< class="prominent-subhead ">

Only use security groups when assigning user rights

This article has been archived, and/or refers to legacy products, components or features. The content in this article is offered "as is" and will no longer be updated. Archived content is provided for reference purposes only. This content does not infer that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.


Note: This article applies to the K2 blackpearl (4.8210.3.0) | K2 blackpearl (4.8210.450) release and will be repaired in a future release.

When the setting OnlyUseSecurityGroups is set to TRUE existing processes that have non security groups with process rights or as destination users will work in the following way for destination users:
  1. When resolving roles/groups to users, this option functions as per normal with a non Security group
  2. When the option for slot per role/group is selected, users in the group will not get a worklist item and if there is a distribution group nested inside a security group when the security group is assigned as destination the users in the distribution group will not receive a worklist item


If at design time the setting OnlyUseSecurityGroups is set to TRUE, this will ensure that at runtime only members of security groups will be resolved. However, distribution groups would still have surfaced at design time while assigning user rights for the process.

This creates the potential problem for new processes and existing processes that may have users from Distribution groups assigned as destination users, or where Distribution groups are added because they have surfaced during a search. If the setting OnlyUseSecurityGroups is set to TRUE users from non security groups will not resolve at runtime.

A notice of caution, for when the setting OnlyUseSecurityGroups is applied. If there are existing process instances active and non security groups are included, the users in the group will not be able to Start, Action, Participate or redirect a worklist item.


If the setting OnlyUseSecurityGroups is set to TRUE, then the following should be done:
  • Processes that have non security groups as destination users must be redeployed once the non security groups have been replaced with security groups
  • Distribution groups should be removed from any type of rights assignment, ie Process Rights, Server Rights, Action Rights etc. Distribution groups should never be given rights

To set the OnlyUseSecurityGroups:

  • Browse to SQL Management Studio -> Databases -> K2HostServer -> Tables -> SecurityLabels.
  • Right-click and select Script Table as > SELECT To > New Query Editor window.
  • Run the Query.
  • For the K2 label, click on the “hyperlinked” XML for the RoleInit column.
  • Modify the XML to OnlyUseSecurityGroups=True.
  • Create an update script as shown below:
    RoleInit = ‘[paste modified roleinit xml here]
    SecurityLabelName = ‘K2’
  • Execute script against K2HostServer database.