locked
Roles and WWF

    Question

  • I've read the articles that Microsoft have published about the new WWF. I saw only in the article by David Chappel a few words about this issue. In People 2 People Workflows one of the major concernes is how flexible is Role resolution and Role assignment works. Where can i get more info about how WWF is going to address this issue ?
    Friday, September 16, 2005 4:28 PM

Answers

  • Roles can be associated with all activities that interact with users via events or messages. The specific out-of-box activities that support Roles are: EventSink Activity and WebReceive Activity

    Check out Lab 10 in the Hand-on Lab at: http://www.microsoft.com/downloads/details.aspx?FamilyId=35238943-291F-4A37-BB8F-AC09B2E25B2F&displaylang=en

    thanks,

     Krishna

    Program Manager, WWF

    Friday, September 16, 2005 9:09 PM
  • Good questions! I will answer your questions by categorizing them:

    Extensibility/Management of Roles
    The Roles repository for WWF is designed to be pluggable so that it can used with existing or new Roles implementations. The way to do this is extend the WorkflowRole abstract class. The AspRoles sample illustrates how the SQL Role provider implementation  (in Whidbey) can be plugged into WWF workflow
    The management of Roles (creating Roles, adding and removing users) is upto to the implementation of each Role infrastructure provider and not something WWF provides explicit support or guidance.

    Active Directory support
    WWF has out-of-the-box support for ActiveDirectory Roles (aka Group). The ActiveDirectoryRole is the class that has support for resolving AD Roles and support for relationship Roles like Manager, DirectReports and Peers for a AD entity. ActiveDirectoryRoleFactory is the class for creating ActiveDirectoryRole objects (via constructor parameter of domain or email alias name)
    If the ActiveDirectory Role is composed of other Groups then all of them are expanded to check if the user is contained in them.
    Beta1 bits of WWF has the above support for AD Roles. There is sample for AD Roles in the Beta1 bits - it shows only the AD groups support.  The other aspects of AD Role support like GetManager, GetPeers and GetDirectReports are based on the information in the Active Directory. The APIs should be easy to use and should follow the other Roles samples. If you think it is necessary I can post a sample for relationship based Roles. 

    Runtime semantics of Role(s) association with EventSink/WebReceive Activity
    An event is associated with an user (via IIdentity parameter) by the host when raising an event. If this user is part of the Roles associated with the activity then the activity executes normally - else an WorkflowAuthorizationException is thrown which will need to be handled by the workflow logic.
    The WebReceive activity behaves in a similar way except the user is extracted from the HttpContext of the session.
    In short, the Roles associated with an activity control the execution of an activity and if an user is contained within the Role(s) the workflow progresses.

    I hope I have clarified all your issues. Let me know if you have any other questions or issues regarding Roles.

    thanks,
    Tuesday, September 20, 2005 6:50 AM

All replies

  • Roles can be associated with all activities that interact with users via events or messages. The specific out-of-box activities that support Roles are: EventSink Activity and WebReceive Activity

    Check out Lab 10 in the Hand-on Lab at: http://www.microsoft.com/downloads/details.aspx?FamilyId=35238943-291F-4A37-BB8F-AC09B2E25B2F&displaylang=en

    thanks,

     Krishna

    Program Manager, WWF

    Friday, September 16, 2005 9:09 PM
  • Thank you for your answering so promptly to my question.

    But nevertheless this addresses the question from a developer point of view, but from a Workflow/ Business Process designer it does not, from this person the question is where and how do i define roles, what is the Role repository ? is it in AD ? if it is in AD, a Role is a Group ? and how is an activity delivered (logically) to the User ? is it in pool mode, i.e., the first user that belongs to the bind AD Group/ Role is the one that gets the activity ? and how Group hierarchy in AD afects WWF Activity/ Role resolution ?

    I don't know if i was more clear in explaining what i've sense that is missing from the white papers, the developer point of view is well documented but the process designer point of view on Role resolution/ management is missing.....

    Thanks

     

     

    Monday, September 19, 2005 4:09 PM
  • Good questions! I will answer your questions by categorizing them:

    Extensibility/Management of Roles
    The Roles repository for WWF is designed to be pluggable so that it can used with existing or new Roles implementations. The way to do this is extend the WorkflowRole abstract class. The AspRoles sample illustrates how the SQL Role provider implementation  (in Whidbey) can be plugged into WWF workflow
    The management of Roles (creating Roles, adding and removing users) is upto to the implementation of each Role infrastructure provider and not something WWF provides explicit support or guidance.

    Active Directory support
    WWF has out-of-the-box support for ActiveDirectory Roles (aka Group). The ActiveDirectoryRole is the class that has support for resolving AD Roles and support for relationship Roles like Manager, DirectReports and Peers for a AD entity. ActiveDirectoryRoleFactory is the class for creating ActiveDirectoryRole objects (via constructor parameter of domain or email alias name)
    If the ActiveDirectory Role is composed of other Groups then all of them are expanded to check if the user is contained in them.
    Beta1 bits of WWF has the above support for AD Roles. There is sample for AD Roles in the Beta1 bits - it shows only the AD groups support.  The other aspects of AD Role support like GetManager, GetPeers and GetDirectReports are based on the information in the Active Directory. The APIs should be easy to use and should follow the other Roles samples. If you think it is necessary I can post a sample for relationship based Roles. 

    Runtime semantics of Role(s) association with EventSink/WebReceive Activity
    An event is associated with an user (via IIdentity parameter) by the host when raising an event. If this user is part of the Roles associated with the activity then the activity executes normally - else an WorkflowAuthorizationException is thrown which will need to be handled by the workflow logic.
    The WebReceive activity behaves in a similar way except the user is extracted from the HttpContext of the session.
    In short, the Roles associated with an activity control the execution of an activity and if an user is contained within the Role(s) the workflow progresses.

