Access Control List (ACL) User Interface

Open the Access Control wizard by clicking the 

Lock icon on the Forms Home Page or the Flows Home Page. It is also accessible by clicking the 

icon on the Form/Flow designer toolbars.

Form designers as well as users with the publisher role are authorized to configure access control. The Access Control wizard makes the following permissions available for forms/flows:

• Who can use the form - available for forms and flows

• Who can view submissions - available for forms and flows

• Who can edit submissions - available for forms and flows

• Who can access the audit trail - available only for flows

• Who can administer the flow

ACL settings,set by the designer, are retained when you download/upload a form/flow/app to another designer user in the same or different tenant and when you copy a form/flow.

 

Dynamic ACLs

Templates provide the ability to dynamically determine and restrict access to submissions/ task audit trails when assigning Access Control permissions. Templates are like variables in your form that can be filled in by the user, populated by a business rule or from a back end system.  Any item on the Access Control screens contained in curly braces is a form template and will be replaced with the value of the associated control. For example, the list below contains two fixed roles(reviewer and superuser) and one dynamic template based role - {acctmgrrole} : 

In the example discussed below, templates are used to navigate the flow to the correct employee in the Accounting department and to define user lists to dynamically control access. 

Important Note on Dynamic Access Controls:

• Whenever a template is used to determine access control the derived set of users and roles are tied to the submission. They will only change if the submission is edited. Once a role is granted permission to a submission, that cannot be changed by editing the access control configuration in the designer.

• Dynamic ACLs work per submission when that form/flow is being submitted. If you change ACL permissions they will not take effect for the old submissions automatically as the related ACL record was not created when that particular submission was made. Old submissions must be edited and re-submitted it for the changes to take effect.

 

Who can use the form/flow

Setting this permission determines who is allowed to create form/flow submissions. The choices for Form/Flow visibility are: 

• Private  - only the owner can edit, test or use the form. The owner must log in to 

  .

• Public In Tenant - the form is usable to anyone who has an account (username/password) and is logged in to your tenant.

• Public -  anyone can use it even if they are not logged in.

• Custom - The owning designer always has access to the form/flow. Additionally, the designer may configure selected users and/or roles (i.e. users with these roles) to have runtime access to the form/flow.

This topic is discussed in detail here. 

Who can view submissions

The designer can assign permission to view form/flow submissions to specific roles/users.  Any user with view access can view submissions in read-only mode. Submission deletion is not allowed. Templates can be used to dynamically determine at runtime which users and roles are allowed to view submissions.

To assign permission to view submissions, follow these steps:

1. Open the Access Control wizard by clicking the Lock icon on the Forms Home Page, Flows Home Page or on the Form/Flow designer toolbars. 

2. Select Who can view submissions from the Permission field dropdown. 

3. Enter the roles you want to grant view access to, separated by commas, in the Roles section. You can enter control names from your form/flow encased in curly braces to act as templates for dynamic access.

4. Enter the users you want to grant view access to, separated by commas, in the Users section. You can enter control names from your form/flow encased in curly braces to act as templates for dynamic access.

5. Click Finish or select the next option in the dropdown to continue with the Access Control List.

Who can edit submissions

The designer can assign permission to edit form/flow submissions to specific roles/users. Any user with edit access can view, edit and delete submissions. Templates can be used to dynamically determine at runtime which users and roles are allowed to edit submissions.

To assign permission to edit submissions, follow these steps:

1. Open the Access Control wizard by clicking the Lock icon on the Forms Home Page, Flows Home Page or on the Form/Flow designer toolbars. 

2. Select Who can edit submissions from the Permission field dropdown. 

3. Enter the roles you want to grant edit access to, separated by commas, in the Roles section. You can enter control names from your form/flow encased in curly braces to act as templates for dynamic access.

4. Enter the users you want to grant edit access to, separated by commas, in the Users section. You can enter control names from your form/flow encased in curly braces to act as templates for dynamic access.

5. Click Finish or select the next option in the dropdown to continue with the Access Control List for flows.

Who can access the audit trail - Flows Only

 The audit trail is accessed on a 

 user's Task List by clicking the

View Task History icon. Roles/Users granted this permission will see the

View Task History icon on tasks in their task list.

To assign permission to view the audit trail, follow these steps:

1. Open the Access Control wizard by clicking the Lock icon on the Flows Home Page or on the Flow designer toolbar. 

2. Select Who can access the audit trail from the Permission field dropdown. 

3. The Permission dropdown has two choices: All participants and Custom

4. All participants indicates that any user that participated in the flow can view the audit trail for the task (provided they have access to the task). 
    
   

   
    

5. Custom indicates that only users granted explicit access or with one of the specified roles can view the audit trail for the task (provided they have access to the task).  Roles and users can be selected via an editable combo-box control. 
   
   

1. Enter the roles you want to grant audit trail access to, separated by commas, in the Roles section. You can enter control names from your flow encased in curly braces to act as templates for dynamic access.

2. Enter the users you want to grant audit trail access to, separated by commas, in the Users section. You can enter control names from your flow encased in curly braces to act as templates for dynamic access.

3. Click Finish or select the next option in the dropdown to continue with the Access Control List for flows.

 

Who can administer the flow - Flows Only

This permissions let a user abort, reassign and reset tasks that are not assigned to them. In previous releases these administrative tasks were restricted to tenant admins.

The designer can delegate these tasks to additional users/roles by assigning them in the Who can administer the flow section of the Access Control dropdown. Any user/roles listed here will be considered a Flow Administrator.  As such, the Modify Task icon on a task in the task list will be displayed. Tenant admins and designer users get the Modify Task icon by default. 

To assign user/roles as Flow Administrators, follow these steps:

1. Open the Access Control wizard by clicking the Lock icon on the Flows Home Page or on the Flow designer toolbar. 

2. Select Who can administer the flow from the Permission field dropdown. 

3. Enter the roles you want to assign as flow administrators, separated by commas, in the Roles section. You can enter control names from your flow encased in curly braces to act as templates for dynamic access.

4. Enter the users you want to assign as flow administrators, separated by commas, in the Users section. You can enter control names from your flow encased in curly braces to act as templates for dynamic access.

5. Click Finish to save the completed Access Control List.