Restrict user to open workflows from userapp

Hi,
uaadmin and all the users in eDirectory can see and run all the workflows by default. Our requirement is to give permission to run workflows to few specific users of eDirectory. Can anyone tell how to restrict / allow specific users for workflows. In a NetIQ document it stated that "use NetIQ eDirectory to add an Inheritance Rights Filter (IRF) on the AppConfig container, which is located under the User Application driver".
We have put permission to object [public], entry rights for a trustee --> inherit and mention that user in workflow trustee option. But it is not working.
Can anyone help?
  • On 6/12/2019 3:54 AM, prasenjitmass wrote:
    >
    > Hi,
    > uaadmin and all the users in eDirectory can see and run all the
    > workflows by default. Our requirement is to give permission to run
    > workflows to few specific users of eDirectory. Can anyone tell how to
    > restrict / allow specific users for workflows. In a NetIQ document it
    > stated that "use NetIQ eDirectory to add an Inheritance Rights Filter
    > (IRF) on the AppConfig container, which is located under the User
    > Application driver".
    > We have put permission to object [public], entry rights for a trustee
    > --> inherit and mention that user in workflow trustee option. But it is
    > not working.
    > Can anyone help?


    If you can see the workflow, via eDir permissions from your logged in
    user, you can run it.

    So, in eDir (via LDAP or iManager) find the Driver Set, then the User
    App object (whatever you named it), then there is an AppConfig
    container. Now they say block it at the AppConfig level, I would have
    thought you could do it at the RequestDefs container, but follow the docs.

    First, make sure to grant uaadmin and admin SRWECMA permissions directly
    at the level you wish to fiddle with. Make this object and attribute
    permissions, just to be safe. I.e. Explicitly grant them permissions.

    Then you can set an IRF that blocks inheritance of Read and Browse
    permissions. This way, the default permission that everyone gets to see
    the entire tree is blocked.

    Now when you add trustees specifically, the users get permissions to see
    it, and it should block everyone, allow only those you chose.
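
The three steps in the reply above, worked through as an added example that is not part of the original thread and is not NetIQ code. It is a simplified model of rights inheritance that tracks only Browse and Read; the object names, the users alice and bob, and the assumption that uaadmin's rights are inherited from the Driver Set are all constructed for illustration.

```python
# Simplified model: rights flow down the tree, an IRF strips inherited rights,
# and an explicit trustee assignment on an object replaces what was inherited.
# All object and user names are constructed for illustration.
PATH = ["o=org", "cn=DriverSet", "cn=UserApp", "cn=AppConfig"]  # root -> target

def effective_rights(user, equivalents, acls, irfs, path=PATH):
    """Union, over the user and its security equivalents, of the rights
    that reach the last object in `path`."""
    result = set()
    for identity in [user, *equivalents]:
        rights = set()
        for obj in path:
            rights -= irfs.get(obj, set())        # IRF filters inherited rights only
            explicit = acls.get(obj, {}).get(identity)
            if explicit is not None:              # explicit assignment replaces inherited
                rights = set(explicit)
        result |= rights
    return result

def can_see(user, acls, irfs):
    # Every user is security-equivalent to [Public] in this model.
    return "Browse" in effective_rights(user, ["[Public]"], acls, irfs)

def scenarios():
    # Default state: [Public] can browse the tree; uaadmin is assumed to get
    # its rights from an assignment higher up, so they reach AppConfig by inheritance.
    base = {"o=org": {"[Public]": {"Browse"}},
            "cn=DriverSet": {"uaadmin": {"Browse", "Read"}}}
    # IRF on AppConfig blocking inheritance of Read and Browse.
    irf = {"cn=AppConfig": {"Browse", "Read"}}
    # Explicit grants placed directly on AppConfig (admin first, then chosen users).
    fixed = {**base, "cn=AppConfig": {"uaadmin": {"Browse", "Read"},
                                      "alice": {"Browse", "Read"}}}
    users = ["uaadmin", "alice", "bob"]
    return {
        "default": {u: can_see(u, base, {}) for u in users},
        "irf_only": {u: can_see(u, base, irf) for u in users},
        "irf_plus_trustees": {u: can_see(u, fixed, irf) for u in users},
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} {outcome}")
```

The `irf_only` row shows why the explicit admin grant comes first: with the filter in place and no direct assignment on the container, the administrator in this model loses visibility along with everyone else.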