Workflows and data separation

Data separation restricts workflow contexts to users who are either in the same domain of the workflow or are members of a parent domain.

Figure 1. Workflow and data separation

Workflow records in the Workflow Contexts [wf_contexts] table are considered data. Data separation restricts workflow contexts to users who are either in the same domain of the workflow or are members of a parent domain. While a user in a parent domain can see running workflows in a child domain, a user in a child domain cannot see running workflows in a parent domain. If necessary, administrators can use visibility or contains domains to expand who can see domain-specific data.

For example, when an ACME user requests something from the service catalog, a Service Catalog Request workflow context is created in the ACME domain. Similarly, a service catalog request from an Initech user creates a workflow context in the Initech domain. An MSP user in the TOP domain can see both workflow contexts because it is the parent domain for both the ACME and Initech domains. However when an ACME or Initech user logs in, data separation prevents them from seeing each other's service catalog requests. This is expected behavior because each workflow context contains data specific to that domain, such as the item requested and the request's approval history.