Authorization for EJB renderings
Security must be enabled in WebSphere Application Server. When an instance of the LocalBusinessProcess
or the BusinessProcess session bean is created, WebSphere Application Server associates
a session context with the instance. The session context contains the caller's
principal. This information is used by both the container and the process
engine to check the caller's authorization for each call.
The following reasons for a work-item assignment are used:
- For processes: reader, starter, administrator
- For activities: reader, editor, potential owner, owner
These assignment reasons are mapped to authorization authorities:
- Activity reader authority: can see properties of the associated activity
instance, and its input and output messages
- Activity editor authority: has the authority of the activity reader, and
has write access to messages and other data associated with the activity
- Potential activity owner authority: has the authority of the activity
editor, and has the right to claim the activity
- Activity owner authority: has the authority of the potential activity
owner, and has the right to complete the activity
- Process starter authority: can see properties of the associated process
instance, its input and output messages, and write other data associated with
the process
- Process reader authority: can see properties of the associated process
instance, its input and output messages, and everything that the activity
reader supports for all contained activities, including those in blocks, but
not those of the independent subprocesses
- Process administrator authority: has the authority of the process reader
and the process starter, and the right to intervene in a process that has
started
Special authority is granted to a person with the role of business process
administrator. This role is different from the process administrator of a
process instance: a business process administrator has all privileges.
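The following sketch is an added example, not IBM code and not the Process Choreographer API. It models how the authorities above build on one another and how process reader authority reaches contained activities but not those of independent subprocesses. The right names (view, write, claim, complete, intervene), the user names and the object IDs are assumptions made for illustration.

```python
# Added model of the authority rules above; NOT the Process Choreographer API.
# Right names (view/write/claim/complete/intervene) and all IDs are constructed.
ALL = {"view", "write", "claim", "complete", "intervene"}
OWN = {  # what each assignment reason adds on its own object
    ("activity", "reader"): {"view"},
    ("activity", "editor"): {"write"},
    ("activity", "potential owner"): {"claim"},
    ("activity", "owner"): {"complete"},
    ("process", "reader"): {"view"},
    ("process", "starter"): {"view", "write"},
    ("process", "administrator"): {"intervene"},
}
INHERITS = {  # "has the authority of ..."
    ("activity", "editor"): [("activity", "reader")],
    ("activity", "potential owner"): [("activity", "editor")],
    ("activity", "owner"): [("activity", "potential owner")],
    ("process", "administrator"): [("process", "reader"), ("process", "starter")],
}

def includes(key, wanted):
    """True if authority `key` is, or inherits, authority `wanted`."""
    return key == wanted or any(includes(p, wanted) for p in INHERITS.get(key, []))

def authority(key):
    """Rights of an authority plus everything it inherits."""
    return {r for k, rs in OWN.items() if includes(key, k) for r in rs}

def rights_on(caller, target, work_items, bp_admins=()):
    """target: dict(kind, id, process); work_items: (user, kind, object id, reason)."""
    if caller in bp_admins:  # business process administrator: all privileges
        return set(ALL)
    rights = set()
    for user, kind, obj, reason in work_items:
        if user != caller:
            continue
        if (kind, obj) == (target["kind"], target["id"]):
            rights |= authority((kind, reason))
        elif (kind == "process" and target["kind"] == "activity"
              and obj == target["process"]  # same instance, blocks included
              and includes((kind, reason), ("process", "reader"))):
            rights |= authority(("activity", "reader"))
    return rights

WORK_ITEMS = [  # constructed sample assignments
    ("ann", "process", "P1", "administrator"),
    ("bob", "process", "P1", "reader"),
    ("bob", "activity", "A2", "potential owner"),
    ("cat", "process", "P1", "starter"),
]
P1 = {"kind": "process", "id": "P1", "process": None}
A1 = {"kind": "activity", "id": "A1", "process": "P1"}  # in a block of P1
A2 = {"kind": "activity", "id": "A2", "process": "P1"}
A9 = {"kind": "activity", "id": "A9", "process": "P2"}  # independent subprocess
```

In this model the process starter gains nothing on activities, and a potential owner can claim but not complete, which are the two boundaries most often misread when assigning work items.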
You cannot delete the user ID of the process starter from your user registry
while the process instance exists. If you do, the navigation of this process
cannot continue. You receive the following exception in the system log file:
no unique ID for: <user ID>

Last updated: Jun 21, 2007 8:07:48 PM CDT
WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/wfapi/concepts/c6auth.html