Process Model

RE: Process Model

davel001150 — Thu, 19 May 2022 17:29:12 GMT

Yep, I would say in general rule of thumb is to use user credentials as much as possible. If it absolutely cannot possibly work unless you set it to run as whoever designed this PM, then you may use that feature.

You have the potential to allow for vertical privilege escalation attacks if you abuse it or utilize it too much.

RE: Process Model

Stefan Helzle — Thu, 19 May 2022 16:20:53 GMT

Adding to this, I recommend to try to not use this configuration except of very rare cases. The reason is, that the process model is typically deployed to the production environment by a technical user which is of type system admin.

When you now configure a node to run in the designer context, you basically run this node with unlimited permissions.

Use this only for nodes which explicitly need that, like Create Group.

RE: Process Model

davel001150 — Thu, 19 May 2022 15:38:26 GMT

1. You're taking essentially no effort to not show this is an interview or test question.

When you run as whoever started this Process, you're using your own credentials. So if the user who clicked the action or related action, or however the process got started can't do the particular thing, it can't be done. This enforces security and is good in some situations. However, you'll find that users frequently aren't allowed to do much at all; security can be very, very tight. Run as whoever designed this process model let's you do a lot more if the person who designed the process model was a System Administrator, for instance. In the cases where you need to, you still define security by defining who can start the process model.