Hide a workflow command for certain users
Workflow commands for a content item are shown to users in the Content Editor and the Workbox users when:
-
The user has Write access to the content item
and
-
The user has Write access to the command’s parent workflow state
and
-
The user has Read access to the workflow command itself.
If you configure the security settings so that a user does not meet all of these criteria, you hide the workflow command from that user.
If the user must have Write access to both the content item and the workflow state, there are two ways to deny them Read access to the workflow command:
-
Turn off inheritance access for the workflow command, and do not grant the user and all the roles that the user is a member of Read access to the workflow command.
NoteTurning off the inheritance access means that you must explicitly grant Read access to all the roles that should be able to see the workflow state in the Workbox. This is the best approach when only a small number of users and roles need to see the workflow state in the Workbox.
-
Deny the user or one of the roles that the user is a member of Read access to the workflow command.
NoteIn the Sitecore security system, deny always overrules allow. When you explicitly deny a role Read access, you can inadvertently prevent a user who has is a member of many roles from seeing the workflow command. Denying Read access can have unanticipated results.
In general, it is recommended that you turn off inheritance access and explicitly allow Read access only when the number of roles that requires Read access is manageable.For further reading