Declarative Security Usage in Infinity Process Platform Services API

This chapter gives an overview of the existing permissions and their usage in specific methods of the Infinity Process Platform Services.

Note that authorization is always checked before any other validation or code is executed. Thus, if the user is not authorized, an AccessForbiddenException is thrown rather than the exception that would otherwise be expected.

Permissions

The following permissions are available:

Permission Scope Description
abortActivityInstances Activity Permission to abort an activity from the Infinity Process Platform Portal and via API
abortProcessInstances Process Permission to abort a process from the Infinity Process Platform Portal and via API
controlProcessEngine Model Permission to flush the cache and perform engine operations such as suspend and restart
createCase Process Permission to create cases from Infinity Process Platform Portal and via API
delegateToDepartment Activity Permission to delegate an activity to another department from the Infinity Process Platform Portal and via API
delegateToOther (implies delegateToDepartment) Activity Gives permission to delegate to another participant, default performer and user, from the Infinity Process Platform Portal and via API. It also gives permission to suspend an activity.
deleteProcessInstances Process Permission to delete process instances from the Infinity Process Platform Portal and via API
deployProcessModel Model Gives permission to deploy and specify the parameters for the model deployment at runtime from the Infinity Process Platform Portal Administration perspective, via API and console command.
deployRuntimeArtifact Model Permission to deploy and manage a runtime artifact in the Infinity Process Platform Portal and via API
forceSuspend Model Permission to force activity instances to be suspended and added to the worklist of the default performer declared for the corresponding activity from the Infinity Process Platform Portal and via API
manageAuthorization Model Permission to change user grants, e.g. to assign or revoke roles and organizations as well as to add and remove user groups to or from a given user. This affects the Infinity Process Platform Portal User and Role assignment views and API.
manageDaemons Model Permission to start, stop and query the state of the daemons from the Infinity Process Platform Portal Administration perspective, through API and console command
manageDeputies Model Permission to change the deputies of users from the Infinity Process Platform Portal Administration perspective and through API
manageEventHandlers Activity, Process Permission to bind and unbind event handler via API and console command
modifyAuditTrail Model Permission to modify the AuditTrail database, like users, grants and models through API and console commands
modifyAuditTrailStatistics Model Permission to modify the AuditTrail database, like users, grants and models through API and console commands
modifyActivityInstances Activity Permission to modify activity instances in the Infinity Process Platform Portal and via API
modifyCase Process Permission to modify process instance cases in the Infinity Process Platform Portal and via API
modifyDataValues Activity Permission to read process data values in the Infinity Process Platform Portal and via API
modifyDepartments Model Permission to perform the following operations:
  • Create departments.
  • Modify department details such as department name and description.
  • Change assignments of users.
  • Delete departments.
through the Infinity Process Platform Portal Administration perspective, API and console commands.
modifyDmsData Model Permission to modify any data via the document management service
modifyProcessInstances Process Permission to modify process instances in the Infinity Process Platform Portal and via API
modifyUserData Model Permission to modify user data such as name, email or account through Infinity Process Platform Portal Administration perspective, API and console commands
performActivity Activity Permission to perform an activity from the Infinity Process Platform Portal and per API
readActivityInstanceData Activity Permission to access activity instances from the Infinity Process Platform Portal and via API
readAuditTrailStatistics Model Permission to query statistics on the audit trail database, like health report, log entries and its count via API and console commands
readDataValues Data Permission to read process data values
readDepartments Model Permission to retrieve existing departments and read their attributes via Infinity Process Platform Portal views, API and console commands
readModelData Model Permission to access data contained in the model, like model description, process details and participant details via Infinity Process Portal, API and console commands.
readProcessInstanceData Process Permission to access the process instances the user is authorized to read, find first process and get process instance count in the Infinity Process Platform Portal and via API
readUserData Model Permission to access user and user group data such as email or account in the Infinity Process Platform Portal Control Center views and per API
readRuntimeArtifact Model Permission to read a deployed runtime artifact in the Infinity Process Platform Portal and via API
resetUserPassword Model Permission to reset the password of a user via Infinity Process Platform Portal Administration perspective, API and console commands
runRecovery Model Permission to recover the database from the Infinity Process Platform Portal Administration perspective, through APIs and console command
saveOwnPartitionScopePreferences Model Permission to save preferences in own partition scope via Infinity Process Platform Portal views, API and console command
saveOwnRealmScopePreferences Model Permission to save preferences in own realm scope via Infinity Process Platform Portal views, API and console command
saveOwnUserScopePreferences Model Permission to save preferences in own user scope via Infinity Process Platform Portal views, API and console command
joinProcessInstance Process Permission to join a process instance from Infinity Process Platform Portal and via API
spawnPeerProcessInstance Process Permission to spawn a peer process instance from Infinity Process Platform Portal and via API
spawnSubProcessInstance Process Permission to spawn a sub process instance from Infinity Process Platform Portal and via API
startProcesses Process Permission to start a new process instance from Infinity Process Platform Portal and via API

Declarative Security used in Infinity Process Platform Services API

The following table shows the permissions required for specific methods in the corresponding services, the participant that holds the permission by default, and the method scope.

The attributes listed in the table have the following meanings:


Service Method Permission ID Defaults Scope administratorOverride defer Changeable
AdministrationService abortProcessInstance abortProcessInstances ADMINISTRATOR processDefinition true false true
AdministrationService flushCaches controlProcessEngine ADMINISTRATOR model true false true
AdministrationService deployModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService overwriteModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService setPrimaryImplementation deployProcessModel ADMINISTRATOR model true false true
AdministrationService deleteModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService forceSuspendToDefaultPerformer forceSuspend ADMINISTRATOR model true false true
AdministrationService getDaemon manageDaemons ADMINISTRATOR model true false true
AdministrationService stopDaemon manageDaemons ADMINISTRATOR model true false true
AdministrationService startDaemon manageDaemons ADMINISTRATOR model true false true
AdministrationService getAllDaemons manageDaemons ADMINISTRATOR model true false true
AdministrationService startProcess modifyAuditTrail ADMINISTRATOR model true false false
AdministrationService setPasswordRules modifyAuditTrail ADMINISTRATOR model true false true
AdministrationService deleteProcesses modifyAuditTrail ADMINISTRATOR model true false false
AdministrationService cleanupRuntime modifyAuditTrail ADMINISTRATOR model true false true
AdministrationService cleanupRuntimeAndModels modifyAuditTrail ADMINISTRATOR model true false true
AdministrationService createDepartment modifyDepartments ADMINISTRATOR model true false true
AdministrationService modifyDepartment modifyDepartments ADMINISTRATOR model true false true
AdministrationService removeDepartment modifyDepartments ADMINISTRATOR model true false true
AdministrationService setProcessInstancePriority modifyProcessInstances ADMINISTRATOR processDefinition true false true
AdministrationService forceCompletion performActivity ADMINISTRATOR model true false false
AdministrationService getAuditTrailHealthReport readAuditTrailStatistics ADMINISTRATOR model true false true
AdministrationService getDepartment readDepartments ALL model true false true
AdministrationService recoverProcessInstance runRecovery ADMINISTRATOR model true false true
AdministrationService recoverProcessInstances runRecovery ADMINISTRATOR model true false true
AdministrationService recoverRuntimeEnvironment runRecovery ADMINISTRATOR model true false true
AdministrationService saveConfigurationVariables saveOwnPartitionScopePreferences ADMINISTRATOR model true false true
AdministrationService setGlobalPermissions saveOwnPartitionScopePreferences ADMINISTRATOR model true false true
AdministrationService getRuntimeArtifact readRuntimeArtifact ADMINISTRATOR model true false true
AdministrationService getSupportedRuntimeArtifactTypes readRuntimeArtifact ADMINISTRATOR model true false true
AdministrationService deployRuntimeArtifact deployRuntimeArtifact ADMINISTRATOR model true false true
AdministrationService overwriteRuntimeArtifact deployRuntimeArtifact ADMINISTRATOR model true false true
AdministrationService deleteRuntimeArtifact deployRuntimeArtifact ADMINISTRATOR model true false true
AdministrationService writeLogEntry modifyAuditTrailStatistics ALL model true false true
AdministrationService savePreferences saveOwnUserScopePreferences ALL model true false true
DocumentManagementService createDocument modifyDmsData ALL model true false true
DocumentManagementService versionDocument modifyDmsData ALL model true false true
DocumentManagementService removeDocumentVersion modifyDmsData ALL model true false true
DocumentManagementService moveDocument modifyDmsData ALL model true false true
DocumentManagementService updateDocument modifyDmsData ALL model true false true
DocumentManagementService requestDocumentContentUpload modifyDmsData ALL model true false true
DocumentManagementService createFolder modifyDmsData ALL model true false true
DocumentManagementService removeDocument modifyDmsData ALL model true false true
DocumentManagementService updateFolder modifyDmsData ALL model true false true
DocumentManagementService removeFolder modifyDmsData ALL model true false true
DocumentManagementService setPolicy modifyDmsData ALL model true false true
DocumentManagementService migrateRepository modifyDmsData ALL model true false true
QueryService getActivityInstancesCount readActivityInstanceData ALL activity true true true
QueryService getAllActivityInstances readActivityInstanceData ALL activity true true true
QueryService findFirstActivityInstance readActivityInstanceData ALL activity true true true
QueryService getAuditTrail readActivityInstanceData ALL activity true true true
QueryService getLogEntriesCount readAuditTrailStatistics ADMINISTRATOR model true false true
QueryService getPermissions readModelData ALL model false
QueryService getAllData readModelData ALL model true false true
QueryService getAllBusinessObjects readDataValues ALL data true true true
QueryService getAllLogEntries readAuditTrailStatistics ADMINISTRATOR model true false true
QueryService findFirstLogEntry readAuditTrailStatistics ADMINISTRATOR model true false true
QueryService findAllDepartments readDepartments ALL model true false true
QueryService findDepartment readDepartments ALL model true false true
QueryService getModel readModelData ALL model true false true
QueryService getAllParticipants readModelData ALL model true false true
QueryService getParticipant readModelData ALL model true false true
QueryService getAllProcessDefinitions readModelData ALL model true false true
QueryService getProcessDefinition readModelData ALL model true false true
QueryService getAllModelDescriptions readModelData ALL model true false true
QueryService getAllAliveModelDescriptions readModelData ALL model true false true
QueryService getActiveModelDescription readModelData ALL model true false true
QueryService getModels readModelData ALL model true false true
QueryService getModelDescription readModelData ALL model true false true
QueryService wasRedeployed readModelData ALL model true false true
QueryService getActiveModel (deprecated) readModelData ALL model true false true
QueryService getModelAsXML readModelData ALL model true false true
QueryService getSchemaDefinition readModelData ALL model true false true
QueryService getProcessInstancesCount readProcessInstanceData ALL processDefinition true true true
QueryService getAllProcessInstances readProcessInstanceData ALL processDefinition true true true
QueryService findFirstProcessInstance readProcessInstanceData ALL processDefinition true true true
QueryService getUsersCount readUserData ALL model true false true
QueryService getUserGroupsCount readUserData ALL model true false true
QueryService getAllUsers readUserData ALL model true false true
QueryService getAllUserGroups readUserData ALL model true false true
QueryService findFirstUser readUserData ALL model true false true
QueryService findFirstUserGroup readUserData ALL model true false true
QueryService getRuntimeArtifact readRuntimeArtifact ADMINISTRATOR model true false true
QueryService getRuntimeArtifacts readRuntimeArtifact ADMINISTRATOR model true false true
UserService modifyUser modifyUserData ADMINISTRATOR model true false true
UserService createUser modifyUserData ADMINISTRATOR model true false true
UserService invalidate modifyUserData ADMINISTRATOR model true false true
UserService invalidateUser modifyUserData ADMINISTRATOR model true false true
UserService createUserGroup modifyUserData ADMINISTRATOR model true false true
UserService modifyUserGroup modifyUserData ADMINISTRATOR model true false true
UserService invalidateUserGroup modifyUserData ADMINISTRATOR model true false true
UserService createUserRealm modifyUserData ADMINISTRATOR model true false true
UserService dropUserRealm modifyUserData ADMINISTRATOR model true false true
UserService getUser readUserData ALL model true false true
UserService getUserGroup readUserData ALL model true false true
UserService getUserRealms readUserData ALL model true false true
UserService addDeputy manageDeputies ADMINISTRATOR model true false true
UserService modifyDeputy manageDeputies ADMINISTRATOR model true false true
UserService removeDeputy manageDeputies ADMINISTRATOR model true false true
UserService getDeputies manageDeputies ADMINISTRATOR model true false true
UserService getUsersBeingDeputyFor manageDeputies ADMINISTRATOR model true false true
UserService generatePasswordResetToken resetUserPassword ALL model true false true
UserService resetPassword resetUserPassword ALL model true false true
WorkflowService abortActivityInstance abortActivityInstances OWNER activity true false true
WorkflowService abortProcessInstance abortProcessInstances ADMINISTRATOR processDefinition true false true
WorkflowService suspend performActivity OWNER activity false false false
WorkflowService delegateCase delegateToOther (implies delegateToDepartment) OWNER processDefinition true false false
WorkflowService suspendToDefaultPerformer performActivity OWNER activity false false false
WorkflowService suspendToUser(long), suspendToUser(long, String, Map<String, ?>) performActivity OWNER activity false false false
WorkflowService suspendToUser(long, long), suspendToUser(long, long, String, Map<String, ?>) performActivity OWNER activity false false true
WorkflowService suspendToParticipant performActivity OWNER activity false false true
WorkflowService hibernate delegateToOther ALL activity true false true
WorkflowService delegateToDefaultPerformer delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService delegateToUser delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService delegateToParticipant delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService setActivityInstanceAttributes modifyActivityInstances ALL activity true false true
WorkflowService bindActivityEventHandler manageEventHandlers ALL activity true false true
WorkflowService bindProcessEventHandler manageEventHandlers ALL processDefinition true false true
WorkflowService unbindActivityEventHandler manageEventHandlers ALL activity true false true
WorkflowService unbindProcessEventHandler manageEventHandlers ALL processDefinition true false true
WorkflowService getActivityInstanceEventHandler manageEventHandlers ALL activity true false true
WorkflowService getProcessInstanceEventHandler manageEventHandlers ALL processDefinition true false true
WorkflowService activate performActivity OWNER activity false false false
WorkflowService complete performActivity OWNER activity false false false
WorkflowService activateAndComplete performActivity OWNER activity false false false
WorkflowService activateNextActivityInstance performActivity OWNER activity false true false
WorkflowService activateNextActivityInstance performActivity OWNER workitem false true false
WorkflowService activateNextActivityInstanceForProcessInstance performActivity OWNER activity false true false
WorkflowService createBusinessObjectInstance modifyDataValues ALL data true false true
WorkflowService updateBusinessObjectInstance modifyDataValues ALL data true false true
WorkflowService deleteBusinessObjectInstance modifyDataValues ALL data true false true
WorkflowService createCase createCase ALL model true false true
WorkflowService joinCase modifyCase ALL processDefinition true false true
WorkflowService leaveCase modifyCase OWNER processDefinition true false true
WorkflowService mergeCases modifyCase OWNER processDefinition true false true
WorkflowService performAdHocTransition performActivity OWNER activity true false true
WorkflowService getWorklist readActivityInstanceData ALL workitem false true false
WorkflowService getActivityInstance readActivityInstanceData ALL activity true false true
WorkflowService getAdHocTransitionTargets readModelData ALL activity true true true
WorkflowService getModel readModelData ALL model true false true
WorkflowService getStartableProcessDefinitions readModelData ALL model true false true
WorkflowService setProcessInstanceAttributes modifyProcessInstances ALL processDefinition true false true
WorkflowService getProcessInstance readProcessInstanceData ALL processDefinition true false true
WorkflowService getProcessResults readProcessInstanceData ALL processDefinition true false true
WorkflowService getInDataPath readProcessInstanceData ALL processDefinition true false true
WorkflowService getInDataPaths readProcessInstanceData ALL processDefinition true false true
WorkflowService setOutDataPath readProcessInstanceData ALL processDefinition true false true
WorkflowService setOutDataPaths readProcessInstanceData ALL processDefinition true false true
WorkflowService getInDataValue readDataValues OWNER data true true false
WorkflowService getInDataValues readDataValues OWNER data true true false
WorkflowService startProcess startProcesses ALL processDefinition true false true
WorkflowService joinProcessInstance joinProcessInstance ALL model true false true
WorkflowService spawnSubprocessInstance spawnSubProcessInstance ALL model true false true
WorkflowService spawnSubprocessInstances spawnSubProcessInstance ALL model true false true
WorkflowService spawnPeerProcessInstance spawnPeerProcessInstance ALL model true false true
WorkflowService writeLogEntry modifyAuditTrailStatistics ALL true false true
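
One way to review the table above for an access audit, as an added example that is not part of the Infinity Process Platform documentation or code base: the Python script below parses rows in the table's column layout and lists state-changing permissions that default to ALL, rows whose Changeable column is false, and rows with missing columns. The sample rows are copied from the table; the WRITE_PREFIXES list and all function names are assumptions of this example.

```python
import re
from collections import namedtuple

# Rows copied from the table above, including the two rows that the page
# lists with missing columns, so that incomplete entries are reported.
SAMPLE_ROWS = """\
AdministrationService deleteModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService writeLogEntry modifyAuditTrailStatistics ALL model true false true
DocumentManagementService removeDocument modifyDmsData ALL model true false true
QueryService getPermissions readModelData ALL model false
QueryService getAllUsers readUserData ALL model true false true
UserService resetPassword resetUserPassword ALL model true false true
WorkflowService delegateToUser delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService complete performActivity OWNER activity false false false
WorkflowService writeLogEntry modifyAuditTrailStatistics ALL true false true
"""

Row = namedtuple(
    "Row", "service method permission defaults scope admin_override defer changeable")

DEFAULTS = {"ALL", "OWNER", "ADMINISTRATOR"}
SCOPES = {"model", "processDefinition", "activity", "data", "workitem"}
# Assumption of this example: permission IDs with these prefixes change state.
WRITE_PREFIXES = ("abort", "control", "delete", "deploy", "force",
                  "manage", "modify", "reset", "run")
IMPLIES = re.compile(r"\s*\(implies \w+\)")


def parse_row(line):
    """Return a Row, or None when the line lacks one of the eight columns."""
    tokens = IMPLIES.sub("", line).split()
    if len(tokens) < 8:
        return None
    # Parse from the right: method signatures may themselves contain spaces.
    *head, defaults, scope, override, defer, changeable = tokens
    flags = (override, defer, changeable)
    if (defaults not in DEFAULTS or scope not in SCOPES
            or not set(flags) <= {"true", "false"}):
        return None
    service, permission = head[0], head[-1]
    method = " ".join(head[1:-1])
    return Row(service, method, permission, defaults, scope,
               *(flag == "true" for flag in flags))


def audit(text):
    """Return (state-changing permissions open to ALL,
    rows whose Changeable column is false, unparseable lines)."""
    open_writes, fixed, incomplete = [], [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        row = parse_row(line)
        if row is None:
            incomplete.append(line)
            continue
        if row.defaults == "ALL" and row.permission.startswith(WRITE_PREFIXES):
            open_writes.append(f"{row.service}.{row.method} ({row.permission})")
        if not row.changeable:
            fixed.append(f"{row.service}.{row.method}")
    return open_writes, fixed, incomplete


if __name__ == "__main__":
    for title, items in zip(("Open to ALL", "Changeable=false", "Incomplete"),
                            audit(SAMPLE_ROWS)):
        print(title, *items, sep="\n  ")
```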

Adding and Removing Grants

With the interface User, you can manage grants for participants. Please refer to the Javadoc of the User interface for detailed information on the usage of its methods and their parameters.

Adding Grants to Participants

The method addGrant(ModelParticipantInfo participant) marks that grants for the given participant should be added to all model versions. An InvalidArgumentException is thrown if the participant is null.

Note that the grant is not actually given until the method UserService.modifyUser(user) is invoked. Please refer to the section UserService of the chapter Infinity Process Platform Services for information on this service and to the corresponding Javadoc of org.eclipse.stardust.engine.api.runtime.UserService for detailed information on the modifyUser method.

Removing Grants from a Participant

The method removeGrant(ModelParticipantInfo participant) marks the grants for the given participant to be removed from all model versions. The grant is not actually removed until the method UserService.modifyUser(user) is invoked. Please refer to the section UserService of the chapter Infinity Process Platform Services for information on this service and to the corresponding Javadoc of org.eclipse.stardust.engine.api.runtime.UserService for detailed information on the modifyUser method.