Controlling Workflow Rule Access with Hierarchical Security

You typically do not assign users process which they should not use; as such, users do not have access to any workflow rule invocations that they should not execute.

The application provides another layer of protection to shield sensitive workflow rules against any mistakes in process assignment or presentation form design.  Each rule has a Security Group value.  If this value is specified, the rule obeys group security.

• Message rules use user's permission.  For instance, if you are currently logged in as SMITH, SALLY, you must be a member of a rule's security group in order to execute it.
• Scheduled rules use SYSTEM permission.  When you start the application, it logs in with a SYSTEM user account.  The application then uses this account, its security permissions, and its other resources, to execute the scheduled rules.  

The system account user name is stored in security.properties, where this value can be encrypted and hidden with the other security settings.  The default settings are these:

<attribute xpath="descendant::preferences/core" name="userId" value="SYSTEM"/>