Public link

Applies to version: 2023 R1 and above; author: Łukasz Maciaszkiewicz

Introduction

Effective competition on the current market demands that companies possess a high degree of flexibility and the capability to access and make use of external resources. Many times, particularly when the internal resources of a company or its division appear to be insufficient, it is necessary to involve external experts, especially when a project or a task is non-recurrent and hiring a permanent expert is economically infeasible.

To share instances and tasks safely and conveniently, the WEBCON BPS platform is provided with the public link functionality. It allows users to share instances or tasks quickly and seamlessly with individuals holding no access to a particular application or process, or even people outside the company, thus supporting its business activity.

This article describes the aforementioned functionality and discusses its configuration as well as its main features.

Enabling the public link functionality

Along with implementation of the public link functionality comes a new section Sharing available now in the process “Settings” tab in Designer Studio. To use the aforementioned functionality in a selected process, check the Enable instance and task sharing button in the “Sharing” section.

Once it is checked, other fields placed in the section become editable, i.e. Privileges level and Default sharing expiration time (in days). The “Privileges level” option contains a drop-down list that allows you to specify whether the instances are shared with edition (Edit) or read-only (Read only) rights. On the other hand, the “Default sharing expiration time (in days)” option allows you to specify the number of days after which sharing will be deactivated. You can also define or calculate the number of days using a business rule inserted in the field mentioned above.

The “Sharing” section lets you enable the public link functionality

Note that checking the button itself will also modify the configuration of the Designer Studio. One of the modifications involves access to three sharing actions and the ability to insert the “Share” button directly in the form. Other modification is the appearance of new business rules. The aforementioned configuration elements are discussed below.

Context variables

Once you check the public link functionality, the business rule editor is expanded with new context variables. The Is instance shared? variable is added to the “Information” group in the “System fields” node, enabling users to check whether a given instance has been shared. Additionally, the Is share mode active? variable is added to the “Form display modes”. The variable checks whether the form is currently displayed in the share mode for the temporary user.

Sharing actions

After enabling the public link functionality in the process settings, the user gains access to the three sharing actions belonging to the “Privileges and sharing” group: Share workflow instance, Share task, and Stop sharing.

The actions can be embedded in:

• process automations (the “System settings” button → the “Automations” node in the selection tree),
• workflow automations (as actions inserted globally in the workflow or in a particular step),
• action templates (process name → the “Configuration” button → the “Action templates” node).

Note that these actions are not available in global automations.

Enabling the public link functionality makes available three new actions

A detailed description of each action, including presentation of the contexts under which they can be invoked, is provided below.

• Share workflow instance

The action allows you to share a selected BPS workflow instance in the read-only or edition mode. User can specify a person or persons an instance is to be shared with by entering at least one e-mail address in the Instance shared with (email addresses) field in the action configuration window (they can also use business rule to define a list of e-mail addresses). For each specified e-mail address there is a separate sharing with a unique link to the selected instance.

It is also necessary to configure an e-mail sent as a notification to a person obtaining the link. To do that, enter the e-mail subject in the “Confirmation email - subject” in the action configuration window and type in its content in the “Confirmation email - message” field. The message is sent to the e-mail address entered previously along with a link to the shared instance and sent in accordance with the global template for sending e-mail notifications (the “System settings” button → the “E-mail notifications” node → “Configuration of sending e-mails).

To determine the level of privileges of an individual holding the link to the shared instance, select either Read only (user can only display shared instance) or Edit (user can edit content of the shared instance) from the drop-down list in the Privileges level field.

When configuring the action, the user must also specify the time through which the sharing will remain active in the Sharing expiration time (in days). When the specified time elapses, the system records the information on sharing and its author, and the sharing itself is deactivated. Remember that it is possible to stop sharing earlier by means of the Stop sharing action.

A demonstrative configuration of the “Share workflow instance” action

If the same user invokes the action for the already existing and active sharing and for the same e-mail address, the sharing is reedited and the link to the instance is sent again (if the action is embedded in the on-path automation.

The “Share workflow instance” action can be invoked in the following contexts:

“On entry”, “On exit”, “On timeout”, “On browser opening”, “Menu button”, “On path”, “Upon instance saving”.

• Share task

The action allows you to generate and directly share tasks in the system. Like in the case of the “Share workflow instance” action, the task is shared through a unique link sent to the e-mail address specified in the Assign task to (email addresses). You can specify multiple e-mail addresses for which separate task links will be generated.

What is important the task settings correspond with the settings specified on path between steps, e.g. if the “Completion – Any” option is selected in the “Parallelism” field (workflow name → the “Workflow designer” tab → double click the required path → the “Task creation” tab → the “Parallelism” field), the task must be executed only by one of the persons holding the link.

Once you enter the e-mail address or addresses, you need to create an e-mail notification that is sent together with the link to the task. Enter the message subject in the Confirmation email - subject field and its content in the Confirmation email - message.

