diff --git a/awx/main/access.py b/awx/main/access.py
index 63b826791f..e81b69e16b 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -2781,7 +2781,7 @@ class RoleAccess(BaseAccess):
 class WorkflowApprovalAccess(BaseAccess):
 '''
- A user can create an workflow approval if they are a superuser, an org admin
+ A user can create a workflow approval if they are a superuser, an org admin
 of the org connected to the workflow, or if they are assigned as admins to the workflow.
@@ -2817,7 +2817,7 @@ class WorkflowApprovalAccess(BaseAccess):
 class WorkflowApprovalTemplateAccess(BaseAccess):
 '''
- A user can create an approval template if they are a superuser, an org admin
+ A user can create a workflow approval if they are a superuser, an org admin
 of the org connected to the workflow, or if they are assigned as admins to the workflow.
diff --git a/docs/workflow.md b/docs/workflow.md
index 8043b0f37e..cedc8cd2f9 100644
--- a/docs/workflow.md
+++ b/docs/workflow.md
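Review bot: The docstring of `WorkflowApprovalTemplateAccess` in the second hunk (`@@ -2817,7 +2817,7 @@`) now reads word for word like the one on `WorkflowApprovalAccess`, so it no longer says that this class governs approval templates rather than approvals. On an RBAC class the docstring is what a reader compares the permission checks against, so I would keep the object name, for example `A user can create a workflow approval template if they are a superuser, an org admin`. The new docs/workflow.md text in this commit also lists a Workflow Admin in the organization among the users who can create an approval, which neither docstring mentions; one of the two should be aligned with the other. Both class bodies continue outside the hunks, so which description matches the enforced checks cannot be confirmed from here.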
@@ -54,6 +54,32 @@ In the event that spawning the workflow would result in recursion, the child wor
 will be marked as failed with a message explaining that recursion was detected. This is to prevent saturation of the task system with an infinite chain of workflows.
+#### Workflow Approval Nodes
+
+The workflow approval node feature enables users to add steps in a workflow in between nodes within workflows so that a user (as long as they have approval permissions, explained in further detail below) can give the "yes" or "no" to continue on to the next step in the workflow.
+
+**RBAC Setup for Workflow Approval Nodes**
+
+A user can _create_ a workflow approval if they are:
+- a Superuser
+- an Org Admin of the organization connected to the workflow
+- a Workflow Admin in the organization connected to the workflow
+- assigned as admins to a particular workflow
+
+A user can _approve_ a workflow when they are:
+- a Superuser
+- a Workflow Admin
+- an Organization Admin
+- any user who has explicitly been assigned the "approver" role
+
+A user can _view_ approvals if they:
+- have Read access to the associated Workflow Job Template
+
+**Other Workflow Approval Node Features**
+
+A timeout can be set for each approval node. This field defaults to `0` for no expiration.
+
+
 ### DAG Formation and Restrictions
 The DAG structure of a workflow is enforced by associating workflow job template nodes via endpoints `/workflow_job_template_nodes/\d+/*_nodes/`, where `*` has options `success`, `failure` and `always`. There is one restriction that is enforced when setting up new connections and that is the cycle restriction, since it's a DAG.