Business process flows are everywhere these days. Every project I come across have business process flows implemented and why not? A great feature indeed.
However came across this very interesting question that one of my client administrators came up with regarding the security aspect of Business Process flows. The following describes the set-up for client CRM system.
- User A has security role A
- User B has security role B
- There are two business process flows created for the case entity. Process A has been targeted for Security Role A and Process B has been targeted for security role B.
- Both the users belong to the same business unit and their roles provide business unit level write access on the case entity.
User A went ahead and created a case record with Business Process A in place. However the expectation of our client was that since User B has security role B which do not have privilege on the process A, User B would not be able to modify or view Business Process A. However the truth is that User B would be able to modify the fields in the Business Process area of the case record and also move stages.
The reason for this is targeting Business Process flows for security does not prevent a user from accessing and modifying a process already applied to a record. The targeting in effect prevents switching of Business Process flows. If your security role is not targeted for a particular business process, this simply means that the user cannot switch to that process.
Hope this helps in case you are new to the Business Process flows and designing security for the same!