Security workflow with group approval

I’d like to create a workflow that manages approval of opportunities.
As a test scenario I have defined a “Creators” Group and an “Approvers” Group.
When a Creator indicates through a specific field that he wants to initiate the workflow, I have a workflow that changes the “assigned to” to a specific “Approver”, but I do not want the initiator to be able to modify the opportunity. If the “Creators” group has rights only to edit their own opportunities, it is fine, since when the owner changes, they no longer can edit them. The problem comes when they need to have group editing rights, since when the owner changes, the opportunity has both “Creators” rights and “Approvers” rights. Is there a way to remove all the previous groups through the workflow or do we have to program a hook to do that? Any tips to put us in the right direction?

For now, the only solution I have found is to write a “before_save” hook that calls a function to delete all existing groups of the current record, so that only the groups for the current assigned user will remain:


    function deleteGroups(&$bean, $event, $arguments) {
        global $db;
        // Quote both values before they are placed in the SQL string.
        $record_id = $db->quoted($bean->id);
        $module = $db->quoted($bean->module_name);
        // Remove every security group link stored for this record.
        $query = "delete from securitygroups_records where record_id = $record_id and module = $module";
        $GLOBALS['log']->debug("OpportunityLogicHook: deleteGroups: $query");
        $db->query($query, true);
    }

I guess this has the risk that if the record is not finally saved, it would become orphaned, so maybe it is better to have an “after_save” hook instead and leave only the groups that belong to the current assigned user. Any suggestions?

I think that the best solution might be to uncheck both the “Inherit from Created By User” and “Inherit from Assigned To User” checkboxes in the Security Suite Settings and just use groups for controlling the access to each opportunity, and defaulting the “Assigned To User” to blank.

Through a hook I can add Security Groups to the opportunity and this way control the owner (or groups of owners) of the opportunity at each stage of the workflow…

The problem we are facing now is that it seems that the workflow is launched even before our before_save hook. Is this by design or can it be changed so that the workflow is launched after that hook? Can the workflow be forced to be executed just after the before_save hook?

It seems that the workflows are launched with an after_save hook. The $bean used does not get updated and it actually uses the original values and not the values of custom relationships updated inside our before_save hook. The solution is to update the bean as the first step of run_bean_flows in AOW_Workflow.php:

    $bean->retrieve($bean->id);

Can this be included in 7.1.2?
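
The “after_save” variant raised earlier in the thread, as an added example that is not the poster's or SuiteCRM's own code: it runs only once the record has been saved and keeps just the group links the assigned user belongs to. The file path, the `pruneGroups` name, the `securitygroups_users` columns and the soft delete via `deleted = 1` are assumptions.

```php
<?php
// Added example, not the poster's or SuiteCRM's code.
// Hypothetical file: custom/modules/Opportunities/OpportunityLogicHook.php
// Registered in the module's logic_hooks.php as an after_save hook, e.g.:
//   $hook_array['after_save'][] = array(10, 'Prune security groups',
//       'custom/modules/Opportunities/OpportunityLogicHook.php',
//       'OpportunityLogicHook', 'pruneGroups');
class OpportunityLogicHook
{
    public function pruneGroups(&$bean, $event, $arguments)
    {
        global $db;

        // Without an assignee there is no reference set of groups; leave the
        // record untouched rather than stripping all access.
        if (empty($bean->id) || empty($bean->assigned_user_id)) {
            return;
        }

        // Quote every value that goes into the SQL string.
        $record_id = $db->quoted($bean->id);
        $module    = $db->quoted($bean->module_name);
        $user_id   = $db->quoted($bean->assigned_user_id);

        // Assumption: links are soft-deleted with deleted = 1 and group
        // membership lives in securitygroups_users (user_id, securitygroup_id).
        // Only links to groups the assigned user is NOT a member of are removed.
        $query = "UPDATE securitygroups_records SET deleted = 1"
            . " WHERE record_id = $record_id AND module = $module AND deleted = 0"
            . " AND securitygroup_id NOT IN ("
            . "   SELECT securitygroup_id FROM securitygroups_users"
            . "   WHERE user_id = $user_id AND deleted = 0)";

        // Log the record id rather than the full statement.
        $GLOBALS['log']->debug("OpportunityLogicHook: pruneGroups for record {$bean->id}");
        $db->query($query, true);
    }
}
```

If the assigned user belongs to no security group, this removes every group link on the record, so access then depends on ownership and role rights alone.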