Request to have an option to set K2 service account to call or start an IPC or sub-workflows
In K2 version 4.7 (and previous versions), when the main workflow calls an IPC/sub-workflow, it uses the K2 service account to start the sub-workflow (IPC). Now, in K2 Five, when the main workflow calls the sub-workflow (or IPC), it uses the workflow Originator user's account instead of the K2 service account. With this change, we are now encountering some issues...
A workflow has a sub-workflow (or IPC), and the user (originator) started a task and assigned it to another user. Later, the originator who started the task left the company or was terminated (the originator is no longer active in Active Directory). The main workflow will then encounter an error when the assigned user completes the task, since the sub-workflow will not be able to execute or start because the originator of the task is no longer active in Active Directory.
Some of our sub-workflows are used by multiple workflows. We don't want to use the same permission set for sub-workflows, as we don't want other users to access these sub-workflows. With the new K2 Five implementation for IPC, we are forced to grant start permission to almost any user who has start permission on the main workflows. Proper security permissions are compromised because of this change. We can no longer limit the permission to execute the sub-workflow to just the K2 service account.
If the original implementation had been retained, where the K2 service account is used to execute an IPC or sub-workflow, the above issues would not be encountered. Alternatively, if there were a configurable option on the IPC or sub-workflow call within the workflow where you could grant permissions to a group, individual users, or the K2 service account and set a "Start" permission, the aforementioned issues would be resolved.
