Workflow Security Modes

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

When your action table includes scripts and Component Object Model (COM) objects that run on your server, workflow security becomes an issue. You can prevent workflow applications from disrupting your server by using workflow security modes. You can use security modes to differentiate between trusted and non-trusted developers and provide users the most flexibility within appropriate limitations.

The security mode is a property of the ProcessDefinition, which you set at design time. You can set the Mode Property to either restricted or privileged. For your workflow to run in privileged mode, however, you must be a member of the Privileged Workflow Authors COM+ role. This is checked by the workflow event sink at run time. Privileged Workflow Authors is a COM+ role created by Microsoft® Exchange Server 2003 setup. For more information about registering Privileged Workflow Authors, see Registering Workflow Authors.

The following table summarizes the two security modes that you can implement with CDO for Workflow (CDOWF).

| Factors to consider | Restricted mode | Privileged mode |
| --- | --- | --- |
| Script access | Only the current Exchange store item (ProcessInstance CoClass) is accessible. | Scripts and objects can access enterprise databases as security context allows. |
| Cocreatable COM objects | None can be created. | Unlimited registered components. Allows you to integrate with other systems such as Structured Query Language (SQL) databases and other applications that provide COM components. |
| Microsoft Active Directory® access | Limited Active Directory lookups through the GetUserProperty Method. | Can use LDAP and Active Directory. |
| Security context | Workflow System Account defined by the system administrator and ActiveConnection of the user who triggered the workflow event. |

The following illustration shows the Component Services dialog box, where you can view the workflow event sink COM+ package with the Privileged Workflow Authors role and its members.

Screenshot of the Component Services console in MMC with the workflow event sink COM+ package installed, showing the Privileged Workflow Authors role
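
The role membership shown in Component Services can also be listed from script, which is useful when auditing who is able to run workflows in privileged mode. The following is an added example, not part of the original SDK topic. It uses the COM+ administration catalog (`COMAdmin.COMAdminCatalog`) and assumes that Windows PowerShell is available on the server; the COM+ application name and the approved-author list are assumptions to replace with your own values.

```powershell
# Added example: audit the COM+ role that gates privileged workflow mode.
# Assumptions: the application name (use the name Component Services shows for
# the workflow event sink package) and the constructed allowlist of authors.
param(
    [string]   $ApplicationName = 'Workflow Event Sink',          # assumed name
    [string]   $RoleName        = 'Privileged Workflow Authors',
    [string[]] $ApprovedAuthors = @('EXAMPLE\wf-author1')         # constructed
)

function Get-ComPlusRoleMember {
    param([string] $ApplicationName, [string] $RoleName)

    # Walk the catalog: Applications -> Roles -> UsersInRole.
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    $app = $apps | Where-Object { $_.Name -eq $ApplicationName }
    if (-not $app) { throw "COM+ application '$ApplicationName' not found." }

    $roles = $apps.GetCollection('Roles', $app.Key)
    $roles.Populate()
    $role = $roles | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found in '$ApplicationName'." }

    $users = $roles.GetCollection('UsersInRole', $role.Key)
    $users.Populate()
    foreach ($user in $users) { $user.Name }   # account name of each member
}

$members = @(Get-ComPlusRoleMember -ApplicationName $ApplicationName -RoleName $RoleName)

# Anyone in the role who is not on the approved list can author privileged workflows.
$unexpected = @($members | Where-Object { $ApprovedAuthors -notcontains $_ })

"Members of '$RoleName': $($members.Count)"
$members | ForEach-Object { "  $_" }

if ($unexpected.Count -gt 0) {
    Write-Warning "Accounts not on the approved list: $($unexpected -join ', ')"
    exit 1
}
'Role membership matches the approved list.'
```

The script only reads the catalog; run it under an account that can view the COM+ application in Component Services.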

The following topics further describe the two security modes:

Restricted Mode

Privileged Mode

Build: June 2007 (2007.618.1)

© 2003-2006 Microsoft Corporation. All rights reserved. Terms of use.