Using Roles and Authorization in the Workflow Builder
Creating Workflows with Proper Access Controls
When you build a workflow, you'll need to make two important decisions about access control:
1. Who can access this workflow?
You'll select which roles can see and start the workflow. For example, if you select "Employee" and "Manager," both employees and managers will see this workflow in their available workflows list.
2. Which departments or groups should this workflow be restricted to?
You'll select authorization channels to control which specific departments or groups can access the workflow. For example, if you select "HR," only users with HR authorization will see this workflow, even if they have the correct role.
Step-by-Step: Creating a Workflow with Access Controls in OSPROV
Step 1: Basic Workflow Settings
- Navigate to the OSPROV Workflow Builder section
- Click "Create New Workflow"
- Enter the workflow name and basic details
Step 2: Configure Access Controls
In the OSPROV workflow settings panel, you'll find these important options:
-
Roles: Select which roles can access this workflow
- Check all roles that should be able to see and start this workflow
- Users must have at least one of these roles to see the workflow in OSPROV
-
Authorization Channel: Define which departments or groups can access this workflow
- Enter the authorization channels that should have access
- Users must have at least one matching authorization channel to see the workflow
-
Ignore Authorization Channel: Special option for workflows that need broader access
- When checked, the workflow will be visible to all users with the selected roles in OSPROV, regardless of their authorization channels
- Use this option carefully for workflows that need to be available across all departments
Step 3: Configure Individual Tasks
For each task in your workflow, you can set specific role assignments:
- Form Tasks: Select which roles can fill out forms
- Approval Tasks: Select which roles can approve requests
- Review Tasks: Select which roles can review items
- Process Tasks: Select which roles can process items
Each task also has special authorization options:
-
Allow Initiator to Choose: Lets the person who starts the workflow select who should handle this task
- Useful when the workflow starter knows best who should handle a specific task
- The initiator will see a dropdown of eligible users when starting the workflow
-
Allow Previous Task Handler to Choose: Lets the person who completed the previous task select who handles this task
- Useful when the previous task handler has the context to decide who should handle the next step
- The previous task handler will see a dropdown of eligible users when completing their task
Workflow Examples in Practice
From simple to complex, here are examples of how roles and authorization channels work in different workflow scenarios:
Example 1: Basic Time-Off Request (Simple)
OSPROV Workflow Configuration:
- Roles: Employee, Manager
- Authorization Channels: HR, IT, Finance, Marketing, Sales
- Tasks:
- Time-Off Request Form (Employee role)
- Manager Approval (Manager role)
How It Works in OSPROV:
-
For Emma (Marketing Employee with Marketing authorization channel):
- Emma logs into OSPROV and fills out the Time-Off Request form
- OSPROV automatically routes her request to her department's manager (Marketing Manager)
- Emma can only see her own time-off requests in her OSPROV dashboard
-
For Robert (Marketing Manager with Marketing authorization channel):
- Robert sees time-off requests only from Marketing employees in his OSPROV task list
- He cannot see or approve time-off requests from other departments
- After approval, the OSPROV workflow completes and notifies Emma
This is the simplest workflow pattern in OSPROV, where both roles and authorization channels work together to ensure that requests stay within their respective departments. Each department manager only sees requests from their own team members.
Example 2: Equipment Purchase Request (Moderate)
Workflow Configuration:
- Roles: Employee, Manager, Finance
- Authorization Channels: HR, IT, Finance, Operations
- Tasks:
- Request Form (Employee role)
- Manager Approval (Manager role)
- Finance Processing (Finance role, with "Ignore Authorization Channel" checked)
How It Works:
-
For Sarah (HR Employee with HR authorization channel):
- Sarah sees the Purchase Request workflow because she has the Employee role and HR authorization
- When she submits a request, it goes to HR Managers only
- She cannot see purchase requests from other departments
-
For Mike (IT Manager with IT authorization channel):
- Mike sees purchase requests only from IT employees
- He cannot see or approve HR purchase requests
- When he approves a request, it goes to Finance for processing
-
For Lisa (Finance with Finance authorization channel):
- Lisa sees all approved purchase requests from all departments
- This is because the Finance Processing task has "Ignore Authorization Channel" checked
- She can process payments regardless of which department submitted the request
This workflow demonstrates how the "Ignore Authorization Channel" option allows certain roles (like Finance) to process requests from all departments while still maintaining departmental boundaries during the initial submission and approval stages.
Example 3: Project Approval with Custom Routing (Moderate)
Workflow Configuration:
- Roles: Project Manager, Department Head, Executive
- Authorization Channels: Marketing, Sales, Operations
- Tasks:
- Project Proposal (Project Manager role)
- Department Review (Department Head role, with "Allow Initiator to Choose" checked)
- Executive Approval (Executive role)
How It Works:
-
For Alex (Project Manager with Marketing authorization channel):
- Alex fills out the Project Proposal form
- At submission, Alex is asked to select which Department Head should review the proposal
- Alex can choose any Department Head, even from other departments
- The selected Department Head receives the task, regardless of their authorization channel
- Alex only needs at least one matching authorization channel (in this case, Marketing) to see and initiate this workflow
-
For David (Department Head with Sales authorization):
- If selected by Alex, David receives the review task
- After reviewing, the workflow automatically routes to an Executive
- David doesn't need to have the same authorization channel as Alex
This workflow shows how "Allow Initiator to Choose" enables flexible routing across departments when needed, while still maintaining role-based restrictions (only Department Heads can be selected).
Example 4: IT Service Request (Moderate)
Workflow Configuration:
- Roles: Employee, IT Support, IT Manager
- Authorization Channels: HR, IT, Finance, Marketing, Sales, Operations
- Tasks:
- Service Request Form (Employee role)
- Initial Assessment (IT Support role, with "Ignore Authorization Channel" checked)
- Complex Issue Approval (IT Manager role, with "Ignore Authorization Channel" checked)
How It Works:
-
For James (Sales Employee with Sales authorization channel):
- James submits an IT service request for a software issue
- The request is automatically visible to all IT Support staff, regardless of their authorization channel
- James can only see his own IT requests
- Note: This workflow has "Ignore Authorization Channel" checked at the workflow level, so James only needs his Sales authorization channel to see and use it
-
For Tina (IT Support with IT authorization channel):
- Tina sees all IT service requests from all departments
- She can handle simple requests directly
- For complex issues requiring budget approval, she escalates to the IT Manager
-
For Greg (IT Manager with IT authorization channel):
- Greg sees all escalated IT service requests from all departments
- He can approve complex requests that require additional resources
This workflow demonstrates how IT support functions typically need to operate across authorization channels, as they provide services to the entire organization.