Workflow Reserved Actions

Description of reserved states and actions that can be defined in a workflow definition.

Workflow Management Workflow Library

Table of Contents

  1. Introduction
  2. Generic Reserved Actions
  3. Service-Specific Reserved Actions
  4. Contract-Specific Reserved Actions

Introduction

The Policy Manager Workflow Library includes a Reserved Actions that are arbitrary states and actions that can be defined in a Workflow Definition. The following reserved actions have special meaning to be interpreted by Policy Manager's Workflow Engine. All Reserved Actions have @ as prefix. A reference to a Workbench Object means the service or contract under the control of a Workflow Instance.

Note: Policy Workflow does not include policy-specific actions.

Generic Reserved Actions

Action Name Description

@read

This reserved action is used to specify additional set of users who can read the workbench objects.
  • By default, any Administrator who can perform any non-reserved Workflow action automatically has permission to read the underlying object.
  • In some cases, an Administrator may want to allow other users who cannot directly invoke Workflow actions to have the read-only access to the underlying objects. This can be achieved using the @read action.
  • The @read action will never be invoked by Workflow Engine; only the restriction rules defined in it will be evaluated to decide whether the caller has the read permission to the object.

The following rules are used to decide if a specific user can read a Workflow object at any moment:

  • If a user has permission to invoke any non-reserved actions under current Workflow state, the user can read the content of the Workflow object.
  • Otherwise, if the current state of the Workflow instance has a read action and the user has permission to invoke it, the user can read the content of the Workflow object.

In summary, the reserved @read action provides a mechanism for Administrators to grant a set of users the ability to track/monitor the progress of the Workflow object without allowing those users the ability to influence the Workflow process.

@modify

This reserved action is used to specify who can modify the Workflow document. Similar to @read, @modify will never be directly invoked by the Workflow Engine—only the restriction rules defined in it will be evaluated.

The following rules are used to decide if a specific user can modify a Workflow object:

  • If a user does not have permission to invoke any non-reserved action of the current Workflow state, he cannot modify the content of the Workflow object.
  • Otherwise, if the current Workflow state has an @modify action and the user can invoke it, he can modify the content of the Workflow object.

Customers can use the @modify action to restrict the rights of modifying the Workbench objects to only a subset of Workflow participants. For example:

  • If a Workflow state does not have an @modify action, then this object is read-only in this state.
  • If a Workflow state has an @modify action with no restriction rules, then whoever has the permission to invoke any non-reserved Workflow action can modify the content of the Workflow object.
  • If a Workflow state has an @modify action with an authorizeByRole restriction against developer, then only developer can modify the content of workbench objects.
@reset

This reserved initial action is invoked when a new version of a Workflow definition is uploaded and user has selected to reset all the active Workflow instances associated with that Workflow definition. Users can use this action to reset the object to the proper initialized state.

Note that only users with System Administrator role can modify a Workflow definition, thus the caller of the @reset action may not be normal business users. In general, a Workflow definition should not put restriction on the caller of the @reset action and should not set the caller of the @reset action as the owner of the Workflow.

back to top

Service-Specific Reserved Actions

Action Name Description

@create

This reserved initial action is invoked when a new service is created. Multiple @create actions can be defined.

@discover

This reserved initial action is invoked when a new service is discovered. Since service is always discovered automatically by Policy Manager, the user who invokes the @discover action is always Policy Manager instead of normal business users.

In general, a Workflow definition should not put a restriction on the caller of the @discover action and should not set the caller of @discover action as the owner of the Workflow.

@updateInterface The @updateInterface action identifies the ability to change the schemas, portTypes, or bindings of a service.
@updateBinding The @updateBinding action identifies the ability to change the bindings of a service.

back to top

Contract-Specific Reserved Actions

Action Name Description
@CreateOffer This reserved initial action is invoked when a new offer is created. Multiple @CreateOffer actions can be defined.
@CreateRequest This reserved initial action is invoked when a new request is created. Multiple @CreateRequest actions can be defined.

back to top