London Dev Meetup Rescheduled! Due to unavoidable reasons, the event has been moved to 21st May. Speakers remain the same—any changes will be communicated. Seats are limited—register here to secure your spot!

AI OnAI Off

Workflows and virtual roles

Vote:
 

CMS newbie playing with workflows and all of that involves here, and through this example scenario, I would like to know if I am using the system as intended and/or have a wrong understanding of how roles, memberships, access rights, etc., work within the EPiServer context (or in general).

I have this setup:

  • a sequential approval workflow that is triggered by the PageCheckedIn event
  • the approver is a mapped role (i.e. a virtual role), "PublishApprovers", that maps to the WebEditors role (which is also a group? Still getting used to the terminology)
  • the virtual role has permission to publish all pages.

When I hit the "Ready to Publish" button for a page, I observed that the workflow was not triggered. When I tried to start the workflow manually, I get the following error message: "User PublishApprovers, has not read or publish access for New Page".

After digging through the code a bit, it seems like a significant point of failure is when the mapped virtual role provider checks the following:

// IPrincipal principal = the virtual role as a System.Security.Principal.GenericPrincipal instance
// role = "WebEditors", which is the only role that the MappedRole maps to in the "roles" attribute in web.config in my example
principal.IsInRole(role)

The IsInRole method evaluates to false. Question 1: Does this look like THE reason why my virtual role is not recognized as having publish rights and thus failing to start my workflow?

Taking cues from this thread, I created a group in the Admin view called "PublishApprovers" (to match the virtual role name). I did not make any other changes, such as assigning users to this new group. I check in another page, and the workflow now is triggered as usual (and can successfully be started manually)*.

I could stop here and say that this is the "fix", but I am not 100% sure that this method is the "right" thing to do, primarily because I am having trouble reconciling "virtual" roles with having to create an actual, matching group in the database in order for things to work properly. Some questions:

  • Is this the "right" way to use the system? Is it an "OK" way?
  • Are there any concepts, terms, etc., that I am not understanding in the right way?

* I also observed that 

principal.IsInRole(role)

is never evaluated with the virtual role as a GenericPrincipal during the workflow start process.

#122791
Jun 13, 2015 4:01
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.