Private fields using data object and Viewing task instance history (#899)
* Private fields using data object and Viewing task instance history * edits while reviewing --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com>
|
@ -0,0 +1,44 @@
|
||||||
|
# Handling Sensitive Data using Data Store
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
Handling sensitive data, such as credit card numbers, passwords requires careful management to ensure security and privacy.
|
||||||
|
This documentation outlines the process of creating and managing sensitive data objects within SpiffWorkflow, along with setting appropriate permissions.
|
||||||
|
|
||||||
|
### Process Breakdown
|
||||||
|
|
||||||
|
#### 1. Identifying Sensitive Data
|
||||||
|
- Determine what constitutes sensitive data within your workflow. This could include personal information, financial details, confidential business information, etc.
|
||||||
|
#### 2. Data Object Creation and Script Task Integration
|
||||||
|
- **Script Task Setup**: Develop a script task that interacts with the data object. The script should be designed to handle the sensitive data securely, ensuring it's not exposed or logged inadvertently.
|
||||||
|
- **Data Object Creation**: Create a data object in the workflow to store the sensitive data. This object acts as a container for the data, separating it from the main workflow logic.
|
||||||
|
#### 3. Assigning Data Categories
|
||||||
|
- **Categorization**: Assign a specific category to the data object that reflects its sensitive nature. For example, categories like `confidential` or `private` or name of field can be used.
|
||||||
|
#### 4. Implementing Access Controls
|
||||||
|
- **Permission Rules**: Establish permission rules, using a Decision Model and Notation (DMN) table or another mechanism as described under [Admin and Permissions](/DevOps_installation_integration/admin_and_permissions.md) . This step involves specifying who can access the sensitive data.
|
||||||
|
- **Access Restrictions**: Define the access level (e.g., read, write, deny) for different user groups or roles. For instance, you might restrict read access to certain groups while denying it to others.
|
||||||
|
- **URL-Based Permissions**: Use URL patterns to enforce permissions. For example, a URL pattern like `/process-data/confidential/*` can be used to control access to all data objects categorized as confidential.
|
||||||
|
|
||||||
|
### Example: Steps to Handle Sensitive Data
|
||||||
|
|
||||||
|
#### 1. Creating a Script Task with Sensitive Data
|
||||||
|
- **Initial Setup**: Start by creating a script task where the script sets a variable (e.g., `a=1`). This variable `a` could represent sensitive data like a credit card number.
|
||||||
|
- **Execution**: Run the tasks to observe the value of `a`.
|
||||||
|
![image](images/private_data_object.png)
|
||||||
|
#### 2. Converting to a Data Object
|
||||||
|
- **Data Object Creation**: Create a data object and name it (e.g., `a`). Link this data object to the script task and set the data object ID to `a`.
|
||||||
|
- **Assign a Category**: Assume the data object represents a credit card number. Assign a category to this data object, such as `creditcards`.
|
||||||
|
- **Visibility**: The credit card data is visible until permissions are set to restrict access.
|
||||||
|
![image](images/category.png)
|
||||||
|
- **Process Execution**: Upon running the process, the value of the data object will be `1`.
|
||||||
|
![image](images/sensitive_value.png)
|
||||||
|
#### 4. Setting Permissions with DMN Table
|
||||||
|
- **Access Control**: To control who can see the credit card data, you could set permissions in a DMN Table.
|
||||||
|
- **Permission Configuration**: Set the following permissions:
|
||||||
|
- `permission_groups` to `"everybody"`
|
||||||
|
- `permissions` to `"DENY:read"`
|
||||||
|
- `permission_urls` to `"/process-data/creditcards/"`
|
||||||
|
![image](images/setting_permissions.png)
|
||||||
|
#### 5. Implementing Restricted Access
|
||||||
|
With these permissions, access to the credit card data is denied to everyone, ensuring that no unauthorized individuals can view this sensitive information.
|
||||||
|
|
||||||
|
By following these steps, SpiffWorkflow users can securely handle sensitive data within their processes. The combination of data objects, categorization, and precise permission settings ensures that sensitive information like credit card numbers is protected and accessible only to those with the necessary authorization.
|
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 43 KiB |
After Width: | Height: | Size: 8.7 KiB |
After Width: | Height: | Size: 100 KiB |
After Width: | Height: | Size: 32 KiB |
After Width: | Height: | Size: 52 KiB |
After Width: | Height: | Size: 47 KiB |
|
@ -461,3 +461,32 @@ To access and review completed user forms within a specific process model, follo
|
||||||
![Completed by others](images/Completed_by_others.png)
|
![Completed by others](images/Completed_by_others.png)
|
||||||
|
|
||||||
This approach ensures you can monitor and review the progress of user forms within any process model while maintaining the confidentiality of inputs made by other users.
|
This approach ensures you can monitor and review the progress of user forms within any process model while maintaining the confidentiality of inputs made by other users.
|
||||||
|
|
||||||
|
---
|
||||||
|
## How to view task instance history
|
||||||
|
|
||||||
|
Monitoring the history of task instances is helpful for tracking the progress and execution details of a workflow. This guide provides a step-by-step approach to access and understand the task instance history, including the interpretation of task statuses.
|
||||||
|
|
||||||
|
### Steps to Access Task Instance History
|
||||||
|
|
||||||
|
1. **Run the Process**: Initiate a workflow process in SpiffWorkflow.
|
||||||
|
|
||||||
|
2. **Access the Process Instance**: After running the process, navigate to the specific process instance within the SpiffWorkflow interface. This is where you can track the progress of the tasks.
|
||||||
|
![Access process instance](images/Access_Process_Instance.png)
|
||||||
|
|
||||||
|
3. **View Task Details**: Click on the executed task or event that has been completed. For instance, in this example we clicked on "user task".
|
||||||
|
![Access task instance](images/Task_instance.png)
|
||||||
|
|
||||||
|
You will be presented with detailed information about each task instance, including its status and execution timestamp.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
- `2 : 04-01-2024 19:58:11 - MAYBE`
|
||||||
|
- `3 : 04-01-2024 19:58:10 - COMPLETED`
|
||||||
|
- `4 : 04-01-2024 19:58:07 - COMPLETED`
|
||||||
|
![Access task instance](images/task_instance_history.png)
|
||||||
|
|
||||||
|
|
||||||
|
- **COMPLETED Status**: Tasks marked as 'COMPLETED' have finished their execution successfully and have moved the workflow forward.
|
||||||
|
- **MAYBE Status**: Indicates that the task still exists within SpiffWorkflow. While these tasks could be omitted for clarity, retaining them provides a complete picture of the workflow's execution.
|
||||||
|
|
||||||
|
Viewing task instance history in SpiffWorkflow is now more streamlined and informative, thanks to recent updates. Users can effectively track each task's execution, status, and timing, gaining insights into the workflow's overall performance.
|
||||||
|
|
|
@ -35,6 +35,7 @@ Building_Diagrams/Builtin_examples.md
|
||||||
:caption: Debugging Diagrams
|
:caption: Debugging Diagrams
|
||||||
Debugging_Diagrams/bpmn_unit_tests.md
|
Debugging_Diagrams/bpmn_unit_tests.md
|
||||||
Debugging_Diagrams/process_error_handling.md
|
Debugging_Diagrams/process_error_handling.md
|
||||||
|
Debugging_Diagrams/Private_data.md
|
||||||
```
|
```
|
||||||
|
|
||||||
```{toctree}
|
```{toctree}
|
||||||
|
|