Access roles preferences
The Access roles site preference allows you to create access roles and manage the membership of each access role.
Default access roles
Default access roles control access to administrative functions and to specific workflow-related tools. Default access roles are created when the application is installed. You can rename the default access roles, and add or remove members. You cannot delete a default access role.
Each default access role controls access to a specific feature or tool. In addition, you can assign the default access roles to other views and actions.
- Application Engine Administrators - Determines which users can set site preferences and access the Admin page in Workplace or Administration Tools in Workplace XT. Only members of this access role can define access roles and membership.
  - Members of this access role are implicitly members of all defined access roles.
  - This access role must have at least one member.
  - The user who sets the bootstrap preferences on initial use is automatically added to the Application Engine Administrators access role. This user becomes the creator/owner of the custom objects in the Content Engine that represent and secure access roles in the object store. This user cannot be denied access to any of the default access roles unless another user takes ownership of the access role custom objects through Enterprise Manager.
  - You cannot set a member of this access role to Deny Access. You can only deny access by not adding a user to this access role.
- PSConsole - Determines which users can access Simulation Console. By default, this access role has no members until you add members.
- PSDesigner - Determines which users can access Simulation Designer. By default, this access role has no members until you add members.
- PWAdministrator - Determines which users can access Process Administrator. By default, this access role has no members until you add members.
- PWConfiguration - Determines which users can access Process Configuration Console. By default, this access role has no members until you add members.
- PWDesigner - Determines which users can access Process Designer in design and diagram mode and the Workflow Subscription wizard. By default, this access role has no members until you add members.
  NOTE: For users to access the Workflow Subscription wizard, you must add the members to this access role and you must give each user access rights to create instance and modify link privileges on the Workflow Subscription Class default permissions through Enterprise Manager. See Security script wizard for more information.
- PWDiagram - Determines which users can access Process Designer in diagram mode. By default, this access role has no members until you add members.
Custom access roles
You can create custom access roles or use the default access roles to determine which users can access specific features and commands within Workplace and Workplace XT. You can use access roles with the Multi-select Actions preference, Author Page preferences, My Workplace preferences, Primary Views preferences, and Actions preferences. If a user is not a member of the assigned access role, the user cannot access the feature. If a user is a member of a specific access role, you can allow or deny the member access to the associated feature.
Resolving access role control
Users can be members of more than one access role, sometimes with conflicting rights. Also, in some situations, you might need to grant additional membership to a user to ensure that the user has full access to all intended features and actions. Keep the following points in mind when assigning access role memberships, access to primary views, and access to actions.
- To grant access to all users, add the #Authenticated-Users group to the access role. You can allow or deny access to this group to allow or deny access to all users.
- When a user is added to an access role, the user is allowed access by default. You must manually deny access if needed.
- If a user is a member of more than one access role, and the access roles have conflicting allow and deny access rights, the user is allowed access. That is, allowed access in one access role overrides denied access in another access role.
- Object store administrators, defined in Content Engine, can view all objects in the object store, regardless of access role membership.
- If a user is granted membership to the PSConsole, PSDesigner, or PWDesigner access role, and you have secured the Advanced Author page in Workplace or Advanced Tools in Workplace XT with another access role, the user must also be a member of the Advanced Author access role to view the Advanced Author page (Workplace) or Advanced Tools (Workplace XT) and to start the tools for the access role (Simulation Console, Simulation Designer, Process Designer, or Workflow Subscription wizard).
- If a user is granted membership to the PWAdministrator or PWConfiguration access role, and you have secured the Admin page in Workplace or the Administration menu in Workplace XT with another access role, the user must also be a member of the Admin access role to view the administration page or menu and to start the associated tools for the access role (Process Administrator or Process Configuration Console).
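The following is an added example, not part of the product or its documentation. It models the resolution rules listed above so that an administrator can find deny entries that have no effect because another assigned role allows the same user. The data structures, the role names Restricted and Reviewers, and all user and group names are hypothetical, and treating implicit administrator membership as allowed access is an assumption.

```python
# Constructed model of the rules above; role names other than the default
# ones, and all user and group names, are hypothetical sample data.
ADMIN_ROLE = "Application Engine Administrators"
ALL_USERS = "#Authenticated-Users"

def role_decision(role, roles, user, groups=()):
    """Return 'allow', 'deny' or None (not a member) for one access role."""
    entries = roles.get(role, {})
    principals = {user, ALL_USERS, *groups}
    rights = {entries[p] for p in principals if p in entries}
    # Administrators are implicit members of every role. Assumption: that
    # implicit membership carries the default "allow" right.
    if role != ADMIN_ROLE and role_decision(ADMIN_ROLE, roles, user, groups) == "allow":
        rights.add("allow")
    # Assumption: inside a single role an allow entry also wins over a deny
    # entry; the page states the allow-wins rule only across roles.
    if "allow" in rights:
        return "allow"
    return "deny" if rights else None

def feature_access(assigned_roles, roles, user, groups=()):
    """Allowed if any assigned role allows; non-members and denies fail."""
    decisions = {r: role_decision(r, roles, user, groups) for r in assigned_roles}
    return "allow" in decisions.values(), decisions

def overridden_denies(assigned_roles, roles, users):
    """List users whose deny in one role is cancelled by an allow in another."""
    findings = []
    for user, groups in sorted(users.items()):
        allowed, decisions = feature_access(assigned_roles, roles, user, groups)
        denied_in = sorted(r for r, d in decisions.items() if d == "deny")
        if allowed and denied_in:
            findings.append((user, denied_in))
    return findings

ROLES = {
    ADMIN_ROLE: {"ceadmin": "allow"},
    "Restricted": {"jsmith": "deny", "akhan": "deny"},
    "Reviewers": {"ReviewGroup": "allow"},
}
USERS = {"jsmith": ["ReviewGroup"], "akhan": [], "ceadmin": []}

if __name__ == "__main__":
    view_roles = ["Restricted", "Reviewers"]  # roles assigned to one view
    for name, groups in USERS.items():
        print(name, feature_access(view_roles, ROLES, name, groups))
    print("overridden denies:", overridden_denies(view_roles, ROLES, USERS))
```

Any user reported by `overridden_denies` still reaches the feature, so the deny has to be backed by removing the conflicting allow membership.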
Changing access role membership
Access role membership information is cached during a client session, but changes to access role assignments are immediate. If you change the access roles assigned for a primary view or access roles assigned to an action, those changes take effect immediately for users who are logged in. However, if you add or remove a user from an access role while that user is currently logged in, the changes take effect the next time the user logs in.
The user who creates the access role always has access to the access role, even if the user name is removed from the role. The user retains owner access to the custom objects that represent the access role in the object store. To fully remove the user account from the access role, an object store administrator must use Enterprise Manager to change the owner of the custom objects that represent the access role.
To add members to an access role
- Click Add new members below the name of the desired access role. The Select Users/Groups page opens.
- Select either User or Groups to display the appropriate list.
- Type one or more characters for the beginning of the user or group names to search for. For example, to locate groups named ProjectLeads and ProgramManagers, type "p". All group names beginning with "p" are returned. You can narrow the search by entering more characters. For example, "proj" would return ProjectLeads, but not ProgramManagers.
- Click Search. After a brief delay, the matching names are displayed.
- If the number of matching names is greater than the default for displaying, not all matches are displayed. You must change the search criteria and click Search again to see more results.
- When you are satisfied with the results, select the desired group names from the list. You can use Ctrl+Click or Shift+Click to select more than one name in the list.
- Click Accept. The site preferences page opens again, with the new user or group name listed for the access role under Allowed Access.
- If needed, click Deny Access next to the user or group name to deny access to a specific user or group.
- Save your changes.
To remove a user or group from an access role
Click Remove next to the access role's user or group name that you want to remove, then save your changes.
To change access from allow to deny
Click Deny Access next to the access role's user or group name that you want to change, then save your changes.
To add a new access role
- Click Add Role to open the Add Access Role page.
- Enter an Access role name.
- Optionally, enter a description in Access role description.
- Click Accept. The Site Preferences page opens.
- Add members to the new access role and save your changes.
To remove a user-defined access role
Click Delete Role below the access role name you want to remove, then save your changes.
To rename an access role
- Click Rename Role below the desired access role.
- Edit the Access role name.
- If applicable, edit the description.
- Accept and save your changes.