Im confused by Process Model security for Initiator. From Appian Docs below, Ini

... X           X
          

@greggl Hi, could you please exactly elaborate on 'I want to View the process model but not be an Initiator of the process via actions.'? My understanding is that users should know (i.e. able to view) the Actions available, but they shouldn't be able to initiate it, please correct me if I am wrong.

Thanks for responding. I mean I want some users to be able to view the data of a process instance, via the Records, Reports, News, etc., I grant them access to via groups; but not have rights to initiate the process. If process model Viewers also have Initiator rights, how do you create viewers you don't want to have initiator rights? Users with Viewers process model rights can currently see the Action and execute the Action and Initiate the process. This is supported by the docs, which leaves me wondering how to allow users to view the process model data and not be able to initiate the model?

I answered my own question. They don't need to be Viewers of the Process Model at all. As long as they can view the Records, Data Store, News Feed, etc., they will see the Process Model process instances data without any rights to the Process Model.

@greggl As per my knowledge, I would like to add few more points to you understanding as follows:

The users whom you are expecting to see the process instances should have 'Viewer' access to the process instance if they aren't given the Process model security. So you should probably think of a mechanism where the users to whom you are expecting to view the instance data (after initiation by other groups) should be added to Process instance's security role map dynamically(by making use of 'Modify Process Security Smart Service'.) .

There is not an easier way? If what you are saying is true, than shouldn't there be a role on the process model security to grant users View rights but Not Initiator rights?

@greggl True, unfortunately there isn't such possibility AFAIK.

But I guess still there are few ways as follows for accomplishing your requirement:

1. Implementation of Modify Process Security Smart Service and adding the roles dynamically after the initiation. This isn't a tedious task, as it's just one node configuration.

2. Add the desired groups (People who are and aren't able to initiate) as 'Viewers' to the security role map of Process Model. But wrap the process models in the 'Application' object and expose the 'Application' only to the groups who should be able to initiate the 'Action'. This way, there wouldn't be a need to implement dynamic security using 'Modify Process Security Smart Service' and also the 'Application' takes care of exposing the 'Actions' to right set of groups, thereby providing the initiation capability to the desired groups.

In either of the ways, you should be doing some background work in order to expose the initiation of 'Action' only to few groups but to expose the instance's data to other groups.

@greggl Also it would be worth to give thoughts over the things being discussed above, ONLY IF you are trying to query and surface the process analytics to users who actually are not a part of the Viewers in the process instance's security role map.