    I hope I have clarified all your issues. Let me know if you have any other questions or issues regarding Roles.

    thanks,
    Tuesday, September 20, 2005 6:50 AM
  • Hi,

    Once again i thank you for being so fast in answering, and this time so efectively Smile. Yes in fact my doubts are clarified, the extensibility of Roles is a good feature, it enables migration paths from other solutions reusing the role repository. The aspect of guidance, it's a petty that someone won't get trough with that issue because is quit important how role modeling is done and how a Role repository is to be organized to maximize role reuse and management, but one thing at a time.....is just good enough for now that Microsoft has embraced this project into windows foundation.

    For now i'm quit please with these anwser, later in time i will get back if i'll have more questions/ issues concerning this matter.

    Thank you once again,

    Vasco Marques
    Tuesday, September 20, 2005 3:18 PM
  • Hi Krishna

    Hey First i really appreciate if you post the sample (regarding AD ) here , secondly i used to work with what is knows as "Organizational Charts ", well just for a brief introduction see the figure below , what its shows a simple organizational hirearchy of IT firm . Some of the current workflow in the market already suport the Organizational chart , can you but light on this how to achieve this in optimal fashion in WWF .


                                                   CEO 
                                                     :
                                                     :
                                                   CTO   
                                                     :
                                                Dept Head
                                                      :
                                                  :      :
                                                 TL     TL
                                   




    Monday, October 03, 2005 6:47 AM
  • There is sample for AD Roles in the Beta1 bits - it shows only the AD groups support.  The other aspects of AD Role support like GetManager, GetPeers and GetDirectReports are based on the information in the Active Directory. The APIs are fairly straightforward but I can post a sample on this.

    As for the organization modeling question I would like to know your requirements. Are you looking for support in WWF to model/populate/manage hierarchical Roles or do you want support in WWF to write workflows that consume/program against hierarchical Role providers?
    Currently, we have support for the latter and I would consider the former beyond the scope of WWF. However maybe you can help me clarify what additional support you are looking for.
    Monday, October 03, 2005 4:39 PM
  • Krishna,

    In a related thread on this topic you mentioned

    "For example, an activity can be assigned to a Role at design time. At the runtime only the person who is in that Role can execute that activity."

    Do does this imply that WWF Roles are more like "access controls" for an activity?

    ...or can they be thought of as a way of dynamically (at run time) assigning an instance of an activity within a running workflow to a particular user?

    Michael Herman
    Parallelspace Corporation

    p.s. I'm at the MS conference center this week attending the MS workflow conference.
    Tuesday, October 04, 2005 3:55 PM
  • It is the former - Roles as a way of gating who can execute the activity.  However you can logically achieve the scenario mentioned (assigning the instance of an activity) by having a composite activity where one of the child activity has the logic of assigning (whatever it actually means in the context) to a user (who is part of that Role) .
    Tuesday, October 04, 2005 10:50 PM
  • So my initial comment (in another thread) that WWF doesn't have an intrinsic understanding of User or Person appears to be true.

    Hence, WWF has no intrinsic ability to assign an activity instance to a person or by extension, doesn't enable the creation of a task list listing all of the tasks a particular person needs to act on. 

    (Yes, these capabilities can be added with custom code and the destination user can be stored as an activity parameter, etc. -- the point is that there is no intrinsic support in WWF for assigning an activity instance to a person at design time or dynamically at run time.)

    This one of the key areas (the most basic areas?) where WWF ISVs will add critical enterprise business workflow capability.
    Tuesday, October 04, 2005 11:06 PM
  • Hi Krishna

    Well if you can post the sample here it will be really cool , anyways , ya actually organizational modeling is quite important ,well consuming them is quite straingt forward but the problem is that how should I tackle the existing organizational chart's present (ohh for an analogy you can think of organizational charts in Ultimus if you work on it Smile ) any ways its jsut like i had to create an organizational chart in which i had to populate them with users/Groups  from AD or any other source then use them in workflow .

    Actually i think its not directly related to WWF but you know some part of it might be anwswered i nthe context , any suggestions
    Wednesday, October 05, 2005 5:45 AM
  • To close on this thread, this was discussed here at the MS Workflow conference and roles are for "role authentication" ...and WWF doesn't have any intrinsic support for the assigning an activity to a user or person.  This is left to the hosted application to implement.  One approach, for example, is to add an AssignedTo parameter to the activity(ies) and have the application stuff a user account value into the parameter at design or run-time.
    Thursday, October 06, 2005 3:48 AM
  • Does this mean that in order to do branching on a Role, we need to define our own Role peoperty on the Workflow/State etc. and use that to determine the branching?
    Thursday, November 10, 2005 11:41 PM
  • Yes.  In order to do branching on a role you need to define a role property as you suggest.

    Regards,
    Pul

    Saturday, November 12, 2005 10:02 PM
  • Hello Krishna, I'm deriving the class WorkflowRole, and then using it in an EventSink. When the call to the method IncludesIdentity happens, the identity comes "" (empty). So my question is the next one:

    How can I set up the identity of the user who makes the call???


    Regards,
    M
    Thursday, December 01, 2005 9:11 PM
  • You have to set up the identity parameter in the Event being raised (in the host process). The identity will then flow to the activity. Can you please take a quick look in the Roles sample for WF Beta1 ( I assuming you have beta1 bits)

    Thanks. 
    Sunday, December 11, 2005 7:25 AM