Authorization roles for business processes

Actions that you can take on business processes depend on your authorization role. This role can be a J2EE role or an instance-based role.

A role is a set of employees who share the same level of authority. Java™ 2 Platform, Enterprise Edition (J2EE) roles are set up when the business process container is configured. Instance-based roles are assigned to processes and activities when the process is modeled. Role-based authorization requires that global security is enabled in WebSphere® Application Server.

J2EE roles

The following J2EE roles are supported:
  • J2EE BPESystemAdministrator. Users assigned to this role have all privileges. This role is also referred to as the system administrator for business processes.
  • J2EE BPESystemMonitor. Users assigned to this role can view the properties of all business process objects. This role is also referred to as the system monitor for business processes.

You can use the administrative console to change the assignment of users and groups to these roles.

Instance-based roles

A process instance or an activity is not assigned directly to a staff member in the process model; instead, it is assigned to one of the available roles. Any staff member who is assigned to an instance-based role can perform the actions for that role. The association of users to instance-based roles is determined at runtime using staff resolution.

The following instance-based roles are supported:

These roles are authorized to perform the following actions:

| Role | Authorized actions |
|---|---|
| Activity reader | View the properties of the associated activity instance, and its input and output messages. |
| Activity editor | Actions that are authorized for the activity reader, and write access to messages and other data associated with the activity. |
| Potential activity starter | Actions that are authorized for the activity reader. Members of this role can send messages to receive or pick activities. |
| Potential activity owner | Actions that are authorized for the activity reader. Members of this role can claim the activity. |
| Activity owner | Work on and complete an activity. Members of this role can transfer owned work items to an administrator or a potential owner. |
| Activity administrator | Repair activities that are stopped due to unexpected errors, and force terminate long-running activities. |
| Process starter | View the properties of the associated process instance, and its input and output messages. |
| Process reader | View the properties of the associated process instance and its input and output messages. Process readers can also view the properties, and input and output messages for any activities that are contained in the process instance, but they cannot see any information about its subprocesses. |
| Process administrator | Members of this role can administer process instances and intervene in a process that has started; create, delete, and transfer work items. Members of this role also have activity administrator authorization. |

Do not delete the user ID of the process starter from your user registry if the process instance still exists. If you do, the navigation of this process cannot continue. You receive the following exception in the system log file:
no unique ID for: <user ID> 

(c) Copyright IBM Corporation 2005, 2006.