Access Rules (Security)
User Group
User Groups are the roles as defined in WordPress.
A user can belong to multiple User Groups.
Actors
An Actor is a participant in a process. An Actor can be defined in the BPMN model as a Lane; however, you can refine Actor definitions in the Designer.
In our example there are three Actors: Claimant (the person starting the process), Approver (the Manager who approves the claim) and Reviewer (the person conducting the financial review), as you can see in the “As Actor” column below.
First Rule:
Allow members of the User Group ‘Employee’ to ‘Perform’ the Event ‘Start Claim’, i.e. start the Process. This user will be labelled ‘Claimant’. He/she can’t change that access (delegate it to another).
Second Rule:
Allow the user that is the ‘Claimant’ for the Case, to view all activities for that Case.
For system-wide capabilities, refer to System commands.
Privileges
Privilege | Description | Applies to |
View | Read only, Include notification | Process, Case |
Perform | Perform work | Task |
Assign | Assign Task to a worker | Task, Process |
Monitor | Monitor activities | System Wide |
Complex Access Rules
[Allow|Restrict] [User Expression] to [Privilege] on [Object type] for [scope]
Allow / Restrict | Who (Users Expression) | To (Privilege) | On (Process/Task) | For (Condition) | As (Role) |
Allow | All | View | Process: Got Mail | All | |
Allow | All | Start (new role Owner) | Process: Order Pizza | | Owner |
.. | Owner (as defined above) | View | Process | | |
.. | Pizzeria Staff | Perform | Bake Pizza, Deliver Pizza | User works in the Store | |
.. | Pizzeria manager | Assign | Process | User works in the Store | |
.. | Head Office Staff | Perform | Re-Assign Store | | |
Allow or Restrict | user group | Privilege | Process / Task | All or condition | |
Two more concepts are introduced above: Owner and Store. These are process variables defined as part of the process; they point either to the User (as in the case of Owner) or to an attribute of the User (as in the case of Store).
Here is a more complex example:
# | Allow / Restrict | User expression | Privilege | Process/Task | Condition | Role |
1 | Allow | Group: Writer | Perform-Author | Edit Article | In their expertise | Author |
2 | Allow | Group: Research | Perform-Researcher | Edit Article | | Researcher |
3 | Allow | Group: Senior Writer | Perform-Reviewer | Review article | In their expertise And Not the writer | Reviewer |
4 | Allow | Role: Author | Perform-Author | Make Corrections | | |
- Rule 1: We allow any user that is a member of the group “Writer” to start a new Article (within their expertise). The user who starts the process now has the role “Author”.
- Rule 2: We designate a second Role, “Researcher”, for the same task.
- Rule 3: Any Senior Writer can perform “Review Article” (within their expertise), but he/she cannot be the “Author”.
- Rule 4: Only the user with the role “Author”, i.e. the same user who started the process, can perform the task “Make Corrections”.
Roles Definition | Multiple |
Author | 1 |
Researcher | 1 |
Reviewer | 1 |
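
The four article rules above, evaluated in Python as an added example (not the product's own code). The `User`, `Case` and `perform` names, the default-deny behaviour, and reading "Multiple = 1" as one holder of each role per Case are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set
    expertise: set

@dataclass
class Case:
    topic: str
    roles: dict = field(default_factory=dict)  # role -> user name, bound per Case

# Conditions from the table, modelled as predicates over (user, case).
def in_expertise(user, case):
    return case.topic in user.expertise

def not_the_writer(user, case):
    return case.roles.get("Author") != user.name

# Rules 1-4 as (who, task, conditions, role granted); all are Allow rules.
RULES = [
    ("Group: Writer", "Edit Article", [in_expertise], "Author"),
    ("Group: Research", "Edit Article", [], "Researcher"),
    ("Group: Senior Writer", "Review Article", [in_expertise, not_the_writer], "Reviewer"),
    ("Role: Author", "Make Corrections", [], None),
]

def matches_who(who, user, case):
    kind, name = who.split(": ", 1)
    if kind == "Group":
        return name in user.groups
    return case.roles.get(name) == user.name  # "Role: X" resolves against the Case

def perform(user, task, case):
    """Default deny: True only if an Allow rule matches; binds the rule's role."""
    for who, rule_task, conditions, role in RULES:
        if rule_task != task or not matches_who(who, user, case):
            continue
        if not all(cond(user, case) for cond in conditions):
            continue
        # Assumption: "Multiple = 1" means one holder of each role per Case.
        if role and case.roles.setdefault(role, user.name) != user.name:
            continue
        return True
    return False

if __name__ == "__main__":
    ann = User("ann", {"Writer", "Senior Writer"}, {"security"})  # constructed sample user
    case = Case("security")
    print(perform(ann, "Edit Article", case), perform(ann, "Review Article", case))
```

Because Rule 3's "Not the writer" condition is checked against the role bound on the Case, a user who belongs to both the Writer and Senior Writer groups still cannot review their own article.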