Issue -Approver not associated with workflow allowed

jackiew
Champ in-the-making
I'm experimenting with the enterprise version of Alfresco as part of a proof of concept and I was quite surprised to find that users who have no relationship with a workflow are able to perform actions on that workflow with no immediately visible evidence of their actions.

Rather than raise this as an issue immediately, I would be interested to learn if this is intentional behaviour and, if so, why.

My scenario is this: I create a workflow (I've tried both simple and advanced). For the advanced one I assigned the review to a number of users who are all in the same group and able to view the document in question.

I then logged in as another user who is unable to view the document but who is able, via the active workflows dashlet, to view the existence of the workflow. That user can then, if they wish, approve or reject the workflow.

In the workflow history information it is assumed that the user who was meant to perform the review did the approval/rejection. I was also able, as this same user with no permissions on the document, to mark the task as done, again with no evidence of the perpetrator of the deed. I find this a little worrying (and it may be enough to tip the balance against using Alfresco). My next step will be to check the audit logs to see if there is evidence of the activity there.

In the meantime, has anyone else:
a) observed this behaviour
b) got suggestions on how I might easily disable it
c) got explanations as to why this behaviour might be acceptable

thanks, Jackie
3 REPLIES

jackiew
Champ in-the-making
Using the standard audit template, there is no evidence that anyone other than the expected reviewer and the task initiator have had anything to do with the document.

I.e. there is no trace of the fact that the active task was approved and closed by another user entirely.
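The two posts above describe a task-completion path with no assignee check and an audit row that names the assignee rather than the caller. The toy model below is an added example, not Alfresco or jBPM code, and assumes a hypothetical in-memory task store with users "alice" (initiator), "boss" (assignee) and "jim" (unrelated). It puts the observed behaviour (`complete_task_vulnerable`) beside a checked version that refuses non-assignees and records the real caller in the audit, so the audit trail shows who actually acted.

```python
"""Added example: task hijack as seen in the thread, beside a checked version.

Not Alfresco/jBPM code. The store, user names and audit layout are
assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class WorkflowError(Exception):
    """Raised when a task action is refused."""


@dataclass
class Task:
    task_id: str
    initiator: str
    assignee: str
    status: str = "in-progress"
    outcome: Optional[str] = None


@dataclass
class Store:
    tasks: Dict[str, Task] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)


def complete_task_vulnerable(store: Store, task_id: str, current_user: str, outcome: str) -> Task:
    """Observed behaviour: no check that current_user is the assignee, and the
    audit row is written with the assignee's name, so the caller leaves no trace."""
    task = store.tasks[task_id]
    task.status = "completed"
    task.outcome = outcome
    store.audit.append({"task": task_id, "actor": task.assignee, "outcome": outcome})
    return task


def complete_task_checked(store: Store, task_id: str, current_user: str, outcome: str) -> Task:
    """Checked version: only the assignee may complete an in-progress task, a
    refused attempt is audited under the caller's own name, and a successful
    completion records the caller, not the assignee."""
    task = store.tasks[task_id]
    if task.status != "in-progress":
        raise WorkflowError(f"task {task_id} is already {task.status}")
    if current_user != task.assignee:
        store.audit.append({"task": task_id, "actor": current_user, "outcome": "denied"})
        raise WorkflowError(f"{current_user} is not the assignee of {task_id}")
    task.status = "completed"
    task.outcome = outcome
    store.audit.append({"task": task_id, "actor": current_user, "outcome": outcome})
    return task


def run_scenario(complete) -> Store:
    """Constructed scenario: 'jim', who is neither initiator nor assignee,
    tries to approve the boss's review task. Returns the store for inspection."""
    store = Store()
    store.tasks["review-1"] = Task("review-1", initiator="alice", assignee="boss")
    try:
        complete(store, "review-1", current_user="jim", outcome="approve")
    except WorkflowError:
        pass
    return store


def recorded_actors(store: Store) -> set:
    """Names that appear as actors in the audit log; with the vulnerable path
    this never contains the hijacker."""
    return {row["actor"] for row in store.audit}


if __name__ == "__main__":
    for label, fn in (("vulnerable", complete_task_vulnerable), ("checked", complete_task_checked)):
        s = run_scenario(fn)
        t = s.tasks["review-1"]
        print(f"{label}: status={t.status} outcome={t.outcome} audit actors={recorded_actors(s)}")
```

In the vulnerable run the task ends up completed and the only actor in the audit is "boss", which is exactly the trace-free hijack the posts describe; in the checked run the task stays in progress and the audit names "jim" with a denied outcome.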

mabayona
Champ on-the-rise
Maybe it has to do with this jBPM bug:

http://jira.jboss.com/jira/browse/JBPM-1022

Any comment?

jackiew
Champ in-the-making
Thanks for that - it explains the behaviour.

I suspect that many Alfresco users won't even notice the behaviour: they would assume that they couldn't hijack a workflow, so wouldn't even try.

Because I'm evaluating the product, my role is to see what users can do that we would rather they didn't. Because the hijacking isn't registered in the audit, it does rather make the product vulnerable to the malicious or mischievous individual within a company.

Scenario: Jim has had a row with his boss and looks for a new job. Just before Jim goes, he looks at his boss's active task list and "tidies up" her task list as a parting present. The audit trail looks as if the boss herself has performed all the actions. Jim denies all knowledge of his actions, and in fact may be long gone before his boss realises that something is wrong.

Such behaviour need not be just that of disgruntled underlings: inter-departmental rivalries, managers competing for promotion, etc.

I haven't yet checked to see if a guest user can hijack the process (one seriously hopes not).