Enabling OnDemand Workflows to be run by specific users

Business Problem
 
Certain processes must only be run by specific users. For example, only a finance person can run the payment process on-demand workflow that updates a record status to Paid.
 
Solution
 
The workflow scope relates to the security role privilege on workflows. If a user has organisation view of workflows, they will be able to see all on-demand workflows. If the user has business unit view, they will be able to see all on-demand workflows that have been created by users within their business unit. If the user has user view, they will only see on-demand workflows that they created or that have been shared with them.
 
So enabling some people to see on-demand workflows while hiding them from others requires adjusting both the user privileges and the workflow scope.
 
One way of doing this is to give the majority of roles only user read access to workflows and then set all on-demand workflows to user scope. Each on-demand workflow that specific users need to run is then shared either directly with those users or with a team. Using teams enables you to add and remove users without updating the sharing rights of each and every workflow.
 
Alternatively, if you are using a business unit structure, you could use business unit level read access and business unit workflow scope, and then only people in that business unit will see the specific on-demand workflows.
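The visibility rules above, modelled as an added example (this is not code from CRM or from the original post) so a planned role and sharing design can be checked before it is configured. The user names, team names and workflow names are constructed, and treating a share as granting visibility at any read level is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Read-access depth on Workflow held through the user's security role.
USER, BUSINESS_UNIT, ORGANISATION = "user", "business_unit", "organisation"

@dataclass
class User:
    name: str
    business_unit: str
    workflow_read: Optional[str]      # None = no read access to Workflow
    teams: set = field(default_factory=set)

@dataclass
class Workflow:
    name: str
    owner: User
    shared_with: set = field(default_factory=set)  # user names or team names

def can_see(user, wf):
    """Return True if the on-demand workflow is visible to the user."""
    if user.workflow_read is None:
        return False
    if user.workflow_read == ORGANISATION:
        return True
    if (user.workflow_read == BUSINESS_UNIT
            and user.business_unit == wf.owner.business_unit):
        return True
    # Remaining cases: the user's own workflows, or workflows shared with
    # the user directly or through one of the user's teams (assumption:
    # a share counts at any read level).
    if wf.owner.name == user.name:
        return True
    return bool(({user.name} | user.teams) & wf.shared_with)

def visible_workflows(user, workflows):
    return sorted(wf.name for wf in workflows if can_see(user, wf))

# Constructed sample: roles get user-level read, workflows are user scope,
# and each workflow is shared with a hypothetical team.
admin = User("admin", "HQ", ORGANISATION)
fiona = User("fiona", "HQ", USER, teams={"Finance"})
sam = User("sam", "HQ", USER, teams={"Sales"})
WORKFLOWS = [
    Workflow("Mark as Paid", admin, shared_with={"Finance"}),
    Workflow("Qualify Lead", admin, shared_with={"Sales"}),
]

if __name__ == "__main__":
    for u in (admin, fiona, sam):
        print(u.name, visible_workflows(u, WORKFLOWS))
```

Moving a user between teams changes the result without touching any workflow's sharing, which is the maintenance benefit of sharing with teams.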
 

Workflow Security and Workflow Scope Overview

Workflow Related Security Roles – Customisation Tab
 
  • Minimum user security rights to run workflows
    • To execute workflows the user must have, at minimum, the "Execute Workflow Job" privilege
    • No other rights are required
  • To see the workflow view
    • To see the workflow associated view within entities the user must have at minimum user read access to "System Jobs"
  • To create or run on-demand workflows
    • To run on-demand workflows the user must have at minimum user read access to "Workflow"
    • To create workflows the user must have at minimum user read, write and create access to "Workflow"

Expanding the visibility of system jobs and workflows then enables the user to view more records via system jobs and to create workflows across the organisation.

Workflow Scope

The workflow scope within a workflow record defines who can access the workflow and, depending on the trigger, the associated security role that is required:

  • If the trigger point for the workflow is anything but OnDemand, then the workflow scope determines when the workflow will run, based on the current user's position within the business unit hierarchy
    • If it is set to Organisation then the workflow will be run for all users that can execute workflows when the trigger is met
    • If it is set to a business unit scope then it will run if the user is within the business unit of the user who owns the workflow
    • If it is set to user then only the owner of the workflow will trigger the workflow
  • If the trigger point is OnDemand, then the workflow scope is directly related to the current user's workflow read rights on their security record
    • If it is set to Organisation then the workflow will be selectable via run workflow for all users that have organisation read access to workflow
    • If it is set to business unit scope then it will be selectable via run workflow if the user is within the business unit of the user who owns the workflow
    • If it is set to user then only the owner of the workflow will be able to run via the run workflow option

Hope this clears up the workflow visibility settings!