4.1 Managing Users and Groups

Workflow Automation supports imported user and group accounts from both Active Directory (AD) and the local Security Account Manager (SAM) database on the Workflow Automation Server computer, as well as internal Workflow Automation users and groups. You cannot modify the imported user and group accounts in Workflow Automation, but you can configure Workflow Automation to automatically synchronize the accounts with any changes made in AD and the SAM database. For more information about account synchronization, see Understanding User and Group Synchronization.

4.1.1 Default Groups

Workflow Automation provides the following default groups. Each group is associated with a default permission set at the global level, which determines product access. Domain groups imported from Active Directory receive permissions only after you add them to the applicable default groups. This includes adding them to the Aegis Users group to authorize logins to Workflow Automation.

For information about default permission sets, see Default Permission Sets.

Administrators

Workflow Automation imports the local Administrators group during the installation procedure and associates the group with the Aegis Administration permission set.

Aegis Administrators

User and group accounts associated with the Aegis Administrators group have the permissions to perform all Workflow Automation functions.

Administrators in this group typically install Workflow Automation and Workflow Automation adapters. Administrators interact with the Configuration Console and the Adapter Configuration Utility to configure, manage, and maintain Workflow Automation, including security and user setup. They might also be responsible for consulting with discipline experts.

Aegis Managers

User and group accounts associated with the Aegis Managers group have all the permissions associated with the Aegis Management permission set.

Aegis Users

User and group accounts associated with the Aegis Users group have all the permissions associated with the Resource Viewing permission set. Workflow Automation adds all imported users to the Aegis Users group.

Process Authors

User and group accounts associated with the Process Authors group have all the permissions associated with the Process Authoring, Process Operation, and Process Viewing permission sets.

Process Authors interact mainly with the Workflow Designer to create and maintain triggers, triggering event definitions, and process workflows.

Process Operators

User and group accounts associated with the Process Operators group have all the permissions associated with the Process Operation and Process Viewing permission sets.

Process Operators interact mainly with the Operations Console to:

  • View processes and associated work items, including activity details, related events, and supporting analysis.

  • Manually trigger work items. For example, an HR manager can trigger a workflow to create a new account for a new employee.

  • Monitor and supply input to active work items.

  • Terminate work items.

Process Operators can also use the Configuration Console to view processes and workflow revisions.

Process Viewers

User and group accounts associated with the Process Viewers group have all the permissions associated with the Process Viewing permission set.

4.1.2 Understanding User and Group Synchronization

By default, Workflow Automation periodically checks AD and the SAM database for changes to imported user and group accounts. If Workflow Automation detects changes to the attributes it supports, it automatically synchronizes imported accounts with the updated attributes. Workflow Automation also retrieves the groups to which the imported user and group accounts belong in AD and the SAM database, which allows Workflow Automation to correctly handle permission assignments to parent groups.
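The following added example (not Workflow Automation code, and not the product's actual resolution algorithm) models how permission sets assigned to the default groups in section 4.1.1 reach an account through nested parent groups, so you can audit who ends up with Aegis Administration. The account names, the membership data, and the function names are constructed for illustration.

```python
from collections import deque

# Default group -> permission sets, as listed in section 4.1.1.
DEFAULT_GROUP_PERMISSION_SETS = {
    "Administrators": {"Aegis Administration"},
    # The page names no permission set for this group, only "all functions".
    "Aegis Administrators": {"(all Workflow Automation functions)"},
    "Aegis Managers": {"Aegis Management"},
    "Aegis Users": {"Resource Viewing"},
    "Process Authors": {"Process Authoring", "Process Operation", "Process Viewing"},
    "Process Operators": {"Process Operation", "Process Viewing"},
    "Process Viewers": {"Process Viewing"},
}

# Constructed sample: account or group -> groups it is a direct member of.
SAMPLE_MEMBER_OF = {
    r"CORP\jdoe": {r"CORP\HR-Automation"},
    r"CORP\HR-Automation": {"Process Operators", r"CORP\Server-Ops"},
    r"CORP\Server-Ops": {"Administrators", r"CORP\HR-Automation"},  # nesting loop
    r"CORP\asmith": {"Aegis Users"},
}

def effective_access(account, member_of=SAMPLE_MEMBER_OF):
    """Return {permission set: shortest membership path that grants it}."""
    granted = {}
    seen = {account}
    queue = deque([(account, [account])])
    while queue:
        name, path = queue.popleft()
        for perm in DEFAULT_GROUP_PERMISSION_SETS.get(name, ()):
            granted.setdefault(perm, path)  # breadth-first, so first hit is shortest
        for parent in sorted(member_of.get(name, ())):
            if parent not in seen:  # circular nesting is visited only once
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return granted

def accounts_with(permission_set, member_of=SAMPLE_MEMBER_OF):
    """List (account, membership path) pairs that hold a permission set."""
    hits = []
    for account in sorted(member_of):
        path = effective_access(account, member_of).get(permission_set)
        if path:
            hits.append((account, " -> ".join(path)))
    return hits
```

In the sample data, `CORP\jdoe` is a direct member only of an HR group, yet reaches the local Administrators group, and with it Aegis Administration, two levels up the nesting chain.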

To synchronize domain accounts, ensure the Aegis Namespace Provider service account has at least read privileges for the specified domain. If the service account does not have proper rights in the domain, Workflow Automation cannot synchronize attributes and parent groups for domain accounts, which prevents Workflow Automation from displaying the associated parent groups in the Configuration Console. For more information about the service account, see Understanding Workflow Automation Application Credentials. For more information about synchronizing user and group accounts in a one-way trust, see Trusted Domains.

NOTE:

  • If a user account’s group memberships change while the user is logged on to the Configuration Console, the user must log off and log back on to see the changes.

  • If a group account’s group memberships change while a member of the group is logged on to the Configuration Console, the user must log off and log back on to see the changes.

If you disable automatic synchronization, you must manually synchronize user and group accounts to import any changes.

To manually synchronize imported user and group accounts:

  1. In the Navigation pane, click Security.

  2. In the left pane, click one of the following:

    • Users

    • Groups

  3. In the view pane, select the account you want to synchronize.

  4. In the User Tasks or Group Tasks list, click Synchronize Now.

4.1.3 Importing Local Users

You can import local SAM user accounts from the SAM database on the computer where the Resource Management provider is running, typically the Workflow Automation Server computer.

To import local SAM user accounts:

  1. In the Navigation pane, click Security.

  2. In the left pane, click Users.

  3. In the User Tasks list, click Import Local Users.

  4. On the Import Local Users window, select the local users you want to import into Workflow Automation, and then click Import.

4.1.4 Importing Local Groups

You can import local SAM group accounts from the SAM database on the computer where the Resource Management provider is running, typically the Workflow Automation Server computer.

To import local SAM groups:

  1. In the Navigation pane, click Security.

  2. In the left pane, click Groups.

  3. In the Group Tasks list, click Import Local Groups.

  4. On the Import Local Groups window, select the local groups you want to import into Workflow Automation, and then click Import.

4.1.5 Creating a Workflow Automation Group

You can create internal Workflow Automation groups if there are no AD or SAM groups that suit your needs. Workflow Automation groups allow you to group users and groups without having to modify any AD or SAM settings.

To create a Workflow Automation group:

  1. In the Navigation pane, click Security.

  2. In the left pane, click Groups.

  3. In the Group Tasks list, click Create Aegis Group.

  4. On the General tab of the Create Aegis Group window, provide the appropriate information, and then click OK.