Access protection is a feature that prevents workflow seed data created by a 'seed data provider' from being modified by a 'seed data consumer'. Here, a 'seed data provider' is any organization that creates 'seed data' for other organizations ('seed data consumers') to use in defining and customizing a workflow process. In Oracle Workflow, seed data refers to either of the following:
Workflow object definitions that can and should be customized to meet a certain consumer's needs.
Workflow object definitions protected against customization because they represent standards that may also be upgraded in the future by the provider.
For example, the Oracle Workflow development team is a provider of seed data called the Standard item type. The Standard item type contains standard activities that can be dropped into any custom workflow process. The development team at your organization's headquarters may create a custom workflow process definition that references activities from the Standard item type. This makes the headquarters team a consumer of the Standard item type seed data.
Now suppose the headquarters team wants to deploy the custom workflow definition that it created to teams at other regional offices. The headquarters team, as seed data providers, may want to do the following:
Identify certain workflow objects in its custom workflow definition as corporate standards that the regional teams should adhere to and not modify.
Designate certain objects in its deployed process as customizable for the regional offices to alter to their offices' needs.
The headquarters team can satisfy both requirement using the access protection feature in Oracle Workflow. Access protection lets seed data providers protect certain data as 'read-only', while allowing other data to be customized. Also during a seed data upgrade, access protection lets the seed data provider overwrite any existing protected seed data with new versions of that seed data, while preserving any customizations made to customizable seed data.
Oracle Workflow assigns a protection and customization level to every workflow object definition stored in the database and requires every user of Oracle Workflow to operate at a certain access level. The combination of protection, customization, and access levels makes up the access protection feature and determines whether a user can modify a given workflow object. The level, in all three cases, is a numeric value ranging from 0 to 1000 that indicates the relationship between different organizations as providers and consumers of seed data.
The following range of levels are presumed by Oracle Workflow:
| 0-9 | Oracle Workflow |
| 10-19 | Oracle Application Object Library |
| 20-99 | Oracle E-Business Suite development |
| 100-999 | Customer organization. You can determine how you want this range to be interpreted. For example, 100 can represent headquarters, while 101 can represent a regional office, and so on. |
| 1000 | Public |
Each user of Oracle Workflow operates the system at a certain access level according to the range of levels listed above. A "user of Oracle Workflow" in this case, represents someone who is operating Oracle Workflow Builder, or the Workflow Definitions Loader program, which loads workflow process definitions from a file into a database. As a seed data provider, you should always operate Oracle Workflow Builder at the same consistent access level because the level you work at affects the protection level of the seed data you create.
You can view your access level as follows:
In Oracle Workflow Builder, select About Workflow from the Help menu.
If you are going to run the Workflow Definitions Loader program to download workflow process definitions from the database to a file, check the value for the environment variable WF_ACCESS_LEVEL on your workflow server. See: Using the Workflow Definitions Loader.
Note: The Workflow Definitions Loader program references the access level stored in the environment variable called WF_ACCESS_LEVEL, which you must define when you install Oracle Workflow on your server. If you do not define this environment variable, the Workflow Definitions Loader simply assumes a default access level of 1.
When you install Oracle E-Business Suite, you need to define this variable in an environment file. The default environment file is APPLSYS.env. If you do not define this environment variable, the Workflow Definitions Loader simply assumes a default access level of 1. Refer to your Oracle E-Business Suite installation documentation for more information about environment files.
Whenever you create a workflow object in Oracle Workflow Builder, you have the option of protecting the object at a certain level. An object's protection level helps control whether other users can modify the object based on their access levels, by allowing only users with an access level equal to or lower than the object's protection level to modify the object.
Note: The range of access levels allowed to modify the object may be further restricted by the object's customization level.
To set the protection level of an object, display the Access tab of the object's property page and either check or clear the Lock at this Access Level check box. The protection level that you set for an object is dependent on the setting of the Lock at this Access Level check box and on your current access level.
If you check the Lock at this Access Level check box, the protection level for the object is set to your current access level. Users with an access level higher than your current access level will not be able to modify the object. These users will see a small lock on the workflow object's icon, indicating that the object can be used but not modified. For users with an access level equal to or lower than your current access level, the customization level for the object will determine whether they can modify the object.
If you do not check the Lock at this Access Level check box, the protection level for the object is set to 1000. In this case all users who are not restricted by the customization level can modify the object.
Every workflow object, in addition to having a protection level, also records a customization level when you modify the object and save it to a database or file. An object's customization level helps control whether other users can modify the object based on their access levels, by allowing only users with an access level equal to or higher than the object's customization level to modify the object.
Note: The range of access levels allowed to modify the object may be further restricted by the object's protection level.
Setting the customization level ensures that a customizable object that has been customized never gets overwritten during a seed data upgrade, because the upgrade always occurs with the Workflow Definitions Loader operating at an access level below the customized object's customization level.
