Automatic Workflows, Security and Scope

Automatic workflows are a whole nother story, as my sister would say. For one thing, since they’re automatic, it’s not so much if you CAN run them…it’s whether you WILL run them by performing one of the triggering events they’re written for (a new record is created, status value changes, etc.). And whether you will trigger one is determined primarily by the “Scope” setting of the workflow:

• If an automatic workflow has its scope set to “User”, it will only run for its owner.
• If its scope is “Business Unit”, it will run for its owner PLUS any other users within the same business unit.
• If its scope is “Organization”, it will run for everybody in the organization.

But security roles are still important for automatic workflows, since these things run “in the security context” of the workflow owner. One way to think about this is that it limits the potential damage an automatic workflow can cause! For example, suppose a sales manager (by default, with “business unit” level privileges on lots of records) creates an automatic workflow and gives it a scope of “organization”. That might seem dangerous, since it will run for anybody in the organization. On the other hand, since the workflow runs with the sales manager’s security, any restrictions her security role places on her will also be placed on whoever runs the workflow!  

I think this is one of those topics, the more I explain it with words the LESS people understand it. Here’s a video that does a good job of ’splaining it. Let me know what you think: