Managing Authorization

If you like to set the model level declarative security, open the Authorization Manager view from the Administration Perspective launch panel.

In this view, the authorization can be viewed and modified from a permissions or participant point of view.


Figure: Authorization Manager View

Participants Overview

An overview on all participants, their roles and description can be viewed in the Participants section.

Participants
Figure: Participants

Note that the Administrator role and the Auditor role are listed per default if at least one model has been deployed.

Administrator Role

The Administrator role is a predefined role with the authorization for all workflow administration activities. Some Allow permissions are assigned to this role per default.

Auditor Role

The Auditor role provides read-only authorization to view all processing aspects of the workflow. Some Deny permissions are assigned to this role per default.

Scoped Roles and Organizations

Scoped Participants are indicated in the Type column as SCOPED_ROLE and SCOPED_ORGANIZATION.

Exporting Participants Table Content

You can export the Participants table to a CSV file. Click one of the Export / Export icons in the toolbar. Please refer to chapter Exporting Table Content for details on exporting table content.

Permissions

The Permissions tree displays assignable permissions organized in a tree for general, model and UI permissions.

Expanding a node in the tree shows additional Allow and Denynode for granting access. Participants can be added to these nodes to allow access to the parent node.

Expanded Node
Figure: Expanded Node

Filtering for Permissions

To filter for specific permissions, enter a term in the search filter entry field and click the Filter Filter icon. The permissions applying to the search term will be highlighted in the tree accordingly as shown in below screenshot.

Filtering for Permissions
Figure: Filtering for Permissions

Resetting the filtering

To reset the filtering, click the Reset icon in the toolbar.

Highlighting selected Participants

If you like to highlight all occurrences of a participant or participants in the Permissions tree, which are selected in the Participants table, click the Highlight Icon icon in the toolbar.

Highlight permissions of selected participant
Figure: Click to highlight permissions of selected participant

All nodes, which have the selected participant(s) in their permission tree, expand and display the participant(s) highlighted.

Highlighted Participant
Figure: Highlighted participant in Permission tree

General Permissions

To view and select general permissions, expand the General Permissions tree.

General Permissions
Figure: General Permissions

The following general permissions can be set from the Authorization Manager view:

Permission Allow Access - Default Participant Deny Access - Default Participant Description
Abort and Join All Auditor Gives permission to abort the existing process instance and join it to another active process instance. The Abort Process Instances permission is required at process level to work with this permission.
Abort and Start All Auditor Gives permission to abort existing process instance and start another process instance. The Abort Process Instances permission is required at process level to work with this permission.
Control Process Engine Administrator Auditor Gives permission to perform engine operations such as suspend and restart. The user can perform these operations through engine APIs.
Create Case All Auditor Gives permission to create, join, attach and detach, abort and delegate a case. The user can also perform these operation through engine APIs.
Deploy Run-time Artifact Administrator Auditor Gives permission to deploy and manage a runtime artifact in the Infinity Process Platform Portal and via API
Deploy and Modify Process Model Administrator Auditor Gives permission to deploy and specify the parameters for the model deployment at runtime.
Force Suspend to Default Performer Administrator Auditor Gives permission to force activity instances to be suspended and added to the worklist of the default performer declared for the corresponding activity (API - AdministrationService#forceSuspendToDefaultPerformer() and AdministrationService#setProcessInstancePriority() ).
Manage Authorization Administrator Auditor Gives permission to assign or revoke roles and organizations as well as to add and remove user groups to or from a given user (Infinity Process Platform Portal User and Role assignment views and API).
Manage Daemons Administrator Auditor Gives permission to trigger the daemons. The user can also perform these operations through engine APIs and console command.
Manage Deputies Administrator Auditor Gives permission to create, update and delete deputies for all users. The user can also perform these operations through engine APIs. If you add particular role for Deputy then all users with that Role can create deputy for Everyone. So, if user 'a' has role of 'Manage Deputy', then he can see all active users and can create Deputy for Everyone.
Modify Audit Trail Statistics Administrator Auditor Gives permission to modify the audit trail database like users, grants and models
Modify Audit Trail Content Administrator Auditor Gives permission to modify users, grants and models. The user can also perform these operations through APIs and the console command.
Modify Departments Administrator Auditor Gives permission to modify department details such as department name and description. The user can also perform these operations through engine APIs and console commands.
Modify DMS Data All Auditor Gives permission to modify any data via the document management service.
Modify User Data Administrator Auditor Gives permission to modify user name, account, email address and other details. The user can also perform these operations through engine APIs and console commands.
Obtain Audit Trail Content Administrator, Auditor Gives permission to get audit trail health report, log entries and its count. The user can perform these operation through engine APIs and console commands.
Obtain Model Data All Gives permission to get information about model description, process details, participant details through APIs and console commands.
Obtain User Data All Gives permission to get details about user groups and all the users. The user can perform these operation through engine APIs.
Read Departments All Gives permission to read department details. The user can also perform these operations through engine APIs and console commands.
Read Run-time Artifact All Gives permission to read a deployed runtime artifact in the Infinity Process Platform Portal and via API.
Reset User Password All Gives permission to reset the password in case you have forgotten the password. The user can perform these operations through login page of the Infinity Portal, engine APIs and console commands.
Run Recovery Administrator Auditor Gives permission to recover the database. The user can also perform these operations through APIs and console command.
Save Own Partition Scope Preferences Administrator Auditor Gives permission to set partition scope preferences. The user can also perform these operations through APIs and console command.
Save Own Realm Scope Preferences Administrator Auditor Gives permission to set realm scope preferences. The user can also perform these operations through APIs and console command.
Save Own User Scope Preferences All Gives permission to set user scope preferences. The user can also perform these operations through APIs.
Spawn Process All Auditor Gives permission to start new process instance from the in scope process instance. Requires same permission as for start process.

