I am busy at a customer implementing some security rules on work items. As you might or might not know, work item security is quite limited.
My scenario is as follows:
- Only users in group XYZ can make a state transition from [Draft] to [Approved]
- When the item is in the state [Approved], only members of group XYZ can set it back to [Draft]
- When the item is in the state [Approved], *nobody* is allowed to modify the work item, so the work item must be set to read-only
I read this fantastic workaround by Angela Dugan, and thought my worries were over. In short, Angela's solution works as follows:
- Add a field [UserAccessDenied] to a work item but do not show this on the form
- In the desired state, add a [REQUIRED] rule for a certain group
- Because you cannot enter a value, you can never save the work item, so it is “sort of” read-only
Only I had one nasty issue. Because my requirement was that *nobody* was allowed to modify the work item, Angela’s workaround did not work directly. When I set my work item to the state [Approved], the work item rules immediately validated that the field was empty, so I was not able to save my work item and could never put it in the [Approved] state.
To work around this issue, I came up with the following:
- Implement Angela's workaround
- Limit the state transition to my group XYZ
- In my state transition, add a rule to the field [UserAccessDenied] that uses a [COPY] rule to fill in “a” value (“allowed” in my case). This allows me to save the work item when I am in a specific group.
- In my state [Approved], add the [REQUIRED] rule and set the value back to empty. This puts the [REQUIRED] rule back to work for everybody.
I can now only go back to another state in order to save the work item.
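One way the four steps above could look in a work item type definition, as an added example that is not the author's own definition. The work item type name, the reference name `Custom.UserAccessDenied`, the group path `[project]\XYZ`, the reason values, and the use of the `EMPTY` rule for "set the value back to empty" are assumptions.

```xml
<!-- Added example. Assumed names: work item type "Document", field refname
     Custom.UserAccessDenied, group [project]\XYZ, all reason values. -->
<WORKITEMTYPE name="Document">
  <FIELDS>
    <!-- Step 1: helper field, defined here but never placed on the FORM -->
    <FIELD name="User Access Denied" refname="Custom.UserAccessDenied" type="String" />
  </FIELDS>
  <WORKFLOW>
    <STATES>
      <STATE value="Draft" />
      <STATE value="Approved">
        <FIELDS>
          <FIELD refname="Custom.UserAccessDenied">
            <!-- Step 4: no "for" attribute, so the rule applies to everybody.
                 EMPTY (assumed reading of "set the value back to empty")
                 clears the copied value when the work item is saved. -->
            <REQUIRED />
            <EMPTY />
          </FIELD>
        </FIELDS>
      </STATE>
    </STATES>
    <TRANSITIONS>
      <TRANSITION from="" to="Draft">
        <REASONS><DEFAULTREASON value="New" /></REASONS>
      </TRANSITION>
      <!-- Step 2: only group XYZ may approve -->
      <TRANSITION from="Draft" to="Approved" for="[project]\XYZ">
        <REASONS><DEFAULTREASON value="Approved" /></REASONS>
        <FIELDS>
          <FIELD refname="Custom.UserAccessDenied">
            <!-- Step 3: fill the hidden field so REQUIRED passes on this save -->
            <COPY from="value" value="allowed" />
          </FIELD>
        </FIELDS>
      </TRANSITION>
      <!-- Only group XYZ may send the item back; Draft has no REQUIRED rule,
           so this save succeeds -->
      <TRANSITION from="Approved" to="Draft" for="[project]\XYZ">
        <REASONS><DEFAULTREASON value="Rework" /></REASONS>
      </TRANSITION>
    </TRANSITIONS>
  </WORKFLOW>
</WORKITEMTYPE>
```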
Hope this helps!