You can designate certain users as administrators only for particular types of workflows by assigning those users specialized workflow monitoring privileges with restricted access to workflow data. You can base the restrictions on a defined set of item types or on criteria specific to a particular functional area.
Ensure that users who act as specialized workflow administrators have access to the administrator version of the Status Monitor, either through an Oracle Workflow responsibility or from another application. See: Oracle Workflow Administrator Navigation Paths and Providing Access to the Status Monitor from Applications.
You must also grant permissions to specialized workflow administrators to enable them to perform administrative actions within the Status Monitor for workflows to which they have access. However, note that users cannot perform any actions on workflows that they own themselves, irrespective of any permissions granted to them. Only users with full workflow administrator privileges assigned in the Workflow Configuration page can perform administrative actions on workflows that they own themselves.
Note: If a user has full workflow administrator privileges assigned in the Workflow Configuration page, then those privileges override any specialized workflow monitoring privileges assigned to that user. That is, a user with full workflow administrator privileges can access all workflows, irrespective of any restrictions defined for any specialized privileges. See: Setting Global User Preferences.
You can restrict access to workflow monitoring data based only on item types, only on functional criteria, or on both item types and functional criteria. However, because grants based on functional criteria depend on item attribute values, these grants are most effective when combined with grants for item types that share the same item attributes.
For more information about creating instance sets and grants, see: Defining Data Security Policies and Assigning Permissions to Roles.
If you want to restrict access based on item types, perform the following steps.
Create an instance set on the object WORKFLOW_ITEMS with a predicate that includes the parameters in which you will specify the item types you want. For example, the following excerpt shows a sample predicate for granting access to a single item type:
&TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER1
You can also grant access to multiple item types, up to a maximum of ten, which is the maximum number of parameters you can specify for a grant. For example, the following excerpt shows a sample predicate for granting access to ten item types:
&TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER1
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER2
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER3
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER4
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER5
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER6
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER7
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER8
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER9
OR &TABLE_ALIAS.ITEM_TYPE = &GRANT_ALIAS.PARAMETER10
The following excerpt shows an alternative sample predicate for granting access to ten item types:
&TABLE_ALIAS.ITEM_TYPE in (&GRANT_ALIAS.PARAMETER1,
&GRANT_ALIAS.PARAMETER2,
&GRANT_ALIAS.PARAMETER3,
&GRANT_ALIAS.PARAMETER4,
&GRANT_ALIAS.PARAMETER5,
&GRANT_ALIAS.PARAMETER6,
&GRANT_ALIAS.PARAMETER7,
&GRANT_ALIAS.PARAMETER8,
&GRANT_ALIAS.PARAMETER9,
&GRANT_ALIAS.PARAMETER10)
Create a grant using the instance set you created. First, specify appropriate security context information such as grantee and responsibility. Then specify the following data context information:
Object - WORKFLOW_ITEMS
Data Context Type - Instance Set
Instance Set - The instance set you created on WORKFLOW_ITEMS.
Parameter 1 through Parameter 10 - The internal names of the item types to which you want to grant access, such as WFDEMO. You can specify one item type name in each parameter that is referenced in the predicate of your instance set, up to the maximum of ten.
Note: You must explicitly reference each grant parameter you want to use in the predicate of your instance set. Any grant parameters that are not referenced in the instance set predicate are ignored, even if you enter values in the parameter fields in the Create Grant pages.
Set - Business workflow item permission set
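The note above says that a grant parameter is ignored unless the instance set predicate references it. The following Python check is an added example, not part of the Oracle documentation: it compares the text of a predicate with the values entered on a grant and reports parameters that are filled in but never referenced, referenced but left blank, or numbered beyond the ten a grant supports. The function names, the dictionary layout, and the item type names other than WFDEMO are assumptions made for illustration; the predicate text and grant values are supplied by you.

```python
import re

MAX_PARAMS = 10  # the page states that a grant takes at most ten parameters
PARAM_REF = re.compile(r"&GRANT_ALIAS\.PARAMETER(\d+)\b", re.IGNORECASE)


def referenced_params(predicate):
    """Return the set of parameter numbers that the predicate text references."""
    return {int(n) for n in PARAM_REF.findall(predicate)}


def audit_grant(predicate, grant_params):
    """Compare an instance set predicate with the values entered on a grant.

    grant_params maps parameter number -> value entered (None or '' if blank).
    """
    refs = referenced_params(predicate)
    filled = {n for n, v in grant_params.items() if v not in (None, "")}
    return {
        # Value entered on the grant, but the predicate never uses it.
        "ignored": sorted(filled - refs),
        # Predicate uses it, but the grant leaves it blank.
        "unset": sorted(n for n in refs - filled if 1 <= n <= MAX_PARAMS),
        # Predicate references a parameter number a grant cannot carry.
        "out_of_range": sorted(n for n in refs if not 1 <= n <= MAX_PARAMS),
        # Item types the grant actually restricts access to.
        "effective": sorted(grant_params[n] for n in refs & filled),
    }


# Constructed sample: predicate references parameters 1-3 only.
SAMPLE_PREDICATE = (
    "&TABLE_ALIAS.ITEM_TYPE in (&GRANT_ALIAS.PARAMETER1, "
    "&GRANT_ALIAS.PARAMETER2, &GRANT_ALIAS.PARAMETER3)"
)
# Constructed sample grant: parameter 3 left blank, parameter 4 filled in.
SAMPLE_GRANT = {1: "WFDEMO", 2: "EXAMPLE_A", 3: "", 4: "EXAMPLE_B"}

if __name__ == "__main__":
    for finding, value in audit_grant(SAMPLE_PREDICATE, SAMPLE_GRANT).items():
        print(f"{finding}: {value}")
```

For the sample, the item type entered in Parameter 4 is reported as ignored, so the grantee would not see those workflows even though the value appears on the grant.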
If you want to restrict access based on criteria specific to a particular functional area using item attributes, perform the following steps.
Create an instance set on the object WORKFLOW_ITEM_ATTR_VALUES with a predicate that defines those criteria. For example, the following excerpt shows a sample predicate defining criteria for HR data, using the CURRENT_PERSON_ID item attribute:
&TABLE_ALIAS.NAME='CURRENT_PERSON_ID'
and EXISTS (SELECT 'Y' FROM per_people_f
WHERE person_id = &TABLE_ALIAS.TEXT_VALUE
AND TRUNC (SYSDATE) BETWEEN effective_start_date
AND effective_end_date)
As another example, if the workflows for a particular organization are marked with an item attribute named ORG_ID, the following excerpt shows a sample predicate that allows access only to workflows associated with the user's current organization context.
&TABLE_ALIAS.NAME = 'ORG_ID'
and &TABLE_ALIAS.TEXT_VALUE = substr
(sys_context('USERENV','CLIENT_INFO'),1,10)
Create a grant using the instance set you created. First, specify appropriate security context information such as grantee and responsibility. Then specify the following data context information:
Object - WORKFLOW_ITEM_ATTR_VALUES
Data Context Type - Instance Set
Instance Set - The instance set you created on WORKFLOW_ITEM_ATTR_VALUES.
Set - Business workflow item attribute permission set
If you want to assign a user privileges for all administrative actions within the Status Monitor, assign that user the role WF_ADMIN_ROLE. This role by default is granted the seeded permission set "Business workflow item permission set" (WF_ADMIN_PSET), which includes the permissions for all the administrative actions.
If you want to assign a user privileges only for specific administrative actions, create a custom permission set with the permissions you want to assign, and grant that permission set to the user. The following table lists the permission names and codes that correspond to the administrative actions.
Permissions for Administrative Actions in the Status Monitor
| Action | Permission Name | Permission Code |
|---|---|---|
| Skip | Skip Workflow Activity | WF_SKIP |
| Retry | Retry Activity | WF_RETRY |
| Rewind | Rewind Workflow | WF_REWIND |
| Suspend | Suspend Workflow | WF_SUSPEND |
| Cancel | Cancel Workflow | WF_CANCEL |
| Update | Update Workflow Item Attributes | WF_UPDATE_ATTR |
| Monitor | Monitor Data | WF_MON_DATA |