Managing Workflow Security
Workflow authors are permitted to write workflow-embedded Java code to facilitate the execution of the workflow process. This embedded Java code is executed on the server, and there are no restrictions on the APIs available for use.
Given this capability, a user with permission to create workflow templates (for example, a project or program manager) could add malicious code to one of the workflow expressions, which poses a possible security threat. For this reason, workflow templates that contain Java expressions must be written, reviewed, and thoroughly tested by individuals who are trusted by the organization. As an additional level of control, the site administrator can prevent any user who is not a member of at least one of three specific site context groups (Administrators, Workflow Administrators, or Workflow Authors) from embedding Java code in workflows.
For more information about workflow security, see Workflow.