The Access roles site preference
allows you to create access roles and manage the membership of each
access role. Access roles hide actions, pages and applets from standard
pages within the application. However, access roles do not secure
Content Engine objects or prevent users from calling these actions,
pages and applets if provided by another application, API, or through
a custom-built URL calling Workplace XT actions, pages or applets
directly. Access roles are not a substitute for file or folder level
security.
Default access roles
Default access roles
control access to administrative functions and to specific workflow-related
tools. Default access roles are created when the application is installed.
You can rename the default access roles, and add or remove members.
You cannot delete a default access role.
Each default access
role controls access to a specific feature or tool. In addition, you
can assign the default access roles to other views and actions.
- Application
Engine Administrators - Determines which users can set
site preferences and access the Administration Tools. Only members
of this access role can define access roles and membership.
  - Members of this access role are implicitly members of all defined
    access roles.
  - This access role must have at least one member.
  - The user who sets the bootstrap preferences on initial use is
    automatically added to the Application Engine Administrators access
    role. This user becomes the creator/owner of the custom objects in
    the Content Engine that represent and secure access roles in the object
    store. This user cannot be denied access to any of the default access
    roles unless another user takes ownership of the access role custom
    objects through Enterprise Manager.
  - You cannot set a member of this access role to Deny
    Access. You can only deny access by not adding a user
    to this access role.
- PSConsole -
Determines which users can access Simulation Console. By default,
this access role has no members until you add members.
- PSDesigner -
Determines which users can access Simulation Designer. By default,
this access role has no members until you add members.
- PWAdministrator -
Determines which users can access Process Administrator. By default,
this access role has no members until you add members.
- PWConfiguration -
Determines which users can access Process Configuration Console.
By default, this access role has no members until you add members.
- PWDesigner -
Determines which users can access Process Designer in design and
diagram mode and the Workflow Subscription wizard. By default, this
access role has no members until you add members. For users to access
the Workflow Subscription wizard, you must add the members to this
access role and you must give each user access rights to create instance
and modify link privileges on the Workflow Subscription Class default
permissions through Enterprise Manager. See Security script wizard for more information.
- PWDiagram -
Determines which users can access Process Designer in diagram mode.
By default, this access role has no members until you add members.
Custom access roles
You can create custom
access roles or use the default access roles to determine which users
can access specific features and commands within Workplace XT. You
can use access roles with My Workplace preferences, Primary Views preferences,
and Actions preferences.
If a user is not a member of the assigned access role, the user cannot
access the feature. If a user is a member of a specific access role,
you can allow or deny the member access to the associated feature.
Resolving access role control
Users can
be members of more than one access role, sometimes with conflicting
rights. Also, in some situations, you might need to grant additional
membership to a user to ensure that the user has full access to all
intended features and actions. Keep the following points in mind when
assigning access role memberships, access to primary views, and access
to actions.
- To grant access to all users, add the #Authenticated-Users group
to the access role. You can allow or deny access to this group to
allow or deny access to all users.
- When a user is added to an access role, the user is allowed access
by default. You must manually deny access if needed.
- If a user is a member of more than one access role, and the access
roles have conflicting allow and deny access rights, the user is allowed
access. That is, allowed access in one access role overrides denied
access in another access role.
- Object store administrators, defined in Content Engine, can view
all objects in the object store, regardless of access role membership.
- If a user is granted membership to the PSConsole, PSDesigner,
or PWDesigner access role, and you have secured the Advanced Tools
with another access role, the user must also be a member of the Advanced
Author access role to view the Advanced Tools and to start the tools
for the access role (Simulation Console, Simulation Designer,
Process Designer, or Workflow Subscription wizard).
- If a user is granted membership to the PWAdministrator or PWConfiguration
access role, and you have secured the Administration menu with another
access role, the user must also be a member of the Admin access role
to view the administration page or menu and to start the associated
tools for the access role (Process Administrator or Process Configuration
Console).
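
The resolution rules above, modelled as an added Python example (not part of the product or its documentation). The custom role names Contractors and Staff, and all user and group names, are hypothetical; the tie-break inside a single role is an assumption noted in the code.

```python
# Models UI visibility only: access roles do not secure Content Engine objects.
ADMIN_ROLE = "Application Engine Administrators"
EVERYONE = "#Authenticated-Users"

def role_decision(entries, principals):
    """Return 'allow', 'deny' or None (not a member) for one access role.

    entries maps a user or group name to 'allow' or 'deny'.
    Assumption: inside one role an Allow entry beats a Deny entry, mirroring
    the cross-role rule; the page documents only the cross-role case.
    """
    hits = {entries[p] for p in principals if p in entries}
    if "allow" in hits:
        return "allow"
    return "deny" if hits else None

def resolve(roles, assigned, user, groups=()):
    """Resolve visibility of a feature secured by the role names in `assigned`.

    Returns (allowed, overridden); overridden lists the roles whose Deny entry
    has no effect because another assigned role allows the user.
    """
    principals = {user, EVERYONE, *groups}
    # Administrators are implicit members of every defined access role.
    if role_decision(roles.get(ADMIN_ROLE, {}), principals) == "allow":
        return True, []
    decisions = {r: role_decision(roles.get(r, {}), principals) for r in assigned}
    allowed = "allow" in decisions.values()
    overridden = sorted(r for r, d in decisions.items() if d == "deny")
    return allowed, (overridden if allowed else [])

def can_start_tool(roles, tool_role, gate_role, user, groups=()):
    """A tool behind a separately secured menu needs both roles to allow the user."""
    return (resolve(roles, [tool_role], user, groups)[0]
            and resolve(roles, [gate_role], user, groups)[0])

# Constructed sample configuration; user, group and custom role names are hypothetical.
ROLES = {
    ADMIN_ROLE: {"ceadmin": "allow"},
    "PWDesigner": {"alice": "allow", "bob": "allow"},
    "Advanced Author": {"alice": "allow"},
    "Contractors": {"contractors-grp": "deny"},
    "Staff": {EVERYONE: "allow"},
}

if __name__ == "__main__":
    print(resolve(ROLES, ["Contractors", "Staff"], "bob", ["contractors-grp"]))
    print(can_start_tool(ROLES, "PWDesigner", "Advanced Author", "bob"))
```

A non-empty overridden list marks Deny entries that have no effect on the feature and are worth reviewing.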
Changing access role membership
Access role
membership information is cached during a client session, but changes
to access role assignments are immediate. If you change the access
roles assigned for a primary view or access roles assigned to an action,
those changes take effect immediately for users who are logged in.
However, if you add or remove a user from an access role while that
user is currently logged in, the changes take effect the next time
the user logs in.
The user who creates the access role always
has access to the access role, even if the user name is removed from
the role. The user retains owner access to the custom objects that
represent the access role in the object store. To fully remove the
user account from the access role, an object store administrator must
use Enterprise Manager to change the owner of the custom objects
that represent the access role.
To add members to an access
role:
- Click Add new members below the name of
the desired access role. The Select Users/Groups page opens.
- Select either User or Groups to
display the appropriate list.
- Type one or more characters for the beginning of the user or group
names to search for. For example, to locate groups named ProjectLeads
and ProgramManagers, type "p". All group names beginning with
"p" are returned. You can narrow the search by entering more characters.
For example, "proj" would return ProjectLeads, but not ProgramManagers.
- Click Search. After a brief delay, the
matching names are displayed.
- If the number of matching names exceeds the default number that can be
displayed, not all matches are displayed. You must change the search
criteria and click Search again to see more
results.
- When you are satisfied with the results, select the desired group
names from the list. You can use Ctrl+Click or Shift+Click to
select more than one name in the list.
- Click Accept. The site preferences page
opens again, with the new user or group name listed for the access
role under Allowed Access.
- If needed, click Deny Access next to the
user or group name to deny access to a specific user or group.
- Save your changes.
To remove a user or group from an access role:
Click Remove next
to the access role's user or group name that you want to remove, then
save your changes.
To change access from allow to deny:
Click Deny
Access next to the access role's user or group name that
you want to change, then save your changes.
To add a new access
role:
- Click Add Role to open the Add Access Role
page.
- Enter an Access role name.
- Optionally, enter a description in Access role description.
- Click Accept. The Site Preferences page
opens.
- Add members to the new access role and save your changes.
To remove a user-defined access role:
Click Delete
Role below the access role name you want to remove, then
save your changes.
To rename an access role:
- Click Rename Role below the desired access
role.
- Edit the Access role name.
- If applicable, edit the description.
- Accept and save your changes.