We have a requirement where we are assigning a particular work object from workbasket to different workbasket.
After reassigning to a different workbasket, the manager of the 1st workbasket is still able to access that work object.
I have added Canperform Accesswhen in the ARO
Relation b/w WG--WB--WQ is 1 to 1.
Does anyone know how to restrict it.
***Edited by Moderator: Lochan to update platform capability tags***
My assumption is that you have roles and ARO for Assign-Workbasket(Access when might be something like operator must must have the workbasket defined in Operator ID rule) for those roles only that are defined in the workbasket and your expectation is only the roles defined in the workbasket must be able to access it's assignments.
Most likely root cause might be the user who is trying to access the assignment from workbasket(which he is not supposed to get access to) might be having a role that doesn't have an ARO defined for Assign-Workbasket class, so it would take the ARO of @baseclass which grants access with OOTB configuration.
Try defining an ARO(Access when condition to check if user is having workbasket in their operator ID rule) on Assign-Workbasket class for each role that you have in all of the access groups to fix the issue.