
4.1.9. Rights

Rights determine which operations users and groups may perform on processes and tasks. A rights policy is used to decide whether a concrete user may perform an operation on a workflow object.

The rights policy used by the CoreMedia Workflow Server is configurable. By default, the ACLRightsPolicy is used. It determines the rights based on Access Control Lists (ACLs) for each workflow object. The ACLs are defined by granting and revoking rights for a user or a group. The following rules apply:

  • Rights for a user are calculated from the concrete rights defined for that user and the rights of all the groups the user is a member of. Users and groups may be specified directly or by storing them in a specified variable.

  • A revoke takes precedence over a grant.

  • Rights for users and groups read from a variable take precedence over rights granted to a fixed user. These rights in turn take precedence over rights for a fixed group.

For example:

<Rights>
  <Grant user="admin" rights="create,start,suspend,resume,abort"/>
  <Grant group="composer" rights="create,start"/>
  <Grant group="suspender" rights="suspend,resume"/>
</Rights>

Example 4.8. Example of the ACL for a process


This ACL for a process gives the user admin the right to create, start, suspend, resume and abort the process instance. Whether the user admin is in the groups composer or suspender is not relevant. Users who are members of the composer group may create and start process instances. A composer group member who is also in the group suspender may suspend and resume the process instance as well. Users who are not members of the composer or suspender group have no rights on the process instance.
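
The following script is an added example, not CoreMedia code: it audits the ACL from Example 4.8 by computing each user's effective rights from the fixed user and group grants, which is a quick way to review who can abort or suspend a process. The users alice, bob and carol, the group editor and the membership map are constructed for illustration; the model covers only Grant entries for fixed users and groups, so revokes and principals read from a variable are rejected rather than evaluated.

```python
import xml.etree.ElementTree as ET

# The ACL from Example 4.8, embedded so the script runs offline.
ACL_XML = """<Rights>
  <Grant user="admin" rights="create,start,suspend,resume,abort"/>
  <Grant group="composer" rights="create,start"/>
  <Grant group="suspender" rights="suspend,resume"/>
</Rights>"""

# Constructed sample directory (assumption): user -> groups the user is in.
MEMBERSHIPS = {
    "admin": set(),
    "alice": {"composer"},
    "bob": {"composer", "suspender"},
    "carol": {"editor"},
}

def parse_grants(acl_xml):
    """Split the Grant entries into per-user and per-group right sets."""
    by_user, by_group = {}, {}
    for entry in ET.fromstring(acl_xml):
        if entry.tag != "Grant":
            # Anything else is outside this simplified model; fail loudly.
            raise ValueError(f"entry not modelled here: {entry.tag}")
        rights = {r.strip() for r in entry.get("rights", "").split(",") if r.strip()}
        if entry.get("user") is not None:
            by_user.setdefault(entry.get("user"), set()).update(rights)
        elif entry.get("group") is not None:
            by_group.setdefault(entry.get("group"), set()).update(rights)
        else:
            raise ValueError("Grant without a fixed user or group")
    return by_user, by_group

def effective_rights(user, memberships, acl_xml=ACL_XML):
    """Rights granted to the user directly plus those of every group they are in."""
    by_user, by_group = parse_grants(acl_xml)
    rights = set(by_user.get(user, ()))
    for group in memberships.get(user, ()):
        rights |= by_group.get(group, set())
    return rights

def who_may(operation, memberships, acl_xml=ACL_XML):
    """List the users whose effective rights include the given operation."""
    return sorted(u for u in memberships
                  if operation in effective_rights(u, memberships, acl_xml))

if __name__ == "__main__":
    for name in MEMBERSHIPS:
        print(name, sorted(effective_rights(name, MEMBERSHIPS)))
    print("may abort:", who_may("abort", MEMBERSHIPS))
```

Running `who_may` for sensitive operations such as abort against a real membership export shows at a glance whether a group grant has widened access beyond what was intended.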