{{ message }}
fix: remove broken GRANT/REVOKE EXECUTE ON WORKFLOW#173
Merged
ako merged 2 commits intomendixlabs:mainfrom Apr 11, 2026
Merged
Conversation
Workflows$Workflow has no AllowedModuleRoles field in the Mendix metamodel (confirmed by generated metamodel and BSON dump of Studio Pro output). The GRANT/REVOKE EXECUTE ON WORKFLOW commands silently wrote a phantom field that Studio Pro ignored. Replace with clear error messages explaining that workflow access is controlled through triggering microflows and UserTask targeting.
engalar
force-pushed
the
fix/grant-workflow-security-location
branch
from
bff460a to
88eaa78
Compare
…HELP - Remove SHOW ACCESS ON WORKFLOW from HELP output - Update workflows.md See Also to clarify access control approach - Remove dead Workflow section from showSecurityMatrix (AllowedModuleRoles doesn't exist)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AllowedModuleRolesfield on the Workflow BSON document, butWorkflows$Workflowhas no such field in the Mendix metamodel (confirmed by generated metamodel types and BSON dump of Studio Pro output). Studio Pro ignored the phantom field entirely.AllowedModuleRolesfield from theWorkflowstruct and its BSON parser, and cleaned up SHOW SECURITY MATRIX workflow section, HELP output, and all documentation references.Test plan
make buildsucceedsmake testpassesGRANT EXECUTE ON WORKFLOW Mod.WF TO Mod.Role;returns clear error message