There are concerns that I have that anyone that has access to the Change record can approve a Workflow Task. Although there are logs to show if this happens, there are far too many Change Records to track to that level of detail. What can I do to ensure that only the ones in the Group (or specific member if assigned to them) can approve a particular task? I thought of doing a data partition but am not certain how I would restrict that, since all users need to at least be able to approve their first Workflow task to start the workflow. Any ideas would be appreciated.
We've accomplished this requirement using a pre-update data partition on the Workflow_Task object.
This constraint restricts users from approving workflow not assigned to them, unless the assignee is null OR they are part of the group assigned to the task.
Here's a constraint that should work for your requirement.
assignee = @root.id OR assignee IS NULL OR (group.[group]group_list.member IN @root.id)
With this in place, I am seeing that users cannot add and/or edit new tasks which we have to allow them to create in the workflow. Can we do anything that will not prevent them from accomplishing this?
I got it, the NULL value was off for one of the parameters. Thanks again.
Thank you very much! I have this in Test now and it is working.
Just a side question... Do you have something in place that restricts them from changing the group to their own group, assigning it to themselves and then approving it? If not, they would still be able to approve the task.
This restriction won't allow users to edit workflow if assignee is filled (unless they are in the same group as the assignee). If assignee is null and group is filled, it can be transferred to another group.