<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: process definition security in Alfresco Archive</title>
    <link>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46150#M25844</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;In Activiti, there is no way of 'limiting' the processes that can be started by a specific user, based on roles/groups. The way the Alfresco integration fixes this (for multi-tenant setups) is to prefix the workflow definitions with the tenant domain. The layer on top of Activiti (which Alfresco actually uses and exposes) filters out the ones which are in another domain (based on their name).&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 29 Apr 2011 09:41:10 GMT</pubDate>
    <dc:creator>frederikherema1</dc:creator>
    <dc:date>2011-04-29T09:41:10Z</dc:date>
    <item>
      <title>process definition security</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46149#M25843</link>
      <description>Hi, Does BPMN2 foresee a way to secure the start event in a process? Like you have assignment groups for a task, is there something similar for the start event? In our case not every user is allowed to start (or even see) all available workflows, they are divided by business department with each th</description>
      <pubDate>Fri, 29 Apr 2011 09:37:00 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46149#M25843</guid>
      <dc:creator>heymjo</dc:creator>
      <dc:date>2011-04-29T09:37:00Z</dc:date>
    </item>
    <item>
      <title>Re: process definition security</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46150#M25844</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;In Activiti, there is no way of 'limiting' the processes that can be started by a specific user, based on roles/groups. The way the Alfresco integration fixes this (for multi-tenant setups) is to prefix the workflow definitions with the tenant domain. The layer on top of Activiti (which Alfresco actually uses and exposes) filters out the ones which are in another domain (based on their name).&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Apr 2011 09:41:10 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46150#M25844</guid>
      <dc:creator>frederikherema1</dc:creator>
      <dc:date>2011-04-29T09:41:10Z</dc:date>
    </item>
    <item>
      <title>Re: process definition security</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46151#M25845</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Yes, I had thought about something like that as well, maybe even using the category attribute of a process definition instead of prefixing it.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;The issue essentially is that you need to give your users (=applications) a database connection to the schema, so even using a filtering layer and telling them to use only that layer for obtaining process definitions / instances only partially covers the security issues (they can always bypass the filtering layer and use the Activiti engine directly). Since we have Oracle we can use virtual private databases (VPD), but I did not find a good column in the Activiti tables to apply the policy to. For our in-house products that need to be 'multi-tenant' we always foresee an 'application' column in all tables, so when the user logs on to an application the VPD strips out all data not linked to the current app for all tables - this cannot be circumvented by the schema user.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Maybe the best option is to have an Activiti database per application; this makes it easier to evolve versions as well but has the management overhead of course. A tradeoff as always …&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 29 Apr 2011 10:17:09 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/process-definition-security/m-p/46151#M25845</guid>
      <dc:creator>heymjo</dc:creator>
      <dc:date>2011-04-29T10:17:09Z</dc:date>
    </item>
  </channel>
</rss>

