is basically correct.

Best Regards

Jürgen
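
Whether a 403 on the roles PATCH comes from CSRF handling or from missing authorization, the two explanations discussed in this thread, can be told apart on the client. The following is an added example, not code from any of the posters or from SAP; the helper names are hypothetical, the sample responses are constructed, and it assumes the service marks a token rejection with an `X-CSRF-Token: Required` response header.

```javascript
// Added example. buildRolesPatch, header and classify403 are hypothetical helpers.
const BASE = "/bpmworkflowruntime/rest/v1";

// Build the PATCH request for instance-specific roles. JSON.stringify escapes
// the values, so a group name containing quotes cannot corrupt the body.
function buildRolesPatch(workflowInstanceId, roles, csrfToken) {
  if (!csrfToken) throw new Error("fetch a CSRF token before a modifying call");
  return {
    url: BASE + "/workflow-instances/" + encodeURIComponent(workflowInstanceId) + "/roles",
    method: "PATCH",
    headers: { "Content-Type": "application/json", "X-CSRF-Token": csrfToken },
    body: JSON.stringify(roles),
  };
}

// Header lookup that ignores case, since HTTP header names are case-insensitive.
function header(headers, name) {
  const key = Object.keys(headers || {}).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key ? String(headers[key]) : "";
}

// Triage a response to the PATCH call.
// Assumption: a rejected token is flagged with "X-CSRF-Token: Required".
function classify403(status, headers, sentToken) {
  if (status !== 403) return "not-403";
  if (!sentToken) return "csrf-token-missing";
  if (header(headers, "X-CSRF-Token").toLowerCase() === "required") {
    return "csrf-token-rejected";
  }
  // Token was sent and not rejected: the caller lacks the required role.
  return "authorization";
}

// Constructed sample responses (not captured from a real tenant).
const samples = [
  { status: 403, headers: { "x-csrf-token": "Required" }, sentToken: true },
  { status: 403, headers: { "content-type": "application/json" }, sentToken: true },
  { status: 403, headers: {}, sentToken: false },
];
for (const s of samples) {
  console.log(classify403(s.status, s.headers, s.sentToken));
}
```

Logging the classification next to the acting user's roles shows which 403s go away with a fresh token and which only go away when a role is added.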