For more information on authorization, please refer to chapter Declarative Security of the Infinity Process Platform Documentation - Developer Handbook. Declarative Security of the Developers Handbook.

To get an overview over permissions used in the Infinity Process Platform Services API, refer to chapter Declarative Security Usage in Infinity Process Platform Services API of the Infinity Process Platform Documentation - Programming Guide. Declarative Security Usage in Infinity Process Platform Services API of the Programming Guide.

Model Permissions

To view and select model permissions, expand the Models tree.

Model Permissions
Figure: Model Permissions

Process Definitions

Process Definition permissions are available under the Process Definitions tree.

Process Definition Permissions
Figure: Process Definition Permissions

Permission Allow Access - Default Participant Deny Access - Default Participant
Abort Process Instances Auditor
Manage Event Handlers Auditor
Modify Attributes Auditor
Modify Process Instance Auditor
Read Process Instance Data Auditor
Start Processes Auditor

Activities

Activities permissions are available under the Activities tree.

Activities Permissions
Figure: Activities Permissions

Permission Allow Access - Default Participant Deny Access - Default Participant
Abort Activity Instances Auditor
Delegate To Department Auditor
Delegate To Other Auditor
Manage Event Handlers Auditor
Modify Attributes Auditor
Perform Activity Auditor
Read Activity Instance Data Auditor
Read Model Data Auditor

Data

Expand the Data tree for data permissions.

Model Data Permissions
Figure: Model Data Permissions

Permission Allow Access - Default Participant Deny Access - Default Participant
Modify Data Values Auditor
Read Data Values Auditor

UI Permissions

In the Perspective section you can set permissions to allow access to perspectives. Expand UI Permissions to show perspective nodes.

Perspective Permissions
Figure: UI Permissions

Perspective nodes

Expanding a perspective node shows additional Allow and Deny nodes for granting access. Participants can be added to these nodes to allow access to the parent node. Expanding a perspective node also displays Views and Launch Panels nodes.

Perspective Node
Figure: Perspective Node

Views nodes

Views nodes contain the views that are defined in the parent perspective. Allow and Deny nodes under each view allow granting and denying access.

Views Node
Figure: Views Node for Administration Perspective

Launch Panel nodes

Launch Panel nodes contain the launch panels that are defined in the parent perspective. Allow and Deny nodes under each view allow granting and denying access.

Launch Panel Node
Figure: Launch Panels node for Worklist Perspective

Global Extensions

Expanding the Global Extensions node shows all defined global extensions. Expanding a global extension node itself displays Launch Panels and Views nodes if defined.

