Hide a workflow state for certain users
Users who have Read access to a workflow state can see that state in their Workbox as long as the state includes workflow commands for which they have Command Execute Access. If business requirements state that a particular workflow state should be hidden from a given set of users, you can restrict access to that state for those users by:
- Hiding all the workflow commands in the state from the users in question, or
- Explicitly hiding the workflow state itself from the users in question.
To explicitly hide a workflow state:
- Turn off the inheritance access for the workflow state and do not grant Read access to the workflow state to the user or to any of the roles that the user is a member of, or
- Deny Read access to the workflow state for the user or for one of the roles that the user is a member of.
Each of these approaches has its advantages and disadvantages.
- Turning off the inheritance access means that you must explicitly grant Read access to all the roles that should be able to see the workflow state in the Workbox. This is the best approach when only a small number of users and roles need to see the workflow state in the Workbox.
- In the Sitecore security system, deny always overrules allow. When you explicitly deny a role Read access, you can inadvertently prevent a user who is a member of many roles from seeing the workflow state. Denying Read access can have unanticipated results.
In general, we recommend that you turn off inheritance access rights and explicitly allow Read access only when the number of roles that require Read access is manageable.
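The difference between the two approaches can be checked on paper before you change any access rights. The following is an added example, not Sitecore code: a simplified Python model of the rules stated above, in which every name (`WorkflowState`, `can_read`, `audit`, the sample users and roles, and the `inherited_read` flag standing in for whatever Read access the state would inherit) is a constructed assumption.

```python
"""Simplified model of the Read-access rules described on this page.
Not Sitecore code; all names and sample data are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class WorkflowState:
    allow_read: set = field(default_factory=set)  # accounts explicitly granted Read
    deny_read: set = field(default_factory=set)   # accounts explicitly denied Read
    inherit: bool = True          # inheritance access turned on or off
    inherited_read: bool = True   # assumption: Read access the state would inherit


def can_read(state, user, roles):
    """Resolve Read for a user together with every role the user is a member of."""
    accounts = {user} | set(roles)
    if accounts & state.deny_read:    # deny always overrules allow
        return False
    if accounts & state.allow_read:   # explicit grant to the user or to a role
        return True
    # Nothing explicit: only inheritance can still grant Read.
    return state.inherit and state.inherited_read


def visible_in_workbox(state, user, roles, executable_commands):
    """Visible only with Read access plus at least one command the user
    has Command Execute Access for."""
    return can_read(state, user, roles) and bool(executable_commands)


def audit(state, users, must_see):
    """Return the users who are meant to see the state but cannot read it."""
    return sorted(u for u, roles in users.items()
                  if u in must_see and not can_read(state, u, roles))


# Constructed sample: the goal is to hide the state from bob only.
USERS = {
    "alice": {"Editors", "Reviewers"},
    "bob": {"Editors"},
    "carol": {"Reviewers", "Publishers"},
}
MUST_SEE = {"alice", "carol"}

# Approach 1: deny Read to bob's role. alice is also an Editor and loses access.
deny_approach = WorkflowState(deny_read={"Editors"})
# Approach 2: turn inheritance off and allow only the role that needs the state.
inherit_off = WorkflowState(allow_read={"Reviewers"}, inherit=False)

if __name__ == "__main__":
    print("deny approach hides by accident:", audit(deny_approach, USERS, MUST_SEE))
    print("inheritance-off hides by accident:", audit(inherit_off, USERS, MUST_SEE))
```

Running the audit over an export of your real role memberships before applying a deny shows which multi-role users would lose the state from their Workbox.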