On Demand Workflows and Security Roles

If you have access to an “on demand” workflow in Dynamics CRM (4.0 on-premise, or Online), you can run it for one or more records from a grid, or for one record at a time from a record’s form.  But the question of who has access to a particular on demand workflows is a little trickier than you might at first think. Plus, it’s easy to misunderstand the important differences between on demand workflows and automatic workflows.  

Here’s a summary of the main issues around on demand workflows, followed by a freshly uploaded YouTube video in glorious HD format.

What does this mean for a user who wants to run one? Here are three examples:

• If your security role has user level access to read workflows, this means you will only have access to (and be able to run) on demand workflows that you are the owner of, OR that have been shared with you.
• If your security role has business-unit level access to read workflows, you will be able to run on demand workflows that you own, OR that are owned by any other user in the same business unit. (or that have been shared to you or anybody in your business unit)
• If your security role has organization level access to read workflows, you will be able to run an on demand workflow owned by anybody in your CRM organization.

I know from experience that it can take a while to develop intuition about the Dynamics CRM security model, but here are three commonly used built-in security roles and what each one grants in terms of workflow access. I think it kind of makes sense — see what you think:

• The Salesperson security role only has user-level access for the read privilege on workflows. Somebody in this role will only see on demand workflows they own themselves.
• The Sales Manager security role has business unit access to read workflows. Somebody in this role will be able to keep track of what everybody else in their business unit is up to (at least in terms of what on demand workflows they’re making) because they will see and be able to run any on demand workflows owned or shared to anybody in their business unit. Generally speaking, this is the case for the other “manager” security roles as well. 
• The CEO/Business Manager security role has organization level access to read workflows. This makes sense, since this security role has the highest level of privileges of any security role apart from the System Administrator role. So the “CEO” will be able to keep track of what everybody in the organization is doing, since they will be able to see and run anybody’s on demand workflows.

 As for a pithy summary, how about this:

The access you have to on demand workflows is determined mainly by your security role: if you’ve got user-level access, you only see your own; if organization-level, you see them all. The “exception” to this is if you’ve got business unit access: in this case, as long as the workflow owner is assigned to your business unit, you will have access to their on demand workflows as well.

Finally, two more important points on the subject:

1. The previous issues have to do with whether you can run an on demand workflow. Whether it will run sucessfully is a different story: an on demand workflow runs in the security context of the user running it, so if you try to run one that does something you don’t have privileges for, it will break. This is different from automatic workflows, and I’ll go into details on that in a separate article. 

2. Another way automatic workflows are different is that it’s the scope property of the workflow — not the security role of the user who runs it — that determines who within an organization will trigger one.

OK…so much for pithy. Anyway, enjoy the video, and watch it at 720 for best results: