I would like to add a Send Email smart shape to a flow rule, and specify an Attachment Category to include an attachment in the outbound email. There are many paths that lead to the execution of the Send Email smart shape; the shape may be executed after completion of an assignment, or after a wait shape has expired for example.
Up until this point the configuration is relatively simple and all is well. Until we apply security constraints...
To restrict access to the attachment, the Attachment Category rule security tab is updated; the "Access control list by privilege" is configured to grant varying levels of access to six different user types.
At run-time, when the Send Email smart shape is executed, an error occurs: "You are not authorized to open instance DATA-WORKATTACH-FILE". I suspect that this is because the Send Email shape is executed by a requestor that does not have a privilege defined in the "Access control list by privilege" section of the Attachment Category rule.
My question is, how can we configure our application to generate the email notification (with the attachment) in this type of scenario? e.g. the authorization settings of the user that performed the previous step, should not impact generation of the email notification with the attachment.
When you are sending the correspondence from the smart shape, I believe it calls the pzSendEmail activity, which in step 9 (in version 7.3.1), it always sets the parameter to send the mail via an agent. That means that the SendCorr agent needs permission to do what you are trying to do. I suspect if you did a private checkout of pzSendEmail and changed step 9 to not do that, you would see it using your operator's privileges. To have the level of configurability that you are looking for, you may need to do something custom instead of using the smart shape and I'd start with the pzSendEmail activity and tweak as needed.