Basic Administration > Supporting Collaboration > Workflow Administration > Workflow Management > Managing Workflow Security > Restricting Workflow-Embedded Java Code > Administrative Groups
  
Administrative Groups
The Administrators and Workflow Administrators groups are part of the base data loaded with every Windchill installation. However, members of these groups are also granted the permissions necessary to create and modify workflow templates within the Site context. Even though these permissions are not inherited by the domains used for organizations or other contexts, a member of one of these groups could potentially obtain the URL for and access the Site-level Workflow Template Administration utility by typing it directly into a browser address bar.
For this reason, a new group is available in the Site context called Workflow Author. This group will not be granted any access permissions by default, but members of this group will be considered trusted to author Java expressions in locations where they are otherwise granted the permission necessary to author workflow templates.
For example, if a library context manager launches the Workflow Template Administration utility and creates a workflow template in the context of that library, they will be permitted to do so because they have been granted the necessary access control permissions through their membership in the library manager role (Full Control (All) permission on WTObject). However, when the library context manager attempts to access any of the input fields for expression code (for example, the Transitions tab for a workflow activity) in the workflow template, the system will perform an additional check to verify that the user is trusted to author expression code by confirming that the user is a member of either the Workflow Author, Workflow Administrators, or Administrators groups. If so, the expression code input fields will be enabled and the user will be able to edit the embedded expression code. If not, the expression code input fields will be disabled and the user will be able to view but not edit the expression code.
Thus, membership in one or more of these three groups serves as a second layer of permission controlling who is able to create and edit workflow-embedded Java expressions.