Access Rules (Security)

Access Rules (Security)

User Group

Are the roles as defined in WordPress.

A user can belong to multiple User Groups


An Actor is a participant  in a process. An Actor can be defined in the BPMN model as a Lane, however, you can refine Actors definitions in the Designer.

In our example there are three Actors: Claimant (person starting the process), Approver (the Manager who approves the claim) and Reviewer (the person conducting the financial review); as you see on “As Actor” column below.

access rules grid


First Rule:

Allow members of the User Group ‘Employee’ to ‘Perform’ the Event ‘Start Claim’; i.e. Start the Process.  And this user will be labelled ‘Claimant’. He/she can’t change that access (delegate it to another).

Second Rule:

Allow the user that is the  ‘Claimant’  for the Case, to view all activities for that Case.




For System wide capabilities  refer to System commands


Privilege Description Applies to
View Read only, Include notification



Perform Perform work Task
Assign Assign Task to a worker



Monitor Monitor activities System Wide

Complex Access Rules

[Allow|Restrict]  [User Expression] to [Privilege] on [Object type] for [scope]




(Users Expression)









Allow All View Process: Got Mail All
Allow All


(new role Owner)

Process: Order Pizza Owner
.. Owner (as defined above) View Process
Pizzeria Staff Perform

Bake Pizza

Deliver Pizza

User works in the Store
.. Pizzeria manager Assign Process User works in the Store
Head Office Staff Perform Re-Assign Store
Allow or Restrict user group Privilege



All or condition

Two more concepts are introduced above:

Owner and Store, there are process variables defined as part of the process and are used to point to the User (as in the case of owner) or an attribute of the User (as in the case store)

Here is  more complex example

# User expression privilege Process/Task Condition Role
1 Allow Group: Writer Perform-Authoer Edit Article In their expertise Author
2 Allow Group: Research Perform-Researcher Edit Article Researcher
3 Allow Group: Senior Writer Perform-Reviewer Review article

In their expertise

And Not the writer

4 Allow Role: Author Perform-Auther Make Corrections
  • Rule 1: We allow any user that is a member of the group “Writer” to start a new Article (within their expertise), the user that start the process is now has the role “Author”
  • Rule 2: We designated a second Role “Researcher” for the same task
  • Rule 3: Any Senior Writer can perform “Review Article” (within their expertise) but it he/she can not be “Author”.
  • Rule 4: Only the user with the role “Author”, i.e. same user start started the process, can perform the task “Make Corrections”
Roles Definition Multiple
Author 1
Researcher 1
Reviewer 1


Leave a Reply