Article last updated on the 6th of July, 2023.
1. Introduction
Sometimes it is important to control users' ability to run processes in WorkPoint.
For example, the ability to run a process that creates new projects or cases in a WorkPoint solution might only be meant for project or case managers.
In this article we will discuss permission setups for processes.
2. Requirements
There are no requirements associated with the use of process permissions.
3. Configuration
3.1. Permissions based on Azure Active Directory group
In this configuration example, we will set up a permission rule on a process, such that only users who are members of an Azure Active Directory group called "Managers" can run it.
To control who can run a process, we can set up permission rules in the settings of a process:

- To set up permission rules for a process, click the "Settings" button in the open process.
- In the "Settings" panel, open the "Permissions" tab.
We can now create a basic permission rule to check if the current user who is trying to run the process is a member of the "Managers" Azure Active Directory group:

- In the "Type" field, we select "User or Group".
- Next, we click the "Value" field and in the browser pop-up, we search for the "managers" group.
- To select the "Managers" group, we click the search result.

- In the "Operator" field, we select "Contains", because we want to check if the "Managers" group contains the user we are about to define.
- In the "Target Type", we select "Context".
- In the "Target Value" field, we select the current user from the context, using the CurrentUser.UserPrincipalName variable.
Using this setup, the system will check if the user trying to run the process is a member of the "Managers" Azure Active Directory group.
If they are, they will be allowed to run the process. If they are not, a message telling them that they lack the necessary permissions to run the process will be displayed.
It is possible to add multiple permission rules:

- To add additional permission rules, click the "Add More" button.

- Use the "And" or "Or" operator to join the permission rules. "And" will require both rules to be true to allow running the process, while "Or" requires just one of the rules to be true to allow the process to be run.
It is also possible to reference an Active Directory group using adaptive expressions. This can be done using the "ContainsUser" function.
This function takes two arguments: the object ID of the group of which you want to check membership, and a user object, such as CurrentUser:
ContainsUser("Group object ID", User Object)
Example:
ContainsUser("5cb8e4ed-6113-450f-bff3-bbe0e92f6bb2", CurrentUser)
3.2. Permissions based on entity field
In this configuration example, we will set up permissions so that only users assigned to a field on an entity will be able to run a given process.
For this purpose, we are using a process which edits the metadata of a company, and the field we want to check has the internal field name "wpResponsible".
Additionally, we will make use of adaptive expressions to accomplish this task.
We begin by opening the process settings:

- With the process open, click the "Settings" button.

- In the process settings window, open the "Permissions" tab and click "Advanced".
Now, we can type in an adaptive expression to check if the current user trying to run the process is assigned in the wpResponsible field.
First, we need to know whether the field we are checking, the wpResponsible field, allows multiple users to be assigned.
If the wpResponsible field allows multiple users to be assigned, we use the following expression to check if the current user is one of the assigned users in the field:
contains(string(Entity.wpResponsible),CurrentUser.Email)
If instead the wpResponsible field only allows single users, we use the following expression:
Entity.wpResponsible[0].email == CurrentUser.Email
These expressions check if the current user trying to run the process is assigned in the wpResponsible field. If they are, they will be allowed to run the process.
If they are not, they will instead receive the following message in the process window:

In this instance, the wpResponsible field allows multiple users to be assigned, so we use the first expression:
We can now save and publish the process.
Let's take a look at one of our registered companies:

This company has a single user assigned, Chris Butler.
If we log in as Chris Butler, we can run the process as normal:
- Note that we are logged in as Chris Butler, and that we are allowed to run the process.
If we instead log in as e.g. Edward Dean, we are not allowed to run the process:
- Note that we are logged in as Edward Dean, who is not assigned in the wpResponsible field, and therefore not allowed to run the process.
For demonstration purposes, let's assign Edward Dean to the wpResponsible field:

Since Edward Dean is now assigned in the wpResponsible field, they are allowed to run the process:
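The following is an added example, not WorkPoint's own code: it models the two wpResponsible expressions from section 3.2 in plain Python and replays the Chris Butler / Edward Dean walkthrough, so the difference between the multi-user contains() form and the single-user equality form can be checked offline. The field shape (a list of user records with an "email" key), the sample company and the user addresses are constructed assumptions about how WorkPoint exposes the entity. It also shows one caveat of the contains() form: because the whole field is stringified and searched as a substring, an address that happens to be a suffix of an assigned address would pass, which an exact comparison avoids.

```python
# Added example, not WorkPoint's own code: models the two wpResponsible permission
# checks from this article in plain Python so their behaviour can be seen offline.
# The entity shape (a list of user dicts with an "email" key) and the user
# records below are constructed assumptions about how WorkPoint exposes the field.

def multi_user_check(entity: dict, current_user: dict) -> bool:
    """Mirrors contains(string(Entity.wpResponsible), CurrentUser.Email):
    the field is stringified and the email is searched for as a substring."""
    field_text = str(entity.get("wpResponsible") or [])
    return current_user["Email"] in field_text


def single_user_check(entity: dict, current_user: dict) -> bool:
    """Mirrors Entity.wpResponsible[0].email == CurrentUser.Email.
    An empty field denies access instead of failing on the [0] lookup."""
    assigned = entity.get("wpResponsible") or []
    return bool(assigned) and assigned[0]["email"] == current_user["Email"]


def exact_multi_user_check(entity: dict, current_user: dict) -> bool:
    """Stricter multi-user variant: compare each assigned email for equality
    (case-insensitively) rather than as a substring of the whole field."""
    wanted = current_user["Email"].casefold()
    return any(u["email"].casefold() == wanted
               for u in entity.get("wpResponsible") or [])


# Constructed sample data mirroring the article's walkthrough.
CHRIS = {"Email": "chris.butler@constructed.example"}
EDWARD = {"Email": "e.dean@constructed.example"}
DEAN = {"Email": "dean@constructed.example"}  # a different, unrelated user
COMPANY = {"Title": "Sample Company", "wpResponsible": [{"email": CHRIS["Email"]}]}


def assign(entity: dict, user: dict) -> dict:
    """Return a copy of the entity with the user added to wpResponsible."""
    current = entity.get("wpResponsible") or []
    return {**entity, "wpResponsible": current + [{"email": user["Email"]}]}


def run_walkthrough() -> dict:
    """Replays the article: Chris may run the process, Edward may not until
    assigned. Also shows the substring pitfall of the contains() form."""
    updated = assign(COMPANY, EDWARD)
    return {
        "chris_before": multi_user_check(COMPANY, CHRIS),
        "edward_before": multi_user_check(COMPANY, EDWARD),
        "edward_after": multi_user_check(updated, EDWARD),
        # "dean@..." is a substring of "e.dean@...", so contains() passes for Dean.
        "dean_substring": multi_user_check(updated, DEAN),
        "dean_exact": exact_multi_user_check(updated, DEAN),
        "single_field": single_user_check(COMPANY, CHRIS),
    }
```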