Change ACL on a workflow step

Hello,

We have a different ACL per class. Example: AlexK can read and thuet has full access.

  

This ACL is assigned to a class:

Then this class is linked to a very simple workflow:

On the draft step we want only the creator to have read / write rights. We have an ACL on the draft stage with "created by", which gives read / write access to the creator:

Next step is "Diffusion", on this step we want to use the ACL defined in the automatic authorization of the class.

On the diffusion step we have not declared anything, hoping that it is the authorization of the class that is taken into account:

On the draft step, the ACL linked to the workflow step is applied, but when the document passes through the distribution step, the ACL of the class is not applied and it is the ACL of the previous stage that remains.

Progress of the workflow at the delivery step: the rights remain on the access rights of the previous step.

Is there a way to no longer apply the rights of the previous step and to apply the rights of the class if nothing is defined on the workflow step?

Thanks 

Thomas

  • Hi Thomas, 

    You would need to apply a specific NACL on the workflow step if you want to change access rights on that specific workflow step. If you don't apply anything, you would, as you have experienced, have the same access rights as on the previous workflow step.

    Access rights that you have defined on class level are related to the rights of who can create new documents of that specific class, search for specific documents of that class, etc. They have no relation to the rights that you set dynamically through the workflow, which relate concretely to a specific document and not to a class as a construct.

    Hope this helps.

    Dejan

  • Thank you for your reply.

    I understand that once a right has been applied from a workflow step, it is no longer possible to revert to the rights of the class.

    Could a specific script help on the second workflow step? Find the document class, find the ACL associated with this class and apply it?

    Thomas

  • Hi Thomas,

    If you want to give permissions back to the NACL you originally used on class level, then you would just need to use that NACL on the specific (second) workflow step. It is as simple as that. You don't need to code; this would be simple configuration in your workflow.

    If you want to explore the options for setting/updating NACLs, you can check the following: https://www.m-files.com/api/documentation/index.html#MFilesAPI~VaultObjectOperations~ChangePermissionsToNamedACL.html.

    Be aware that for those actions, in most cases you do need to be admin to execute them successfully (a usual user would not have rights to run those actions!).

    Bottom line: I would stick with configuration on the workflow step.

    Hope this helps you further in your examinations.

    Dejan

  • Thanks for your help, it works the way we want it to now.

  • If it can help someone, here is the solution.

    1. Create a list of values corresponding to your workflow steps, and on each value in the list set the desired ACL, except for the last step, where we want to apply the rights of the class.

    2. Enable automatic permissions for this new property.

    3. Apply this property to all the desired classes.

    4. On each step of the workflow, apply the corresponding value in the list of values. The goal is for the list values to drive the ACL and not the workflow step.

    5. On the draft step, apply the script that deactivates the ACL of the class and activates the ACL of the value in the list of values.

    Option Explicit

    ' Draft step: activate the automatic component linked to the draft NACL
    ' and deactivate every other automatic component (including the class ACL).
    Dim i
    ' Resolve the draft NACL ID once instead of on every loop iteration.
    Dim iDraftACLID: iDraftACLID = Vault.NamedACLOperations.GetNamedACLIDByAlias("NACL.EnRédaction")
    ' Get the current object ACL.
    Dim oObjectVersionPermissions: Set oObjectVersionPermissions = Vault.ObjectOperations.GetObjectPermissions(ObjVer)
    Dim oACL: Set oACL = oObjectVersionPermissions.AccessControlList
    Dim oACLListKeys: Set oACLListKeys = oACL.AutomaticComponents.GetKeys()
    For i = 1 To oACLListKeys.Count
        If oACL.AutomaticComponents.At(oACLListKeys.Item(i)).NamedACLLink = iDraftACLID Then
            ' Component driven by the value list: make it active.
            oACL.AutomaticComponents.At(oACLListKeys.Item(i)).IsActive = True
        Else
            ' Any other automatic component: make it inactive.
            oACL.AutomaticComponents.At(oACLListKeys.Item(i)).IsActive = False
        End If
    Next
    ' Now update the object's ACL.
    Dim oObjectVersion: Set oObjectVersion = Vault.ObjectOperations.ChangePermissionsToACL(ObjVer, oACL, True)


    6. On the last step, to return to the ACL of the class, apply the same code but reversed, to deactivate the rule linked to the value of the list and activate the ACL of the class.

    Option Explicit

    ' Last step: deactivate the automatic component linked to the draft NACL
    ' and activate every other automatic component (including the class ACL).
    Dim i
    ' Resolve the draft NACL ID once instead of on every loop iteration.
    Dim iDraftACLID: iDraftACLID = Vault.NamedACLOperations.GetNamedACLIDByAlias("NACL.EnRédaction")
    ' Get the current object ACL.
    Dim oObjectVersionPermissions: Set oObjectVersionPermissions = Vault.ObjectOperations.GetObjectPermissions(ObjVer)
    Dim oACL: Set oACL = oObjectVersionPermissions.AccessControlList
    Dim oACLListKeys: Set oACLListKeys = oACL.AutomaticComponents.GetKeys()
    For i = 1 To oACLListKeys.Count
        If oACL.AutomaticComponents.At(oACLListKeys.Item(i)).NamedACLLink = iDraftACLID Then
            ' Component driven by the value list: make it inactive.
            oACL.AutomaticComponents.At(oACLListKeys.Item(i)).IsActive = False
        Else
            ' Any other automatic component: make it active again.
            oACL.AutomaticComponents.At(oACLListKeys.Item(i)).IsActive = True
        End If
    Next
    ' Now update the object's ACL.
    Dim oObjectVersion: Set oObjectVersion = Vault.ObjectOperations.ChangePermissionsToACL(ObjVer, oACL, True)
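
A fail-closed variant of the two scripts in the solution above, as an added example that is not part of the original thread: a hypothetical helper `SetDraftAclState` serves both steps and stops before writing any permissions when the alias does not resolve or no automatic component is linked to it. It assumes `GetNamedACLIDByAlias` returns -1 for an unresolved alias and that `MFScriptCancel` is available in the workflow script environment.

```vbscript
Option Explicit

' Added example (not from the thread); uses the same API calls as the scripts above.
' Assumption: GetNamedACLIDByAlias returns -1 when the alias does not resolve.
Const DRAFT_NACL_ALIAS = "NACL.EnRédaction"   ' alias taken from the thread

' Hypothetical helper: pass True on the draft step, False on the last step.
Sub SetDraftAclState(draftActive)
    Dim draftAclId
    draftAclId = Vault.NamedACLOperations.GetNamedACLIDByAlias(DRAFT_NACL_ALIAS)

    ' Fail closed: without a resolved ID the comparison in the loop cannot
    ' identify the draft component, so stop instead of changing permissions.
    If draftAclId = -1 Then
        Err.Raise MFScriptCancel, "Named ACL alias not resolved: " & DRAFT_NACL_ALIAS
    End If

    Dim oPermissions: Set oPermissions = Vault.ObjectOperations.GetObjectPermissions(ObjVer)
    Dim oACL: Set oACL = oPermissions.AccessControlList
    Dim oKeys: Set oKeys = oACL.AutomaticComponents.GetKeys()

    Dim i, matched
    matched = 0
    For i = 1 To oKeys.Count
        If oACL.AutomaticComponents.At(oKeys.Item(i)).NamedACLLink = draftAclId Then
            oACL.AutomaticComponents.At(oKeys.Item(i)).IsActive = draftActive
            matched = matched + 1
        Else
            oACL.AutomaticComponents.At(oKeys.Item(i)).IsActive = Not draftActive
        End If
    Next

    ' No component points at the draft NACL: on the draft step this would
    ' deactivate every automatic component, so abort before the ACL is saved.
    If matched = 0 Then
        Err.Raise MFScriptCancel, "No automatic ACL component linked to " & DRAFT_NACL_ALIAS
    End If

    ' Same call and arguments as in the thread's scripts.
    Vault.ObjectOperations.ChangePermissionsToACL ObjVer, oACL, True
End Sub

' Draft step: value-list ACL active, class ACL inactive.
' On the last step, call SetDraftAclState False instead.
SetDraftAclState True
```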