In my last blog post, I explained how to give permanent access to a document using a shortcut (a.k.a. live proxy). But what if you simply want to delegate temporary access, and keep control over who you will give access to? Then you can also use a workflow.

2 matches in 1 file

Searching 20438 files for "/blog/meet-team-frederic-vadon/" (regex)

Giving Temporary Access


In a workflow, temporary rights can be granted when you assign a task on a document. The goal is normally to let users achieve some work on a restricted document. In this example we will be taking advantage of this possibility.

The workflow initiator will first select users he wants to delegate access to, and for what duration. Then, we will assign the selected users a task, thereby granting them temporary access. Of course this task is merely created for technical reasons. We won't ask the users to actually achieve something, but we will still display them a "revoke" button. Clicking this button will end the task and the workflow, removing their access during the process.

For security reasons, we will also assign a task to the workflow initiator. The goal is to let him review who he gave access to, and eventually revoke their access by clicking on a button. Finally, an escalation rule will be added. Past the specified duration, this rule will apply automatically and end the workflow.

To build this workflow, we will make use of Nuxeo Studio. Reminder: you can try Nuxeo Studio for free!

The final result looks like this:
Temporary Access Workflow - Final Graph
And here is the step by step method to achieve it.

Create Your Workflow


  1. In Nuxeo Studio, create a new workflow and name it.

  2. In the variables tab, create the following variables:


    1. days (Integer). This will store the access duration.

    2. delegates (String, multivalued). This will store the chosen users list.




Temporary access workflow variables

Start Designing Your Graph


  1. In the graph tab, drag a start node and a simple node from the node library on the left.

  2. Link them together.

  3. Save your work.

Configure User Selection


  1. Hover your mouse on the simple node and edit it.

  2. In the general tab, fill in the information as following:
    Temporary access workflow - User selection general tab

  3. In the form tab, select var_yourWorkflowId in the dropdown list on the right.

  4. Drag and drop the delegates and the days variables.

  5. You can set the properties as in the captures below.
    Days Widget Delegates Widget

  6. The user will need buttons as well, to cancel or confirm his choice. Scroll down to add them, then fill in their id and label:
    User Selection Buttons

  7. Now save your work. Reminder: you need to save the node's properties and the workflow when you are back in your graph tab!

Update Your Graph


If the user confirms his choice, then we will create two tasks:


  • For the selected users, to grant them access and let them revoke it, and

  • For the workflow initiator to revoke the users' access.


Let's update our workflow to reflect that.


  1. Drag and drop a stop node.

  2. Link the cancel transition to it. Now if the user clicks on cancel, it will end the workflow.

  3. Drag a fork 2 ways node.

  4. Link the confirm transition to it.

  5. Edit it, and go to its transitions tab. Rename the transitions with users_revocation and initiator_revocation for better clarity.
    Fork Transitions

  6. Drag a multiple tasks node. Link it to the users_revocation transition.

  7. Drag a simple task node. Link it to the initiator_revocation transition.


Good! Now your graph should look like this:
Graph Before Revocation Config
On to the next step.

Configure Workflow Initiator Revocation


The workflow initiator should be able to know who he granted access to and for how long. Also, he should be able to revoke their access if necessary. That's the purpose of the task we created for him. Let's get it done.


  1. Edit the simple task node linked to the initiator_revocation transition.

  2. In the general tab, configure it as following:
    Initiator Revocation General 1 Initiator Revocation General 2
    Note that the due date expression matches the date after which access will be removed automatically. This is meant to display in the task how long access is delegated.

  3. In the form tab, we will display the selected users. Drag and drop them, and make sure they are shown as read only.
    Initiator Revocation Form 1 Initiator Revocation Form 2

  4. Don't forget to add a revoke button!
    Revoke Button

  5. Save your work (both the node and the workflow) and proceed with the next task.

Users Revocation Configuration


  1. Edit the multiple tasks node linked to the users_revocation transition.

  2. Setup your general tab as following:
    User Revocation General 1 User Revocation General 2
    It is extremely important to fill in the grant permission to task assignees field here. This will determine which access you want to give to the chosen users. In this case, I am giving Read access, but you could choose to give Write access or any other possibility. Note that the same right will be given to all chosen users.

  3. Make sure to copy the node id, as you will need it later.
    Node Id

  4. We will take this opportunity to replace the default button and transition provided by this node as well.


    1. In the form tab, add a revoke button, and remove the default approve button.
      Remove Approve Button

    2. In the transitions tab, remove the approve transition.
      Remove Approve Transition




Note that this is a multiple tasks node. To end the task and revoke access, all users with delegated access need to click on the revoke button. That's why we will setup an escalation rule in order to remove access automatically past a certain date.

Setup automated access removal


  1. While you are still in this multiple tasks node, head to the escalation rules tab. Configure it as following:
    Escalation Rules Definition Escalation Rules Condition

  2. The escalation rule will now launch a chain past the specified date. Which chain, you ask? Well, we didn't add it yet. Click on the create button on the right side of the screen and name it.

  3. Your chain should be composed of the following operations and parameters:


    1. Fetch > Context document(s)

    2. Workflow Context > Get open tasks


      1. nodeId: paste the node id you took from the general tab earlier.

      2. processId: @{Context["workflowInstanceId"]} This one can be inserted easily using the dropdown list in the editor.



    3. Workflow Context > Complete task



  4. Save your chain. One last detail remains and you will be all set.

Finalize your graph


  1. Go back to your workflow.

  2. In the graph tab, drag two stop nodes. Link your tasks to them. Your workflow should now look like this:
    Temporary Access Workflow - Final Graph

  3. Save your work.


There you go! This example is very generic but you can adapt it to your needs and improve it. Let us know in the comments or in answers if you want more details about it.

Enhanced by Zemanta