Rights determine which operations users and groups may perform on processes and tasks. A rights policy is used to decide whether a concrete user may perform an operation on a workflow object.
The rights policy used by the CoreMedia Workflow Server is configurable. By default, the ACLRightsPolicy is used. It determines the rights based on Access Control Lists (ACLs) for each workflow object. The ACLs are defined by granting and revoking rights for a user or a group. The following rules apply:
Rights for a user are calculated from the concrete rights defined for that user and the rights of all the groups the user is a member of. Users and groups may be specified directly or by storing them in a specified variable.
A revoke takes precedence over a grant.
Rights for users and groups read from a variable take precedence over rights granted to a fixed user. These in turn take precedence over rights for a fixed group.
For example:
    <Rights>
      <Grant user="admin" rights="create,start,suspend,resume,abort"/>
      <Grant group="composer" rights="create,start"/>
      <Grant group="suspender" rights="suspend,resume"/>
    </Rights>
Example 4.8. Example of the ACL for a process
This ACL for a process gives the user admin the right to create, start, suspend, resume and abort the process instance. Whether the user admin is in the groups composer or suspender is not relevant. Users that are members of the composer group may create and start process instances. If a composer group member is also in the group suspender, that user may suspend and resume the process instance, too. Users that are not members of the composer or suspender group have no rights on the process instance.
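The rules above can be checked against an ACL before it is deployed. The following Python sketch is an added example, not CoreMedia code: it evaluates the ACL from Example 4.8 for a given user and group set under one reading of the precedence rules (the highest tier that mentions a right decides it, and a revoke beats a grant within a tier). The `Revoke` element name, the `trainee` group, and the function `effective_rights` are assumptions, and the variable tier is not modelled.

```python
import xml.etree.ElementTree as ET

# ACL from Example 4.8 on this page.
PAGE_ACL = """<Rights>
  <Grant user="admin" rights="create,start,suspend,resume,abort"/>
  <Grant group="composer" rights="create,start"/>
  <Grant group="suspender" rights="suspend,resume"/>
</Rights>"""

# Constructed variant: the Revoke element is assumed by analogy with Grant.
REVOKE_ACL = """<Rights>
  <Grant user="admin" rights="create,start,abort"/>
  <Grant group="composer" rights="create,start"/>
  <Revoke group="trainee" rights="start,abort"/>
</Rights>"""


def effective_rights(acl_xml, user, groups):
    """Return the set of rights `user` (a member of `groups`) holds.

    Interpretation (assumption): fixed-user entries form a higher tier than
    fixed-group entries; the highest tier that mentions a right decides it,
    and inside one tier a revoke beats a grant.
    """
    tiers = {"user": {}, "group": {}}  # tier -> right -> {"Grant", "Revoke"}
    for entry in ET.fromstring(acl_xml):
        if entry.tag not in ("Grant", "Revoke"):
            continue
        if entry.get("user") == user:
            tier = "user"
        elif entry.get("group") in groups:
            tier = "group"
        else:
            continue  # entry does not apply to this user
        for right in entry.get("rights", "").split(","):
            if right.strip():
                tiers[tier].setdefault(right.strip(), set()).add(entry.tag)
    granted, decided = set(), set()
    for tier in ("user", "group"):  # highest precedence first
        for right, verdicts in tiers[tier].items():
            if right not in decided:
                decided.add(right)
                if "Revoke" not in verdicts:
                    granted.add(right)
    return granted
```

Running it for each account that should and should not hold a right turns the ACL review into a repeatable check; a user who matches no entry ends up with an empty set, which matches the last sentence of the example above.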