diff --git a/product/ERP5Catalog/CatalogTool.py b/product/ERP5Catalog/CatalogTool.py
index 59c0a4308c01800489701d9f3ab3a1046327fbc6..59c53d26e1726fd16928ffa9343a4a00a264066f 100644
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -460,12 +460,27 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
 
       return allowedRolesAndUsers, role_column_dict
 
+    def getSecurityUidList(self, **kw):
+      """
+        Return a list of security Uids.
+        TODO: Add a cache.
+      """
+      allowedRolesAndUsers, role_column_dict = self.getAllowedRolesAndUsers(**kw)
+      catalog = self.getSQLCatalog()
+      method = getattr(catalog, catalog.sql_search_security)
+      allowedRolesAndUsers = ["'%s'" % (role, ) for role in allowedRolesAndUsers]
+      security_uid_list = [x.uid for x in method(security_roles_list = allowedRolesAndUsers)]
+      return security_uid_list
+
     security.declarePublic( 'getSecurityQuery' )
     def getSecurityQuery(self, query=None, **kw):
       """
         Build a query based on allowed roles or on a list of security_uid
         values. The query takes into account the fact that some roles are
         catalogued with columns.
+
+        TODO: use getSecurityUidList and drop compatibility with old
+        security system.
       """
       allowedRolesAndUsers, role_column_dict = self.getAllowedRolesAndUsers(**kw)
       catalog = self.getSQLCatalog()
diff --git a/product/ERP5Type/patches/WorkflowTool.py b/product/ERP5Type/patches/WorkflowTool.py
index 58997ac9e3af78bc4f1ee9c375929f498b4427bd..6b4348ab9bec3a8a67e3ffdb21c0fc6aca04e75d 100644
--- a/product/ERP5Type/patches/WorkflowTool.py
+++ b/product/ERP5Type/patches/WorkflowTool.py
@@ -113,7 +113,7 @@ SECURITY_COLUMN_ID = 'security_uid'
 COUNT_COLUMN_TITLE = 'count'
 INTERNAL_CRITERION_KEY_LIST = (WORKLIST_METADATA_KEY, SECURITY_PARAMETER_ID)
 
-def groupWorklistListByCondition(worklist_dict, acceptable_key_dict, getSecurityQuery):
+def groupWorklistListByCondition(worklist_dict, acceptable_key_dict, getSecurityUidList):
   """
     Get a list of dict of WorklistVariableMatchDict grouped by compatible conditions.
     Strip any variable which is not a catalog column.
@@ -151,9 +151,6 @@ def groupWorklistListByCondition(worklist_dict, acceptable_key_dict, getSecurity
         if criterion_id in acceptable_key_dict or criterion_id in WORKLIST_METADATA_KEY:
           valid_criterion_dict[criterion_id] = criterion_value
         elif criterion_id == SECURITY_PARAMETER_ID:
-          # XXX: Only call getSecurityQuery to get the security uid list from
-          # generated query. The security API should be extended to allow
-          # access to those intermediate values.
           # Caching is done at this level to be as fast as possible.
           security_cache_key = list(criterion_value)
           security_cache_key.sort()
@@ -161,7 +158,7 @@ def groupWorklistListByCondition(worklist_dict, acceptable_key_dict, getSecurity
           if security_cache_key in security_cache:
             criterion_value = security_cache[security_cache_key]
           else:
-            security_query = getSecurityQuery(**{criterion_id: criterion_value})
+            security_query = getSecurityUidList(**{criterion_id: criterion_value})
             criterion_value = security_query.getValue()
             security_cache[security_cache_key] = criterion_value
           criterion_id = SECURITY_COLUMN_ID
@@ -390,10 +387,10 @@ def WorkflowTool_listActions(self, info=None, object=None):
     def _getWorklistActionList():
       portal_url = getToolByName(self, 'portal_url')()
       portal_catalog = getToolByName(self, 'portal_catalog')
-      getSecurityQuery = portal_catalog.getSecurityQuery
+      getSecurityUidList = portal_catalog.getSecurityUidList
       acceptable_key_dict = portal_catalog.getSQLCatalog().getColumnMap()
       # Get a list of dict of WorklistVariableMatchDict grouped by compatible conditions
-      worklist_list_grouped_by_condition = groupWorklistListByCondition(worklist_dict=worklist_dict, acceptable_key_dict=acceptable_key_dict, getSecurityQuery=getSecurityQuery)
+      worklist_list_grouped_by_condition = groupWorklistListByCondition(worklist_dict=worklist_dict, acceptable_key_dict=acceptable_key_dict, getSecurityUidList=getSecurityUidList)
       LOG('WorklistGeneration', BLATHER, 'Will grab worklists in %s passes.' % (len(worklist_list_grouped_by_condition), ))
       for grouped_worklist_dict in worklist_list_grouped_by_condition:
         LOG('WorklistGeneration', BLATHER, 'Grabbing %s worklists...' % (len(grouped_worklist_dict), ))