How to implement a 2-man-rule

In some situations, a task may not be performed by someone who has performed another task. This is often referred to with the term 2-man-rule.

More accurate would be to call this an exclusion rule, because the idea behind the rule is to exclude users for a specific task. The result of the exclusion of a specific user for a certain task is that another user has to perform that task, hence the term 2-man-rule.

In this article, the implementation of a 2-man-rule is discussed, based on the following simple process model:

The process shown above consists of four ad hoc tasks, AddFiles, ContactCustomer, MakeAssessment and UpdatePersonalInformation. These tasks are not specified further in this example, but the reader may very well understand what the contents of such tasks could be. The process has one mandatory task, ReviewAndClose.

In order to achieve this requirement, place an authorization algorithmon the task ReviewAndCloseCase, as shown below.

Specify a multivalued attribute in which all users are stored that may not execute this task, as shown below.

Now all that needs to be done is make sure that at the end of the ad-hoc tasks AddFiles, ContactCustomer, MakeAssessment and UpdatePersonalInformation, the attribute Control.CaseOwners is updated. See the image below.

The contents of the flows that are mapped to the ad-hoc tasks AddFiles, ContactCustomer, MakeAssessment and UpdatePersonalInformation is out of scope, but make sure that at the end of the flow, the user who has performed the task (by default stored in system.user.id) is added to the multivalued attribute Control.CaseOwners. This is achieved by updating the value of the attribute Control.CaseOwners with its old value (Control.CaseOwners), combined with system.user.id.

When a user, who has previously performed any of the ad-hoc tasks AddFiles, ContactCustomer, MakeAssessment or UpdatePersonalInformation, tries to perform the task ReviewAndCloseCase at runtime, the following message will appear: