Dispatcher creates PDF’s owned by dba’s which is great because non-dba users have no write permissions to those datasets. I need a way to restrict write access to these dba owned datasets. These datasets become targets of a workflow which allows via an ACL permission to the approver write permissions. They then open the pdf and modify it causing issues.
I need the system generated pdf’s as targets of the workflow. The approval group is not dba.
Solved! Go to Solution.
If you don't want them to have write access to the PDF then why not consider not attaching it as a Target when there is a task that pauses for user input (DO, Review tasks, etc).
Use the epm-remove-objects handler to remove it entirely, or if you want to add it back quickly later then use the epm-move-attached-attached-objects handler to move it to the references and then on the next task use the same handler to put it back.
The PDF's get added as the workflow progresses at stages where there is no pause. When it stops for approval the workflow ACL allows editing to the approver to all targets including the DBA owned items. I couldn't find an ACL rule that says items owned by group in this case dba write deny.
Ok, so if you dont want write access move the pdfs to the references folder using epm-move-attached-objects.
Workflow ACLs apply to all targets, you can't differentiate a target owned by a group.
In a workflow, the tasks that users peform have 2 folders:
1 - Targets
2 - References
Anything that is a Target is acted on - properties changed, queries ran, status set etc. Anything in the references folder is just ignored - its there for reference! (although there are some handlers that will act on References like EPM-create-relation).
Do a test... in a workflow, cut the pdf from the targets folder and paste it to the references folder. Notice the pdf loses the In Process icon. No workflow ACLs are applied to the pdf... No user will be able to edit it (unless ACL in main rule tree allows it).
Note - there are handlers to prevent users cutting and pasting from targets EPM-disallow-adding-targets & EPM-disallow-removing-targets which may be applied...
Revisions have objects related to them using relations... Reference & Specification are 2 typical relations used.
I'm talking about the References folder under a task in a workflow - this is nothing to do with the relation Reference