The routing mechanism for work items uses roles and organizational assignments to determine who receives which work item. However, the routing does not provide extra authorization checks based on the routing configuration. If you want to ensure that the tasks are executed within the workflow, and not via the standard transaction, service or MiniApp, then you will have to apply your own protection.
The simplest way of doing this is to remove the standard transaction from the user's menu or Workplace role (but include it in the supervisor's role, just in case).
If you want to allow the user to execute the task from the menu if and only if they have received the work item, then you should replace the standard transaction with your own custom-built transaction. Your own transaction simply calls the standard transaction but performs its own authorization check first, based on the routing mechanism used in the workflow. Tip: Add a second (ORed) authorization check to make sure that a supervisor can execute the transaction in an emergency.
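The wrapper transaction described above, as an added ABAP example that is not part of the original post. It assumes "has received the work item" is tested by reading the user's workflow inbox with SAP_WAPI_CREATE_WORKLIST; the task ID, the transaction code and the authorization object Z_WF_SUPER (field ACTVT) are hypothetical placeholders.

```abap
REPORT z_wf_guarded_tcode.

* Placeholders (assumptions, not from the original post):
CONSTANTS: c_task      TYPE swr_wihdr-wi_rh_task VALUE 'TS99999999', " task behind the work item
           c_std_tcode TYPE sy-tcode             VALUE 'ZSTD'.       " standard transaction to wrap

DATA: lt_worklist TYPE STANDARD TABLE OF swr_wihdr,
      lv_rc       TYPE sy-subrc,
      lv_allowed  TYPE abap_bool VALUE abap_false.

START-OF-SELECTION.

* Check 1: does the current user hold a work item for this task?
* The inbox worklist is the result of the workflow's routing, so the
* wrapper reuses the routing decision instead of duplicating its rules.
  CALL FUNCTION 'SAP_WAPI_CREATE_WORKLIST'
    EXPORTING
      user        = sy-uname
    IMPORTING
      return_code = lv_rc
    TABLES
      worklist    = lt_worklist.

  IF lv_rc = 0.
    READ TABLE lt_worklist TRANSPORTING NO FIELDS
         WITH KEY wi_rh_task = c_task.
    IF sy-subrc = 0.
      lv_allowed = abap_true.
    ENDIF.
  ENDIF.

* Check 2 (ORed): emergency access for supervisors.
* Z_WF_SUPER is a hypothetical custom authorization object.
  IF lv_allowed = abap_false.
    AUTHORITY-CHECK OBJECT 'Z_WF_SUPER' ID 'ACTVT' FIELD '16'.
    IF sy-subrc = 0.
      lv_allowed = abap_true.
    ENDIF.
  ENDIF.

* Fail closed: a worklist read error and a missing work item both end here.
  IF lv_allowed = abap_false.
    MESSAGE 'No work item for this task and no supervisor authorization'
            TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* The user's role holds only the wrapper's transaction code, so the
* standard transaction is started without its own S_TCODE check.
  CALL TRANSACTION c_std_tcode WITHOUT AUTHORITY-CHECK.
```

The check constrains only users whose roles do not also contain the standard transaction code itself.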