If at design time the setting OnlyUseSecurityGroups
is set to TRUE
, this will ensure that at runtime only members of security groups will be resolved. However, distribution groups would still have surfaced at design time while assigning user rights for the process.
This creates the potential problem for new processes and existing processes that may have users from Distribution groups assigned as destination users, or where Distribution groups are added because they have surfaced during a search. If the setting OnlyUseSecurityGroups
is set to TRUE
users from non security groups will not resolve at runtime.
A notice of caution, for when the setting OnlyUseSecurityGroups
is applied. If there are existing process instances active and non security groups are included, the users in the group will not be able to Start, Action, Participate or redirect a worklist item.
If the setting OnlyUseSecurityGroups is set to TRUE, then the following should be done:
- Processes that have non security groups as destination users must be redeployed once the non security groups have been replaced with security groups
- Distribution groups should be removed from any type of rights assignment, ie Process Rights, Server Rights, Action Rights etc. Distribution groups should never be given rights
To set the OnlyUseSecurityGroups:
- Browse to SQL Management Studio -> Databases -> K2HostServer -> Tables -> SecurityLabels.
- Right-click and select Script Table as > SELECT To > New Query Editor window.
- Run the Query.
- For the K2 label, click on the “hyperlinked” XML for the RoleInit column.
- Modify the XML to OnlyUseSecurityGroups=True.
- Create an update script as shown below:
RoleInit = ‘[paste modified roleinit xml here]’
SecurityLabelName = ‘K2’
- Execute script against K2HostServer database.