Global extensions for common views:

Global Extensions
Figure: Global Extensions

Permissions - Case Process Instance

The following permissions are required for different operations on a case process instance.

Function Authorization
Attaching, Detaching and Joining Allowed to Case Owners and Administrators. This permission grant is not configurable via declarative security settings.
Delegation Allowed to Case Owners and Administrators. This permission grant is not configurable via declarative security settings.
Setting the Process Priority for a Case Allowed to Case Owners and Administrators. This permission grant is not configurable via declarative security settings.
Setting the Case Name Allowed to all users. This permission grant is not configurable via declarative security settings.
Setting the Descriptors Allowed to all users. This permission grant is not configurable via declarative security settings.
Attaching Documents Allowed to all users. This permission grant is not configurable via declarative security settings.
Adding Process Notes Allowed to all users. This permission grant is not configurable via declarative security settings.
Querying for Cases The result of queries on cases depends on grant Read Process Instance which is set to All, by default. This permission grant is not configurable via declarative security settings.
Querying for Case Default Activities The result of queries on case default activities depends on the grant Read Activity Instance Data which is set to owner (same as the case owner) and All. This permission grant is not configurable via declarative security settings.
Aborting a Case Not allowed.
Other functionality on case process instances The following fixed default values apply if not mentioned otherwise:
  • Abort process Instances: Administrator
  • Read process Instances: All
  • Modify process Instances: Administrator

Permission Operations

You can perform the following operation on each permission:

Restoring the default permissions

To restore the permissions of a specific node, right-click the node and select Restore the default permissions from the context menu.

Restore
Figure: Restoring the default permissions

The permission gets assigned to the default participants.

Removing a Participant from a Permission node

To remove a participant from a Allow or Deny permission, right-click the participant and select Remove Participant from the context menu.

Remove Participant
Figure: Removing a participant

Note if you remove participant meta-role All and you have no other participant assigned, the following warning message appears on top of the Permissions tree:

Remove All Warning
Figure: Remove All warning

Removing all Participants from a Permission node

To remove all participants from Allow or Deny of a permission node, right-click the Allow or Deny node of the permission and select Remove all participants.

Removing all Participants from Permission
Figure: Removing all participants from a permission

Assigning Permissions to Participants

To assign a permission to one or more participants, click the participant(s) in the Participants table and drag and drop it/them under the according Permission tree node.

Drag and Drop
Figure: Dragging and dropping a Participant to a Permission

Now the Participant is added to the Permission tree accordingly. A notification message above the permissions indicates that the operation has completed successfully.

Drag and Drop Result
Figure: Participant is added to Permission tree

Assigning multiple permissions to Participants

To drag a participant to multiple permission nodes, do the following:

  1. Select multiple permission nodes, e.g. via CTRL+Click. The selected permission nodes get highlighted.

  2. Now select the participant and drag him to the Permissions tree.

  3. The participant will be added to all permission nodes that were selected in the tree.

Cloning Permissions

You can clone permissions from one or more Participants to one or more other Participants. Select the Participant(s) in the table and click the Clone icon in the toolbar.

Clone Permission
Figure: Cloning a Permission

The Clone Participant dialog opens. Specify the Participant to retrieve the permissions of the selected participant.

Select Participant
Figure: Select Participant

You have the option to select more than one Participant. Click Clone to start the clone operation or Cancel to cancel it.

Selected Participant
Figure: Selected Participant

Cloning Example

For example, we have a participant Engineer with the permissions to deploy runtime artifacts and a participant Salesperson with the permission to control the process engine and deploy and modify process models.

Original Participant Permissions
Figure: Original Participant Permissions

Now we like to give participant Controller the permissions of the two participants. We select participants Salesperson and Engineer in the Participants table and click the Clone icon.

Clone the Permissions
Figure: Clone the Permissions

In the Clone Participant dialog, we select participant Controller and click the Clone button.

Select Participant Engineer
Figure: Select Participant Engineer

In the Permissions tree we can now see that Participant Controller has the permissions to modify audit trail statistics, to manage deputies and to manage authorization.

Cloned Permissions
Figure: Cloned Permissions