Managing Workflow Security
Workflow creators are permitted to write workflow-embedded Java code to facilitate the execution of the workflow process. This embedded Java code is executed on the server, and there are no restrictions on the APIs available for use.
Considering this capability, an additional level of control has been provided for the site administrator to prevent a user who is not a member of at least one of three specific site context groups (Administrators, Workflow Administrators, or Workflow Author) from embedding Java code in workflows.
A user with permissions to create workflow templates (for example, a project manager) could potentially add malicious code in one of the workflow expressions, causing a possible security threat. For this reason, workflow templates that contain Java expressions must be written, reviewed, and thoroughly tested by individuals that are trusted by the organization.
The
Workflow Template Administration link is available on the
Utilities page of
Site ,
Organizations ,
Libraries , and
Products . Although it is not available on the > page, a Project Manager could potentially obtain the URL for the utility and access it by typing the URL directly into a browser address bar.
The following sections provide more detail about the roles that can author workflow processes, the site context groups that allow Java code to be embedded, and the areas that are disabled when a user is prevented from embedding Java code.