Setting Authorization in Model Element Property Pages

You can set authorization in the property dialogs of process definition and activity model elements.

Please refer to chapter Declarative Security in our Concepts section for details on the scope and impact of the different model element permissions.

Setting Authorization Properties

To set the authorization in the properties dialog of an element:

Beneath the Permission list, the possible participants for a selected permission are displayed with checkboxes. Possible participants are all roles, organizations, the administrator and the participant pertaining to an activity (Owner). Additionally the All option is provided to give grant to everyone. Grants like Owner and All, not pertaining to specific participants, are displayed cursive.

The permission set by default, is also enabled per default in the dialog. It is marked as default in brackets after the grant name.

To remove permission from all participants, deselect all provided entries.

Be aware that if disabling all permissions and closing the dialog, the permission is reset to the default permission and persisted again. After reopening the dialog you notice the default permission selected again.

Please also refer to the section Overwriting default Values of Declarative Security Grants of concept chapter Declarative Security for details on overwriting default values.

If no participant is selected, the permission is given to the default participant provided for this action. The administrator is always granted, regardless of the grants set for the authorization property.

Property Page - Authorization
Figure: Setting the Authorization in the Property Page.

Authorization for Data

The data property pages provide the following permissions:

Authorization - Data
Figure: Setting the Authorization for Data.

Authorization for Process Definitions

The process definition property pages provide the following permissions:

Authorization - Process
Figure: Setting the Authorization for a Process Definition.

Authorization for Activities

The activity property pages provide the following permissions:

Delegation to other departments

The entitlement Delegation to other departments allows the user to delegate work from one department to another.

Delegation to other users vs. Delegation to other departments

To determine if an activity delegation succeeds with the "Delegation to other users" permission, or requires the "Delegation to other departments" permission, depends on the following cases. In case the input for delegation is:

  1. the source participant, represented by a source participant and a source department
  2. the target participant, represented by a target participant and a target department
  3. the default performer of the activity, represented by a participant

then the delegation permissions needed are:

Interactive activities

Interactive activities additionally can have the grant Owner, which represents the participant associated with the activity. This is useful for example to restrict the abort functionality for subprocess activities. Thus it can be avoided that subprocess activities are aborted and as a consequence the whole process is terminated.

If the activity instance is in the participant worklist of a scoped participant, the Owner grant is extended to the worklist visibilities. The participant and department of the activity will then have to match with the logged-in user in order to allow the action.

Authorization - Activities
Figure: Setting the Authorization for an interactive Activity.

Non-interactive activities

Please note that additionally to the participant given the permission for aborting activity instances, the administrator always has the right to abort.

Authorization - Activities
Figure: Setting the Authorization for a non-interactive Activity.