Workflow creators are permitted to write workflow-embedded Java code to facilitate the execution of the workflow process. This embedded Java code is executed on the server, and there are no restrictions on the APIs available for use.

Considering this capability, an additional level of control has been provided for the site administrator to prevent a user who is not a member of at least one of three specific site context groups (Administrators, Workflow Administrators, or Workflow Author) from embedding Java code in workflows.

A user with permissions to create workflow templates (for example, a project manager) could potentially add malicious code in one of the workflow expressions, causing a possible security threat. For this reason, workflow templates that contain Java expressions must be written, reviewed, and thoroughly tested by individuals that are trusted by the organization.

The following sections provide more detail about the roles that can author workflow processes, the site context groups that allow Java code to be embedded, and the areas that are disabled when a user is prevented from embedding Java code.