Role-based access control not enforcing document approval permissions

Our document control workflow is experiencing a critical RBAC issue. Users assigned the ‘Document Reviewer’ role cannot access approval tasks, receiving permission denied errors even though the role explicitly grants approval permissions.

The strange part is that the same users CAN view documents and add comments, but the approval action fails. I’ve verified in the role configuration that the ‘Approve Documents’ permission is enabled for the Document Reviewer role.


Error: Permission denied for action: APPROVE_DOCUMENT
User Role: Document_Reviewer
Inherited Roles: Quality_User, Basic_User
Permission Check: FAILED at workflow step

I suspect there’s a conflict with role inheritance or the RBAC permission cache isn’t updating when we modify roles. Has anyone dealt with approval workflow permission issues in Arena QMS 2022.2?

Check your workflow step configuration. In Arena QMS, approval steps can have their own permission requirements that are separate from role-based permissions. Go to the document approval workflow definition and verify that the approval step allows the Document_Reviewer role. There’s a specific field in the workflow step properties where you list allowed roles for that action. If Document_Reviewer isn’t listed there, the RBAC permission alone won’t grant access.

Kevin’s on the right track. We had this exact issue and discovered that workflow permissions and RBAC permissions are evaluated separately. Even if a role has system-level approval permissions, each workflow step maintains its own access control list. You need to configure both the role permissions AND the workflow step permissions for approval actions to work correctly.

Also worth checking if you have cross-functional role mapping configured. Sometimes document approval requires permissions from multiple functional areas (quality, engineering, operations), and if the role mapping isn’t set up to bridge these areas, approval actions fail even with correct role assignments.

This sounds like a permission cache issue. Arena QMS caches RBAC permissions for performance, and sometimes changes to role configurations don’t propagate immediately. Try forcing a cache invalidation through the admin console. There’s usually an option under System Administration to clear the security cache.

I’ve encountered similar behavior with inherited roles causing conflicts. When a user has multiple roles, Arena QMS evaluates permissions in a specific order, and sometimes a restrictive permission from a parent role overrides the more permissive child role. Check if your Basic_User role has any explicit DENY permissions for document approval that might be blocking the Document_Reviewer permission grant.
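The layered checks described in the replies above (the role grant, an explicit DENY on an inherited role, and the workflow step's own allowed-role list), as an added troubleshooting sketch that is not part of the thread and not Arena QMS code. The `Role` model, the `diagnose` helper, the `VIEW_DOCUMENT`/`ADD_COMMENT` permission names, the `Quality_Manager` role and the deny-overrides rule are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:  # hypothetical model, not an Arena QMS object
    name: str
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)
    parents: list = field(default_factory=list)  # inherited roles

def role_chain(role):
    """The role plus everything it inherits from, each role once."""
    seen, stack, chain = set(), [role], []
    while stack:
        r = stack.pop()
        if r.name not in seen:
            seen.add(r.name)
            chain.append(r)
            stack.extend(r.parents)
    return chain

def diagnose(role, action, step_allowed_roles):
    """Return (granted, reasons); every blocking layer is reported, not just the first."""
    chain = role_chain(role)
    reasons = []
    deniers = sorted(r.name for r in chain if action in r.deny)
    if deniers:  # assumed rule: an explicit DENY anywhere in the chain wins
        reasons.append(f"explicit DENY on {action} in: {', '.join(deniers)}")
    if not any(action in r.allow for r in chain):
        reasons.append(f"no role in the chain grants {action}")
    if role.name not in step_allowed_roles:  # step ACL is checked independently
        reasons.append(f"workflow step does not list {role.name}")
    return (not reasons, reasons)

def sample_reviewer(basic_denies_approval=False):
    """Constructed sample mirroring the role names in the error output."""
    basic = Role("Basic_User", allow={"VIEW_DOCUMENT", "ADD_COMMENT"},
                 deny={"APPROVE_DOCUMENT"} if basic_denies_approval else set())
    quality = Role("Quality_User")
    return Role("Document_Reviewer", allow={"APPROVE_DOCUMENT"}, parents=[quality, basic])

if __name__ == "__main__":
    cases = [(sample_reviewer(), {"Quality_Manager"}),
             (sample_reviewer(), {"Document_Reviewer"}),
             (sample_reviewer(basic_denies_approval=True), {"Document_Reviewer"})]
    for role, step_acl in cases:
        print(step_acl, diagnose(role, "APPROVE_DOCUMENT", step_acl))
```

Reporting all blocking layers at once matters here because fixing only the step's allowed-role list would still leave the approval denied if an inherited role carries an explicit DENY.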