Workflows and virtual roles

CMS newbie here, playing with workflows and all that that involves. Through this example scenario, I would like to know if I am using the system as intended and/or have a wrong understanding of how roles, memberships, access rights, etc., work within the EPiServer context (or in general).

I have this setup:

  • a sequential approval workflow that is triggered by the PageCheckedIn event
  • the approver is a mapped role (i.e. a virtual role), "PublishApprovers", that maps to the WebEditors role (which is also a group? Still getting used to the terminology)
  • the virtual role has permission to publish all pages.

When I hit the "Ready to Publish" button for a page, I observed that the workflow was not triggered. When I tried to start the workflow manually, I got the following error message: "User PublishApprovers, has not read or publish access for New Page".

After digging through the code a bit, it seems like a significant point of failure is when the mapped virtual role provider checks the following:

// IPrincipal principal = the virtual role as a System.Security.Principal.GenericPrincipal instance
// role = "WebEditors", which is the only role that the MappedRole maps to in the "roles" attribute in web.config in my example
principal.IsInRole(role)

The IsInRole method evaluates to false. Question 1: Does this look like THE reason why my virtual role is not recognized as having publish rights and thus failing to start my workflow?

Taking cues from this thread, I created a group in the Admin view called "PublishApprovers" (to match the virtual role name). I did not make any other changes, such as assigning users to this new group. I checked in another page, and the workflow is now triggered as usual (and can successfully be started manually)*.

I could stop here and say that this is the "fix", but I am not 100% sure that this method is the "right" thing to do, primarily because I am having trouble reconciling "virtual" roles with having to create an actual, matching group in the database in order for things to work properly. Some questions:

  • Is this the "right" way to use the system? Is it an "OK" way?
  • Are there any concepts, terms, etc., that I am not understanding in the right way?

* I also observed that 

principal.IsInRole(role)

is never evaluated with the virtual role as a GenericPrincipal during the workflow start process.

#122791
Jun 13, 2015 4:01
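
The check quoted in the post, modelled with plain System.Security.Principal types. This is an added illustration, not code from the original post or from EPiServer; the MappedRoleModel class and the user name "alice" are hypothetical. It shows that a GenericPrincipal built from a role name carries no role memberships of its own, so a mapped-role test against it fails, while the same test passes for a user who holds the mapped role.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Hypothetical stand-in for a mapped role: a name plus the roles it maps to
// (the "roles" attribute in web.config in the post's setup).
sealed class MappedRoleModel
{
    public string Name { get; }
    private readonly string[] _roles;

    public MappedRoleModel(string name, params string[] roles)
    {
        Name = name;
        _roles = roles;
    }

    // True when the principal holds at least one of the mapped roles.
    public bool IsInVirtualRole(IPrincipal principal) =>
        _roles.Any(principal.IsInRole);
}

static class Program
{
    static void Main()
    {
        var publishApprovers = new MappedRoleModel("PublishApprovers", "WebEditors");

        // Constructed sample: an actual user who is a member of WebEditors.
        IPrincipal user = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "WebEditors" });

        // Constructed sample: the role name itself wrapped as a principal.
        // GenericPrincipal.IsInRole only consults the role array passed to
        // its constructor, so this principal is in no roles at all.
        IPrincipal roleAsPrincipal = new GenericPrincipal(
            new GenericIdentity("PublishApprovers"), new string[0]);

        Console.WriteLine("user in PublishApprovers: "
            + publishApprovers.IsInVirtualRole(user));
        Console.WriteLine("role-as-principal in PublishApprovers: "
            + publishApprovers.IsInVirtualRole(roleAsPrincipal));
    }
}
```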