There is no sharing expiration time limit for the “Share task” action. Once a task is executed, the task sharing is automatically replaced with instance sharing with read-only privileges and 1-year expiration time. The same applies to situations where a task shared with multiple persons is executed by one of them (if the task had been configured as “Completion – Any”).

It is important to remember that once a task is completed, information on its sharing is recorded in the historical data table.

A demonstrative configuration of the “Share task” action

Sharing the same task again results in overwriting the current sharing and resending e-mail notification.

The “Share task” action can be invoked in the following contexts:

“On entry”, “On exit”, “On path”, “Upon instance saving”.

• Stop sharing

The action ends sharing of a specified instance for all users. Unlike the actions discussed above, the “Stop sharing” action does not send e-mail notification. The action has no configuration window – once it is embedded in automation, it can be deactivated by pressing the “Deactivate” button in the drop-down menu.

The “Stop sharing” action can be invoked in the following contexts:

“On entry”, “On exit”, “On timeout”, “On browser opening”, “Menu button”, “On path”, “Upon instance saving”.

Sharing with form button

In addition to the abovementioned actions that automate the sharing process, the WEBCON BPS system also offers a convenient, alternative sharing method, i.e. the Share button available in the form. This method requires direct involvement from a user who in this case must manually configure sharing in the form.

A demonstrative form with the “Share” button inside a red frame

As mentioned in the introduction to this article, in order to insert the “Share” button in the form, it is necessary to enable the public link functionality in the process configuration (checking the “Enable instance and task sharing” checkbox in the “Sharing” section). You can manage the availability of the button in the “Field matrix” (workflow name → “Main form” → “Field matrix” → “Standard areas”) and by editing the form layout in a selected step (workflow name → the “Workflow designer” tab → step name → the “Forms” tab). 

Field matrix containing checked “Share” button availability checkbox

Note here that the button is not visible for new instances (even when configured as visible in the initial step).

To make the “Share” button unavailable, uncheck the respective checkbox in the “Main form” tab.

The button cannot be further configured and its operation follows process settings. By pressing the button, a window will open where you can enter the e-mail address of the person with whom you wish to share the instance [Share workflow instance with (email address)]. Furthermore, you can specify the level of privileges for the person by checking the Allow editing button, which enables them to make changes to the shared instance. Conversely, unchecking the button restricts them to read-only access.

In the Expiration date field you can specify how long the sharing will remain active – once this time elapses, the sharing will be deactivated.

After entering all the required information, click the Share button.

Sharing window opened after clicking the “Share” button

Once you share the instance (click the “Share” button), a new window opens. It contains information on e-mail address for which the instance was shared and link to the instance. There are also two additional fields below that allow you to create an e-mail notification sent to the specified address. Like the actions configuration, you can enter the e-mail subject and content in the Subject and Message fields, respectively. Both fields are by default filled out with standard content in the current language of the form. The instance link mentioned earlier is automatically added to the e-mail content.

Window containing link to the shared instance and fields for creating an e-mail notification

After clicking the Send button, the specified e-mail address receives a message with information on instance sharing and the user who shared it.

Ending the sharing

There are multiple ways to stop sharing which are dependent on its type. Below are some possible scenarios for ending the sharing.

• Instance sharing
  • Elapse of defined sharing expiration time
  • Manual stopping of sharing initiated by either the user or the administrator
  • Invoking the “Stop sharing” action

NOTE: when sharing an instance with edition rights, each path transition reduces privileges to the “Read only” level and 1-year expiration time.

• Task sharing
  • Task execution – including by other person – results in replacing the sharing with a new one with read-only privileges and 1-year expiration time.
  • Path transition results in replacing the sharing with instance sharing with read-only privileges and 1-year expiration time.
  • Invoking the “Stop sharing” action

Please note that transiting a path or invoking the “Stop sharing” action only ends the sharing, not the task itself.

Information on all finished sharings is recorded by the service in a dedicated table containing sharing history – HistorySharedInstances. The same principle applies to the previously mentioned situations that involve changing the type of sharing. For example, transiting a path will replace the existing sharing with editing rights with a new one that has read-only rights.

• Archiving

When a shared instance is archived or deleted, the sharing is ended and a record is created in the content database containing historical data. The relevant entry is also deleted from the table which contains information about shared instances.

General remarks

When the received link is opened, the system generates a temporary user account with the appropriate privileges that were configured by the user either in the action or form using the “Share” button. These privileges relate exclusively to the specified instance. Additionally, regardless of the form configuration, this type of user is not able to delegate tasks or share tasks and instances with others. They are also restricted from accessing certain options, including administrative tools, history, deleting instances, or starting new ones.

The form view that is displayed to the temporary user is determined by the configuration entered in the “Field Matrix” and the defined rules. To control the visibility of defined elements for the temporary user, it is possible to use the “Is share mode active?” option.

