Visibility Rules
WorkDesk enforces strict actor-scoped and tenant-scoped visibility. Employees see only the workflow executions directly relevant to them. This is not a UI convention — it is enforced at the API and database level.
Who Can See What
| Actor Role | Visibility |
|---|---|
| Employee (standard) | Executions they triggered + executions they acted on as HIL respondent |
| Department Manager | Same as employee, plus optionally: executions triggered by their direct reports (if configured by admin) |
| Workflow Admin | All executions within the tenant — in Admin Panel, not WorkDesk |
| Super Admin | All executions across all tenants — in Admin Panel only |
Enforcement Mechanism
All history queries are enforced at the database level via two filters added to every query:
// ExecutionHistoryController.cs — simplified
[HttpGet("/api/workdesk/executions")]
public async Task<IActionResult> GetExecutionHistory([FromQuery] HistoryQuery query)
{
var actorId = User.GetActorId(); // from JWT claim
var tenantId = User.GetTenantId(); // from JWT claim
var executions = await _repo.GetExecutionsAsync(new ExecutionHistoryFilter
{
// MANDATORY: always applied — cannot be overridden by query params
TenantId = tenantId,
ActorScope = new ActorScope
{
ActorId = actorId,
IncludeTriggered = true, // executions actor triggered
IncludeHilParticipated = true, // executions actor acted as HIL
},
// OPTIONAL: from query string
Status = query.Status,
WorkflowName = query.WorkflowName,
From = query.From,
To = query.To,
});
return Ok(executions);
}Tenant Isolation
BizFirstGO is a multi-tenant platform. Each organization (tenant) has completely isolated data. The tenantId in the actor's JWT token is used to scope all queries — no cross-tenant data can leak through the WorkDesk API.
The tenantId filter is applied server-side before any actor scoping. Even if an actor somehow obtained an execution ID from another tenant, the API would return 404 (not 403) — preventing information disclosure about whether the execution exists.
HIL Participation Tracking
An execution is linked to an actor's history as a "HIL respondent" when the actor submits a HIL response to that execution. The link is created at the moment of submission and is stored in the Process_HILResponseLog table.
// Pseudocode — how participation is recorded
// Called when actor POSTs to /api/executions/{id}/resume
async Task RecordHilParticipation(Guid executionId, Guid actorId, Guid tenantId)
{
await _db.HILResponseLogs.InsertAsync(new HILResponseLog
{
ExecutionId = executionId,
ActorId = actorId,
TenantId = tenantId,
RespondedAt = DateTime.UtcNow,
TaskType = taskType,
});
// This record makes the execution visible in the actor's history
}Configuring Extended Visibility
Admins can grant extended visibility to manager-level users via the Admin Panel:
- Department Visibility — manager sees executions of all department members
- Workflow-Specific Visibility — grant an actor view access to all executions of a specific workflow definition
- Explicit Grant — grant a specific actor access to a specific execution (for audit review purposes)