One element of managing workflows through the K2 Workspace that has always been a little tricky has been the addition of users to a role. There are some details about it which seem to me to be easy to miss. I’d like to help with that.

In our development environment, role-based security is assigned directly to users (such as developers and testers). As development matures and planning commences in earnest for staging and production environments, possibilities for Active Directory group-based permissions are examined — so the workflow roles can be assigned to AD groups.

Regardless of model, you need the K2 Workspace to perform role assignments. More directly, you need access to the Management Console in the K2 Workspace to make those assignments.

I’m going to walk you through getting to the roles, creating a new role, adding a user to a role, and removing a user from a role. 

 To get to roles:

1. Open the K2 Workspace, preferably in IE. The URL will look something like http://myserver:port/Workspace/Navigation/Navigation.aspx
2. In the top navigation, hover over the Management menu item. a submenu should appear with a single item, labeled Management Console. Click that.
3. In the left-hand navigation of the main window, you’ll see a header which reads K2 Management. Beneath that will be a tree which starts with the name and port of the K2 server to which the Workspace is attached.
4. Expand the tree.
5. Expand the Roles node.

To create a new role,

1. Right-click on the Roles node
2. Select Add New Role
3. In the main window , you’ll see a header labeled Server > Workflow Server > Roles, under which will be a command bar with buttons labeled Add Role Item, Remove Role Item, and Save. It’s that Save item that will cause you grief later. Beneath the command bar is a role properties area containing a textbox field labeled Name:, another labeled Description, and a checkbox labeled Dynamic. Beneath that is a region reserved for searching on role items.
4. Type in a name for your new role, and a short description. By the way: the two textboxes don’t like special characters. This might become important for your description — no commas, no periods, and no apostrophes. (Plbbth.)
5. Click Save to see a dialog that reads, “Error! Role must include at least RoleItem in the Include collection.” In English, this means you can’t save your new role until you add a member. You can’t just save the role properties. 
6. Click OK to clear the dialog and recover your pride. This is a fantastic segue into…

To add a member to a role,

1. Open the role you wish to modify. If you’ve just created a new role (see above), you’re good to go.
2. In the navigation on the main portion of the browser window, locate and click the Add Role Item button. It’s in that command bar above the role properties. The text is preceded by a thick green plus sign.
3. The Add Role Item dialog appears. It has a tabbed interface that is set to “Users” by default. The top half of the dialog is a search engine for users and groups. The lower half is a region in which users or groups meeting the search criteria will appear, and from which your target user/group may be selected. The two halves are separated by a command bar which contains the options Search, Select All, and Clear All.
4. In that upper region, your search options include various methods. Starts With is set by default, allowing you to type the first few characters of the user or group name. Additional criteria appear on a second line. *
5.  Type the first few characters of a person’s credential and click the Search button in the navigation bar in the middle of the dialog. Each user that met the criteria will be listed in the lower half of the dialog, by Name, Type, Label and Domain. Find the user you’re looking for based on the search you did, and check the box to the left of that user’s name to select it.
6. Click OK in the lower right corner of the dialog.
7. The Add Role Item dialog will close, and you’ll be returned to the main Roles form.
8. The user you selected should now appear listed on the Roles form, in the large region below the role properties.
9. YOU’RE NOT DONE YET. This is where the trick is. YOU MUST CLICK THE Save BUTTON (above the role properties) IN ORDER TO COMPLETE THE ADDITION OF THE USER. I can’t count the number of times I’ve simply selected another group after returning to the main window because I thought the user was added to the group. It’s a real pain when you thought you’ve added this user to 15 groups only to realize you haven’t actually added it to any of them. Click Save first! 

* Additional search criteria appear on the second line — dropdowns labeled Security Label:, Domain: and Search For: By default, the Security Label dropdown is set to the “K2” value.  This is a function of the nature of K2 — it monitors your Active Directory Users and imports a copy of the list periodically, placing a “K2:” label before each user. So, technically, when you’re searching for a role member, you’re really searching for an item listed in K2’s copy of AD.

To remove a member from a role,

1. Open the role you wish to modify.
2. In the large region where the users and groups are listed, find the user you wish to remove, and clear the checkbox in the Include column of the table.
3. Click Save in the command bar above the role properties.