How to manage the new workflow permissions

To help you fine tune workflow management, Collibra version 2024.05 introduces two new global permissions that are designed to give you more control over who in your environments can use workflows. This allows administrators to restrict the ability of users to trigger workflows, which incurs a cost for the organization.

The new workflow permissions require administrator action to maintain existing user functionality. Users who leverage workflows must be assigned to a role that has the Start workflow permission, the Participate in workflow permission, or both based on their needs.

Permission Description Required license type** New license type
Start workflow
  • Only users that have a role with this permission can start a workflow.
  • Users that do not have a role with this permission can not see any global or resource workflows in Collibra.
  • Users that have a global role with the Workflow Administration or System administration permission do not require this permission explicitly.
  • Workflows triggered by an event, another workflow, or a cron expression do not require this permission.
Read-only

Contributor

Participate in workflow
  • Only users that have a role with this permission can be assigned a workflow user task.
  • If a task is assigned to a role or group, only members that have a role with this permission get the new task assigned and not any other members.*
  • If a task cannot be assigned to any user because they do not have a role with this permission, the workflow generates an error and cannot start or progress.
  • Users that have a global role with the Workflow Administration or System administration permission do not require this permission explicitly.
Read-only

Contributor

* The out-of-the-box Voting Sub-Process creates a separate voting task for each of the participants. If any of the participants do not have a role with the Participate in workflow permission, the process fails, without creating any voting task. If you are using the Approval Process, Simple Approval, the Issue Management workflow, or a custom workflow that calls the Voting Sub-Process, either ensure that all the voting participants have a role with the Participate in workflow permission or download version 2024.05 or newer of the Voting Sub-Process.

** When a user that does not consume a Standard license participates in or starts a workflow, they retain their Read-only license but are counted against a Standard license for the current calendar month. This number is then reset at the start of the following calendar month.

Users without the Start workflows permission might not be able to see the Plus icon global create button anymore.

To take full advantage of the new permissions, add them just to the roles that require them.

A good starting point for this analysis is the Latest Workflow Participation column of the Users table. You can add the column to see the data in Collibra or you can download a CSV file for greater sorting flexibility:

  1. On the main toolbar, click Products icon, and then click Cogwheel icon Settings.
    The Collibra settings page opens.
  2. Click Users.
    The user table appears.
  3. Above the table, to the right, click Export icon.

    The Export users activity starts.

  4. When the Export users activity is finished, you can download the CSV file:
  5. On the main toolbar, click Activity iconShow more.

    Your profile page opens on the Activities tab page.

    1. In the Results column of the Export users activity, click Results.

      Depending on your browser and browser settings, the files are downloaded to a default location or a dialog box appears to specify the location for the downloads.

By analyzing how users participate in workflows and the global roles of their groups, you can identify which global roles need the new workflow permissions in your organization.

Setup for keeping current functionality

To keep the current functionality as it is and allow all users to start and participate in workflows:

  1. Create a new global role, for example Workflow user:
    1. On the main toolbar, click Products icon, and then click Cogwheel icon Settings.
      The Collibra settings page opens.
    2. Click Roles and Permissions.
      The roles and permissions settings appear on the Global Roles tab page.
    3. Above the table, to the right, click Add.
      The Create Roles dialog box appears.
    4. Enter one or more role names.
    5. Click Submit.
  2. Assign the Start workflow and Participate in workflow global permissions to the new global role:
    1. On the main toolbar, click Products icon, and then click Cogwheel icon Settings.
      The Collibra settings page opens.
    2. Click Roles and Permissions.
      The roles and permissions settings appear on the Global Roles tab page.
    3. In the tab pane, click Global Permissions.
      The matrix of global permissions and roles appears.
    4. If required, add or remove columns:
      • On the content toolbar, click Legend icon and select or clear the role checkboxes.
    5. Above the table, to the right, click Edit.

      You can now edit the matrix of permissions and roles.

    6. Select or clear the checkboxes for a role to add or remove permissions.
    7. Above the table, to the right, click Save.
  3. Add the Everyone group as a member of the Workflow user role:
    1. On the main toolbar, click Products icon, and then click Cogwheel icon Settings.
      The Collibra settings page opens.
    2. Click Roles and Permissions.
      The roles and permissions settings appear on the Global Roles tab page.
    3. Hover over the name of the role you want to manage and click Preview.

      The Members sidebar appears.

    4. Click Add Member.

      The Add Member dialog box appears.

    5. Select one or more users or user groups and click Add Member.