Platform SDK: Exchange 2000 Server

Mode Property

[This is preliminary documentation and subject to change.]

Sets the type of security checking performed by the workflow engine.

[Visual Basic,VBScript]
Public Property Mode As CdoWfMode
[C++]
HRESULT get_Mode(CdoWfMode* pVal);
HRESULT put_Mode(CdoWfMode Val);
[IDL]
HRESULT [propget] Mode([out,retval] CdoWfMode* pVal);
HRESULT [propput] Mode([in] CdoWfMode Val);

Remarks

The Microsoft® Exchange 2000 Server workflow engine will run in one of two modes:

In restricted mode, all executable workflow code will be limited to a small number of “safe” actions. The script engine will be sandboxed such that no other COM objects can be co-created. Code will execute under a security context with little or no permission (anonymous).

In privileged mode, the script engine will be able to co-create any registered COM objects. Creating COM objects lets you integrate with other systems such as SQL databases and other business applications that provide COM components. You can also use LDAP and Active Directory in privileged mode. COM objects may also be used in place of script, for workflow actions. The code will execute under the same Windows 2000 security context as the workflow engine itself—typically the Workflow System Account defined by the server administrator.

Which workflows can run in which mode is checked at run time by the Workflow Event Sink (cdowfevt.dll). Two conditions must both be met before a workflow runs in unlimited mode. First, the workflow event sink component has a COM+ Application Role, PrivilegedWorkflowAuthors, attached to it, and only workflows authored by (last saved by) members of this role are allowed to run in unlimited mode. Second, the workflow author must also explicitly request that the workflow execute in unlimited mode by setting a flag (Mode) on the ProcessDefinition object.

If the Mode flag is set to cdowfRestrictedMode on the ProcessDefinition, then the call to Advance will run in restricted mode. It has the following behavior:

If the Mode flag is set to cdowfPrivilegedMode on the ProcessDefinition, and the workflow components are determined to be authored by someone with proper privileges, then the call to Advance will run in privileged mode. This mode has the following behavior:

Note

If you do not set the Mode property, it defaults to zero (0). Zero is neither Restricted nor Privileged and will cause your application to throw an error. You must explicitly set the security mode.

Example

The following example defines variables for a ProcessDefinition object and an IDataSource interface, creates the objects in memory, opens the ProcDefURL object with read/write access, sets the Mode property to 'Privileged' mode, and saves the change back to the ProcDefURL row in the Web Store.

[Visual Basic]
Dim iPD As CDOWF.ProcessDefinition
Dim iDsrc As CDO.IDataSource

Set iPD = New CDOWF.ProcessDefinition
Set iDsrc = iPD

'ProcDefURL must be a valid URL to a ProcessDefinition item
iDsrc.Open ProcDefURL, _
           Nothing, _
           adModeReadWrite, _
           adFailIfNotExists

With iPD
   .Mode = cdowfPrivilegedMode
End With

iDsrc.Save
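
A read-only companion to the example above, added here and not part of the SDK documentation: it reports the Mode each ProcessDefinition item requests, so an administrator can review the items asking for privileged mode and find any left at the unset default of zero. AuditWorkflowModes and the array of URLs passed to it are hypothetical names; the objects, the Mode property and the mode constants are the ones used on this page.

```vb
' Added example, not SDK code. AuditWorkflowModes and ProcDefURLs are
' hypothetical names; ProcDefURLs is an array of ProcessDefinition item URLs.
Public Function AuditWorkflowModes(ProcDefURLs As Variant) As String
    Dim iPD As CDOWF.ProcessDefinition
    Dim iDsrc As CDO.IDataSource
    Dim vURL As Variant
    Dim lErr As Long
    Dim sErr As String
    Dim sReport As String

    For Each vURL In ProcDefURLs
        Set iPD = New CDOWF.ProcessDefinition
        Set iDsrc = iPD

        ' Open read-only: the audit only reads and never saves the item.
        On Error Resume Next
        iDsrc.Open CStr(vURL), Nothing, adModeRead, adFailIfNotExists
        lErr = Err.Number
        sErr = Err.Description
        On Error GoTo 0

        If lErr <> 0 Then
            sReport = sReport & "OPEN FAILED  " & vURL & " (" & sErr & ")" & vbCrLf
        Else
            Select Case iPD.Mode
                Case cdowfRestrictedMode
                    sReport = sReport & "RESTRICTED   " & vURL & vbCrLf
                Case cdowfPrivilegedMode
                    ' Requests privileged mode: confirm that the last author
                    ' belongs in the PrivilegedWorkflowAuthors role.
                    sReport = sReport & "PRIVILEGED   " & vURL & vbCrLf
                Case Else
                    ' Mode was never set (default 0): the workflow will raise
                    ' an error until a mode is chosen explicitly.
                    sReport = sReport & "MODE NOT SET " & vURL & vbCrLf
            End Select
        End If

        Set iDsrc = Nothing
        Set iPD = Nothing
    Next

    AuditWorkflowModes = sReport
End Function
```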

See Also

IProcessDefinition