To set the customization level of an object, display the Access tab of the object's property page and either check or clear the Preserve Customizations check box. The customization level that you set for an object is dependent on the setting of the Preserve Customizations check box and on your current access level.
If you check the Preserve Customizations check box, the customization level for the object is set to your current access level. Users with an access level lower than your current access level will not be able to modify the object. These users will see a small lock on the workflow object's icon, indicating that the object can be used but not modified. For users with an access level equal to or lower than your current access level, the protection level for the object will determine whether they can modify the object.
If you do not check the Preserve Customizations check box, the customization level for the object is set to 0. In this case all users who are not restricted by the protection level can modify the object.
You control access to an object by the combined settings of the protection level and the customization level. You can set the Preserve Customizations and Lock at this Access Level check boxes for an object in one of four ways to specify the type of access you want to allow:
Allow access to everyone - By default, all users are allowed access to an object if the Preserve Customizations and the Lock at this Access Level check box are both not checked. That is, the protection level is 1000 and the customization level is 0.
Limit access to users with access levels equal to your own or higher - If you check the Preserve Customizations check box but do not check the Lock at this Access Level check box, you designate the object as being customizable by anyone with an access level equal to or higher than your current access level. However, users with a lower access level will not be able to modify the object. That is, the protection level is 1000 and the customization level is your current access level. You should only mark objects as customizable in this way if you are sure that you will not be providing upgraded versions of this object in the future that would overwrite other users' customizations to it.
Limit access to users with access levels equal to your own or lower - If you check the Lock at this Access Level check box but do not check the Preserve Customizations check box, you protect the object and ensure that the object can only be modified by users with an access level equal to or lower than your current access level. Users with a higher access level will not be able to modify the object. That is, the protection level is your current access level and the customization level is 0. Protect any objects that you want to define as standard components that will not change unless you provide a global upgrade. For this reason, it is important that you always operate at the same consistent access level.
Limit access to users with access levels equal to your own - If you check both the Lock at this Level and Preserve Customizations check boxes, you ensure that the object cannot be modified by anyone other than users operating at your current access level. That is, the protection level and customization level are both set to your current access level.
The following table summarizes which access levels can access an object under different settings of the Preserve Customizations and Lock at this Access Level options.
Object Access Under Combined Customization and Protection Levels
| Preserve Customizations | Lock at this Access Level | Access Level Applied to Object |
|---|---|---|
| Cleared | Cleared | Object may be updated by any access level. |
| Checked | Cleared | Object may only be updated by users with access levels equal to or higher than your current access level. |
| Cleared | Checked | Object may only be updated by users with access levels equal to or lower than your current access level. |
| Checked | Checked | Object cannot be updated by any access level except for your current access level. |
The protection and access levels in Oracle Workflow are present to remind you that certain workflow objects should not be modified or should only be modified by someone accessing the tool at an authorized access level. This feature is not intended as a means of securing or source controlling your workflow objects.
Important: Most workflow objects provided by Oracle Workflow have a protection level of 0, which means the objects can only be modified by the Oracle Workflow team, operating at an access level of 0. If you attempt to alter your access level to 0 and modify the data anyway, your customizations will not be supported, especially if Oracle Workflow provides an upgrade to the seed data that may overwrite the modifications you make to the originally protected data.
See: To Set the Access Level for an Object.
When you install Oracle Workflow Builder on a Windows PC, Oracle Universal Installer assigns a default access level that is global to the PC and the operating system you are installing on. After installing Oracle Workflow Builder, you can have individual users on the PC change their access level to a new setting which overrides the default access level set for the PC. If a user does not define an access level, Oracle Workflow Builder assumes the value of the default access level for the PC. The access levels are stored in the Microsoft Windows registry.
If you are deploying Oracle Workflow Builder and workflow seed data to users in other parts of your organization, and you wish to discourage those users from modifying the seed data that you provide, you can have them operate Oracle Workflow Builder at an access level that is higher than the data's protection level. For example if you, as a seed data provider, are operating at an access level of 100 and the seed data you create is protected at a level of 100, then you should require the access level for your users or seed data consumers to be 101 or higher.
You can set a user's access level in Oracle Workflow Builder by having them choose About Oracle Workflow Builder... from the Help menu. In the About Oracle Workflow Builder window, change the Access Level field to a number higher than your seed data protection level, then choose OK.
You can also set the access level directly in the Microsoft Windows registry by using a registry editor such as regedit to edit the decimal value under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\Workflow\Level.
For the Workflow Definitions Loader program, you set the default access level that the program operates at for downloading process definitions to a file, by defining an environment variable called WF_ACCESS_LEVEL and setting its value using the appropriate operating system command.
Caution: Although you can modify your access level, Oracle Workflow does not support any customizations to seed data originally protected at a level 99 or lower. We STRONGLY RECOMMEND that you not change your access level to an unauthorized level for modifying protected data.