The “Share” button icon is replaced with the Active shares icon once an instance is shared. Clicking on the icon will display a list of users with whom the instance is shared. Please note that users can only view their own sharings and cannot see sharings generated by other users..  The information presented here include e-mail address, type of privileges, and sharing expiration date. There are also two additional buttons available: edition (pencil icon) and deletion (bin icon). The first option enables you to edit the sharing by changing the expiration date or type of privileges (if the mode set in the process configuration “Sharing” section is “Edit”), while the second option deletes the selected sharing.

The “Active shares” button displays the e-mail addresses with which an instance has been shared.

Administrator privileges

When operating in admin mode, an administrator can view all instances and tasks that have been shared and delete them if necessary. In the case of instances, the administrator can also edit them. An administrator can view the aforementioned sharings in multiple ways. They can click the "Active shares" button to display them directly in the form, or access them through the admin panel (by clicking the Active shares button) or the "Workflow instance privileges" (the "Admin actions" gear button → the "Privileges" option). The last option does not allow user to edit the sharings (it is only possible to delete them).

The “Workflow instance privileges” window contains information on sharings

It is worth to briefly address the aforementioned “Active shares” option available in the admin panel. It is a view that enables users to display and modify (edit and delete) all active sharings regardless of their type (instance or task sharing). The view provides a filtering function for sharings, which is particularly useful when there is a large number of sharings to manage.

Identity verification with security codes

Starting from the 2023 R2 version, it is possible to enhance the security of public links by utilizing a single-use authorization code which is sent to the email address of the link recipient. This solution prevents individuals who have accidentally obtained the link from gaining unauthorized access to the shared instance.

• Enabling the functionality

The identity verification mechanism is by default enabled in Designer Studio [selected the Require identity verification (security code sent via email) checkbox] immediately after activating the public access (process name → the Settings tab → the Public access section → Enable task and instance sharing for people outside the organization). To disable it, unselect the aforementioned checkbox.

• Operation

You can notice the mechanism operation after opening a secured link. The system redirects you to the Portal’s website and displays information about obligatory confirmation of identity by means of a single-use authorization code.

A 6-digit code is generated after clicking the Send an authorization code and sent to the e-mail address of the intended link recipient. [The messages are sent in the language in which a user displayed the window for entering authorization code in Portal (which corresponds with the language set in the Internet browser)]. The code delivery is confirmed with the message Verification code has been sent which is displayed within a green box under the area used for identity confirmation.

A separate code valid for 5 min is generated for each shared instance – after 5 min it is necessary to generate a new code which must be entered in the text field and press the Verify button. (It is worth noting here that a user can work simultaneously in several browsers by generating and entering different authorization codes).

• Limit for the number of attempts

It is important to remember that after 20 unsuccessful log-in attempts the public link becomes inactive and the system displays information that the link expired (this information is also presented in the form and the Admin Panel). The administrator or the link author can reactive the link. To access the instance or task to which a link was reactivated, the intended recipient needs to generate and input a new authorization code.

• Identity verification interval

After an hour has passed since gaining access to the shared instance or task, the system will automatically prompt for new authorization, unless a user is actively editing a form within the given instance or task. You can modify this time in the Security node (System settings → Global parameters) by changing the value in the User identity verification interval field provided in the section Security codes configuration for sharing workflow instances publicly. (Please note that this field is active only if you had set the User defined value in the Tokens and cookies lifetime configuration field.)

• Information about secured link

Information regarding securing a link with an authorization code and its status is accessible to both administrators and link authors.

In the first case, this information is available in the Admin Panel in the Protection column of the Active shares. The key icon indicates that identity verification is enabled for a specific share, while the general prohibition sign icon signals that the share has been locked (possibly due to exceeding login attempt limits or authorization intervals). An empty field indicates that the share is not secured. After hovering over the icons mentioned earlier, a tooltip is displayed providing information about the required verification or the date when the link was locked.

For the locked access, it is possible to share the link again by clicking the lock icon available in the Actions column.

The link author also receives information about locking the share (the information on necessary identity verification is not displayed). It is presented in the form of the aforementioned general prohibition sign icon after clicking the Active shares icon in the top, left form corner.

Similarly, by clicking the lock icon here, the author can re-enable the sharing of the link.

Summary

The public link functionality is a very useful tool that enables users to share access to instances or tasks quickly and conveniently. It is particularly helpful when specific content needs to be presented to third parties who do not necessarily need access to the whole process or do not have it for other reasons. This feature provides companies with the flexibility to involve external individuals in their projects, enabling them to leverage external knowledge and experience.

2024 R1 update

From version 2024.1.1 onward, this functionality is licensed based on Single-Use access licesnes.
You can find more information about this new type of licene (added in version 2023.1.1) in the following article: WEBCON BPS Licenses.