Ensure that you enable global security in WebSphere® Application Server.
When an instance of the LocalBusinessFlowManager or the BusinessFlowManager
session bean is created, WebSphere Application Server associates a session
context with the instance. The session context contains the caller's principal
and roles. This information is used to check the caller's authorization on
every call: the caller must be authorized both to call the method and to view
the objects that the call returns and the attributes of those objects.
The following reasons for a work-item assignment are used:
- For processes: reader, starter, administrator
- For activities: reader, editor, potential owner, owner, administrator
These assignment reasons are mapped to authorizations:
- Activity reader: can see properties of the associated activity instance,
and its input and output messages.
- Activity editor: has the authority of the activity reader, and has write
access to messages and other data associated with the activity.
- Potential activity owner: has the authority of the activity editor, and
has the right to claim the activity.
- Activity owner: has the authority of the potential activity owner, and
has the right to complete the activity. Has the authority to transfer owned
work items to an administrator or potential owner.
- Activity administrator: can repair activities that are stopped due to
unexpected errors, and force terminate long-running activities.
- Activity potential owner: can send messages to receive or
pick activities.
- Process starter: can see properties of the associated process instance,
and its input and output messages.
- Process reader: can see properties of the associated process instance,
its input and output messages, and everything that the activity reader supports
for all of the contained activities but not those of the subprocesses.
- Process administrator: has the authority of the process reader and the
process starter, and the right to intervene in a process that has started.
Has the authority to create, delete, and transfer work items.
Special authorization authority is granted to people with the following
roles:
- Business process administrator and the Java™ 2 Platform, Enterprise Edition (J2EE)
BPESystemAdministrator. These roles have all privileges.
- Business process monitor and the J2EE BPESystemMonitor. These roles can
read all of the objects.
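The mapping above is a role hierarchy: each assignment reason grants some rights directly and "has the authority of" one or more weaker reasons, while the two special role pairs override the whole hierarchy. The following is an added example, not WebSphere Application Server code, that models that hierarchy so the effective rights of a caller can be computed and checked; the permission strings and the lower-case role names are chosen here for illustration, and only BPESystemAdministrator and BPESystemMonitor are names the page itself uses.

```python
"""Model of the Business Flow Manager authorization mapping described above.

Constructed example for illustration: this is not WebSphere Application
Server code. The permission strings (for example "activity.claim") and the
lower-case role names are names chosen here, not product identifiers; only
BPESystemAdministrator and BPESystemMonitor are the J2EE role names the page
itself uses.
"""
from __future__ import annotations

# Rights granted directly by each work-item assignment reason.
DIRECT_GRANTS: dict[str, set[str]] = {
    "activity_reader": {"activity.read", "activity.read_messages"},
    "activity_editor": {"activity.write_messages"},
    "activity_potential_owner": {"activity.claim"},
    "activity_owner": {"activity.complete", "activity.transfer"},
    "activity_administrator": {"activity.repair", "activity.force_terminate"},
    "process_starter": {"process.read", "process.read_messages"},
    "process_reader": {"process.read", "process.read_messages"},
    "process_administrator": {
        "process.intervene", "workitem.create", "workitem.delete", "workitem.transfer",
    },
}

# "Has the authority of ..." relationships between assignment reasons.
INHERITS: dict[str, list[str]] = {
    "activity_editor": ["activity_reader"],
    "activity_potential_owner": ["activity_editor"],
    "activity_owner": ["activity_potential_owner"],
    "process_administrator": ["process_reader", "process_starter"],
}

# A process reader also holds activity-reader rights on the activities the
# process contains directly, but not on the activities of its subprocesses.
CONTAINED_ACTIVITY_GRANTS: dict[str, str] = {"process_reader": "activity_reader"}

# Special roles: administrators hold every right, monitors hold every read right.
SYSTEM_ADMINS = {"BPESystemAdministrator", "business_process_administrator"}
SYSTEM_MONITORS = {"BPESystemMonitor", "business_process_monitor"}
READ_PERMISSIONS = {p for grants in DIRECT_GRANTS.values() for p in grants if ".read" in p}


def effective_permissions(role: str, activity_in_subprocess: bool = False) -> set[str]:
    """Return every right a role holds, following the inheritance chain."""
    if role not in DIRECT_GRANTS:
        raise ValueError(f"unknown assignment reason: {role}")
    perms = set(DIRECT_GRANTS[role])
    # Contained-activity rights stop at subprocess boundaries.
    if role in CONTAINED_ACTIVITY_GRANTS and not activity_in_subprocess:
        perms |= effective_permissions(CONTAINED_ACTIVITY_GRANTS[role])
    for parent in INHERITS.get(role, []):
        perms |= effective_permissions(parent, activity_in_subprocess)
    return perms


def is_authorized(caller_roles, permission: str, activity_in_subprocess: bool = False) -> bool:
    """Decide one call the way the session-context check does: special roles
    first, then the union of the caller's work-item assignment reasons."""
    roles = set(caller_roles)
    if roles & SYSTEM_ADMINS:
        return True
    if roles & SYSTEM_MONITORS and permission in READ_PERMISSIONS:
        return True
    for role in roles - SYSTEM_ADMINS - SYSTEM_MONITORS:
        if permission in effective_permissions(role, activity_in_subprocess):
            return True
    return False


if __name__ == "__main__":
    # Constructed callers and calls; no real users or process instances are involved.
    cases = [
        ({"activity_editor"}, "activity.claim", False),           # editor cannot claim
        ({"activity_owner"}, "activity.claim", False),            # owner inherits the right to claim
        ({"BPESystemMonitor"}, "activity.read_messages", False),  # monitor reads everything
        ({"BPESystemMonitor"}, "activity.complete", False),       # but cannot change state
        ({"process_reader"}, "activity.read", True),              # activity of a subprocess: denied
    ]
    for roles, perm, sub in cases:
        print(f"{sorted(roles)} -> {perm} (subprocess={sub}): {is_authorized(roles, perm, sub)}")
```

Keeping the inheritance edges as data rather than hard-coding each role's full set makes the check easy to audit: a right appears in `effective_permissions` only if the page's "has the authority of" chain leads to it, and the subprocess boundary for process readers is the one place where inheritance is deliberately cut.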
Do not delete the user ID of the process starter from your user registry
if the process instance still exists. If you do, the navigation of this process
cannot continue. You receive the following exception in the system log file:
no unique ID for: <user ID>