[Case Management framework] Access Control in Case Definitions vs. Case Instances - Case Management Framework
Forge component by Platform Maintenance

Hi everyone,

I am using the Case Management Framework for developing applications, and I am trying to make use of the Access Control functionality for some workflows. However, I am unsure about what happens in certain scenarios, so I would like to know if someone can answer the following:

Does Case Instance access control override Case Definition access control? (or the other way around?)

For example, let's say User1 is in Group1 and is creating a Case instance of CaseDefinition1. If Group1 has Read/Write access rights for CaseDefinition1, and later I use the Case_UpdateGroupAccess (to read-only) action for Group1 for the new Case instance, what happens to the permissions for that Group related to this specific instance? (Will the action even run at all?) Do they still have Read/Write access to it?

I can think about a lot of similar scenarios, but the underlying question is basically the same. Right now I am exploring the available options under the framework to see if I can make use of them as-is, or if I need to extend them in a custom way to fit our needs.


Hi Francisco,

Thank you for your question. The way it works at the moment is the following: 

Once an action that requires Access Control is executed, the CMf checks whether the Case Definition associated with the given Case has the Access Control feature turned on or not.

If the feature is turned on, CMf will look at the permissions given at both the Case Definition and Case levels. The highest level of permissions found between those two will be used. (Write > Read)

Picking up on your example, if you tried to use the "Case_UpdateGroupAccess" action to update permissions given at the CaseDefinition level, you would get an exception, because that action requires permissions defined at the Case level. You would need to use the "CaseDefinition_UpdateGroupAccess" action instead. But let's say you had given access at the Case level to that Group as well. If you updated the permissions to "Read", the group would still have "Write" permissions, because "Write" permissions were still defined at the Case Definition level.

Hope I was able to answer your questions,
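
The resolution rule described in the answer above, as an added Python model (not part of the original thread and not the framework's own code), with a check that lists Case-level restrictions that have no effect because the Case Definition still grants more. All function names and the sample grants are hypothetical, and the model assumes Access Control is turned on for the Case Definition.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # no grant at this level
    READ = 1
    WRITE = 2  # Write > Read, as stated in the answer


def effective_access(definition_grants, case_grants, group):
    """Highest permission found at the Case Definition or the Case level."""
    return max(definition_grants.get(group, Access.NONE),
               case_grants.get(group, Access.NONE))


def update_case_group_access(case_grants, group, level):
    """Model of a Case-level update. Assumption: it fails when the group
    has no permission defined at the Case level, as the answer describes."""
    if group not in case_grants:
        raise LookupError(f"{group} has no permission defined at the Case level")
    case_grants[group] = level


def ineffective_restrictions(definition_grants, case_grants):
    """Groups whose Case-level grant is lower than the definition-level grant,
    so the lower Case-level value does not restrict them."""
    return sorted(group for group, level in case_grants.items()
                  if definition_grants.get(group, Access.NONE) > level)


def demo():
    # Constructed sample data mirroring the scenario in the thread.
    definition_grants = {"Group1": Access.WRITE}
    case_grants = {"Group1": Access.WRITE, "Group2": Access.READ}

    # Downgrade Group1 to Read on this one Case instance.
    update_case_group_access(case_grants, "Group1", Access.READ)

    return {
        "Group1": effective_access(definition_grants, case_grants, "Group1").name,
        "Group2": effective_access(definition_grants, case_grants, "Group2").name,
        "ineffective": ineffective_restrictions(definition_grants, case_grants),
    }


if __name__ == "__main__":
    print(demo())
```

In this model, restricting a group on a single Case only works if the broader grant is removed or lowered at the Case Definition level first.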

