To set model-level declarative security, open the Authorization Manager view from the Administration Perspective launch panel.
In this view, the authorization can be viewed and modified from a permissions or participant point of view.

Figure: Authorization Manager View
To view and select general permissions, expand the General Permissions tree.

Figure: Authorization Manager View
The following general permissions can be set from the Authorization Manager view:
| Permission | Default Participant | Description |
|---|---|---|
| Control Process Engine | Administrator | Gives permission to perform engine operations such as suspend and restart. The user can perform these operations through engine APIs. |
| Create Case | All | Gives permission to create, join, attach and detach, abort and delegate a case. The user can also perform these operations through engine APIs. |
| Deploy and Modify Process Model | Administrator | Gives permission to deploy and specify the parameters for the model deployment at runtime. |
| Force Suspend to Default Performer | Administrator | Gives permission to force activity instances to be suspended and added to the worklist of the default performer declared for the corresponding activity (API - AdministrationService#forceSuspendToDefaultPerformer() and AdministrationService#setProcessInstancePriority() ). |
| Abort and Join | All | Gives permission to abort the existing process instance and join it to another active process instance. The Abort Process Instances permission is required at process level to work with this permission. |
| Manage Authorization | Administrator | Gives permission to assign or revoke roles and organizations as well as to add and remove user groups to or from a given user (Stardust Portal User and Role assignment views and API). |
| Manage Daemons | Administrator | Gives permission to trigger the daemons. The user can also perform these operations through engine APIs and console command. |
| Manage Deputy | Administrator | Gives permission to create, update and delete deputies for all users. The user can also perform these operations through engine APIs. If you add a particular role for Deputy, then all users with that role can create a deputy for everyone. So, if user 'a' has the role of 'Manage Deputy', that user can see all active users and can create a deputy for everyone. |
| Modify Audit Trail Content | Administrator | Gives permission to modify users, grants and models. The user can also perform these operations through APIs and the console command. |
| Modify Departments | Administrator | Gives permission to modify department details such as department name and description. The user can also perform these operations through engine APIs and console commands. |
| Modify User Data | Administrator | Gives permission to modify user name, account, email address and other details. The user can also perform these operations through engine APIs and console commands. |
| Obtain Audit Trail Content | Administrator | Gives permission to get the audit trail health report, log entries and their count. The user can perform these operations through engine APIs and console commands. |
| Read Departments | All | Gives permission to read department details. The user can also perform these operations through engine APIs and console commands. |
| Obtain Model Data | All | Gives permission to get information about model description, process details, participant details through APIs and console commands. |
| Obtain User Data | All | Gives permission to get details about user groups and all the users. The user can perform these operations through engine APIs. |
| Reset User Password | All | Gives permission to reset the password in case you have forgotten the password. The user can perform these operations through login page of the Stardust Portal, engine APIs and console commands. |
| Run Recovery | Administrator | Gives permission to recover the database. The user can also perform these operations through APIs and console command. |
| Save Own Partition Scope Preferences | Administrator | Gives permission to set partition scope preferences. The user can also perform these operations through APIs and console command. |
| Save Own Realm Scope Preferences | Administrator | Gives permission to set realm scope preferences. The user can also perform these operations through APIs and console command. |
| Save Own User Scope Preferences | All | Gives permission to set user scope preferences. The user can also perform these operations through APIs. |
| Abort and Start | All | Gives permission to abort an existing process instance and start another process instance. The Abort Process Instances permission is required at process level to work with this permission. |
| Spawn Process | All | Gives permission to start a new process instance from the in-scope process instance. Requires the same permission as for starting a process. |
For more information on authorization, please refer to chapter Authorization of the Stardust Documentation - Developer Handbook.
For an overview of the permissions used in the Stardust Services API, refer to chapter Declarative Security Usage in Stardust Services API of the Stardust Documentation - Programming Guide.
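To review a deployment against the defaults in the general permissions table above, the following sketch compares a grant snapshot with those defaults. It is an added example, not part of the Stardust documentation or code base. The snapshot format, the `audit` function, the severity labels and the participant names Operator and HelpDesk are assumptions; grants are matched by name only, without resolving the participant hierarchy.

```python
# Defaults transcribed from the general permissions table on this page.
ADMIN_DEFAULT = {
    "Control Process Engine", "Deploy and Modify Process Model",
    "Force Suspend to Default Performer", "Manage Authorization",
    "Manage Daemons", "Manage Deputy", "Modify Audit Trail Content",
    "Modify Departments", "Modify User Data", "Obtain Audit Trail Content",
    "Run Recovery", "Save Own Partition Scope Preferences",
    "Save Own Realm Scope Preferences",
}
ALL_DEFAULT = {
    "Create Case", "Abort and Join", "Read Departments", "Obtain Model Data",
    "Obtain User Data", "Reset User Password",
    "Save Own User Scope Preferences", "Abort and Start", "Spawn Process",
}
# Per the table, these two also need Abort Process Instances at process level.
NEEDS_PROCESS_ABORT = {"Abort and Join", "Abort and Start"}

def audit(grants, process_abort=frozenset()):
    """Return sorted (severity, permission, message) findings.
    grants: permission -> participant names (assumed, hand-transcribed format).
    process_abort: participants holding process-level Abort Process Instances.
    """
    findings = []
    for perm, current in grants.items():
        current = set(current)
        extra = sorted(current - {"Administrator"})
        if perm not in ADMIN_DEFAULT | ALL_DEFAULT:
            findings.append(("REVIEW", perm, "not in the documented table"))
        elif perm in ADMIN_DEFAULT and "All" in current:
            findings.append(("HIGH", perm, "administrative permission granted to All"))
        elif perm in ADMIN_DEFAULT and extra:
            findings.append(("REVIEW", perm, "also granted to " + ", ".join(extra)))
        elif perm in ALL_DEFAULT and "All" not in current:
            findings.append(("INFO", perm, "narrowed to " + ", ".join(sorted(current))))
        missing = sorted(current - set(process_abort))
        if perm in NEEDS_PROCESS_ABORT and "All" not in process_abort and missing:
            findings.append(("INFO", perm, "no process-level abort grant for " + ", ".join(missing)))
    return sorted(findings)

# Constructed snapshot for illustration; not taken from a real system.
SAMPLE = {
    "Manage Authorization": {"Administrator", "All"},
    "Run Recovery": {"Administrator", "Operator"},
    "Reset User Password": {"HelpDesk"}, "Abort and Join": {"All"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, process_abort={"Administrator"}):
        print(" | ".join(finding))
```
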
In the UI Permissions section you can set permissions to allow access to perspectives, launch panels and views in the portal. Expand the UI Permissions to show perspective nodes in alphabetical order and an Extensions node.

Figure: UI Permissions
Expanding a perspective node shows an additional Allow Access node for granting access. Participants can be added to these nodes to allow access to the parent perspective node. Expanding a perspective node also displays Launch Panel and Views nodes.

Figure: Perspective Node
Launch Panel nodes contain the launch panels that are defined in the parent perspective. Under each launch panel, Allow Access nodes are provided for granting access.

Figure: Launch Panel Node
Views nodes contain the views that are defined in the parent perspective. Allow Access nodes under each view allow granting access.

Figure: View Node
Expanding the Global Extensions node shows all defined global extensions. Expanding a global extension node itself displays Launch Panels and Views nodes if defined.
Global extensions for common views:

Figure: Global Extensions
Example for a global perspective extension with a custom view and launch panel:

Figure: Custom Global Extensions
Launch panels and views defined in a perspective extension that extends exactly one perspective, i.e. not a global extension, are displayed under the target (extended) perspective node itself.
Conversely, launch panels and views defined in a perspective extension that extends all perspectives are displayed under a separate node in the Global Extensions node.
Note: Launch panels and views defined in a perspective extension that extends more than one but less than all perspectives (using a comma-separated list) are currently not displayed. This kind of extension is deprecated.
The following permissions are required for different operations on a case process instance.
| Function | Authorization |
|---|---|
| Attaching, Detaching and Joining | Allowed to Case Owners and Administrators. This permission grant is not configurable via declarative security settings. |
| Delegation | Allowed to Case Owners and Administrators. This permission grant is not configurable via declarative security settings. |
| Setting the Process Priority for a Case | Allowed to Case Owners and Administrators. This permission grant is not configurable via declarative security settings. |
| Setting the Case Name | Allowed to all users. This permission grant is not configurable via declarative security settings. |
| Setting the Descriptors | Allowed to all users. This permission grant is not configurable via declarative security settings. |
| Attaching Documents | Allowed to all users. This permission grant is not configurable via declarative security settings. |
| Adding Process Notes | Allowed to all users. This permission grant is not configurable via declarative security settings. |
| Querying for Cases | The result of queries on cases depends on grant Read Process Instance which is set to All, by default. This permission grant is not configurable via declarative security settings. |
| Querying for Case Default Activities | The result of queries on case default activities depends on the grant Read Activity Instance Data which is set to owner (same as the case owner) and All. This permission grant is not configurable via declarative security settings. |
| Aborting a Case | Not allowed. |
| Other functionality on case process instances | The following fixed default values apply if not mentioned otherwise: |
By default, the Permissions option is selected in the Authorization Manager view. All the model-level permissions are listed under the Permissions pane. The possible participants for these permissions are listed in the right-side pane of the page.
You can expand each permission node to view the participants who have grants for that authorization. When you click on any permission, that permission is displayed in bold highlights of the same color. It indicates that the permission is selected. You can also select multiple permissions and participants using the CTRL+Click gesture.
Figure: Permissions
You can perform the following operations on each permission:
You can also perform the following operations on the participants that are listed under each permission:
If you want to give the permission to all participants, right-click on the permission and select Add All Participants from the context menu. If required, you can select more than one permission node and perform this operation.
Figure: Add All Participants
The selected permission is granted to all the participants.
Figure: Granted to All Participants
If a permission is assigned to some participants and you want to assign it only to the default participant, select this option. This option is disabled if the default participant already has that permission. If required, you can select more than one permission node and perform this operation.
To restore the default participant, right-click on the permission and select the Restore Default Participant option from the context menu. Click on the Save icon displayed in the upper-right corner of the page.
Figure: Restore Default Participants
The permission gets assigned to the default participant.
Note that you must save the changes to permissions after this operation.
Using this option, you can paste the participant displayed under any permission to any other permission. This option is enabled only if you have copied the participant from any other permission node. If required, you can select more than one permission node and perform this operation.
To use this option, copy the participant from any node, then right-click on the permission and select Paste from the context menu. Click on the Save icon displayed in the upper-right corner of the page.
Figure: Paste Participant
Note that you must save the changes to permissions after this operation.
Using this option, you can remove the participant listed under the permission.
Right-click on the participant and select the Remove Participant option from the context menu.
Figure: Remove Participants
Click on the Save icon displayed in the upper-right corner of the page.
Note that you must save the changes to permissions after this operation.
Using this option, you can copy the participant and paste it under any other permission.
Right-click on the participant and select the Copy option from the context menu.
Figure: Copy Participants
Click on the Save icon displayed in the upper-right corner of the page.
The participant can have one or more permissions granted to them.
Figure: Permissions and Available Participants
By default, all the participants are displayed. The Type drop-down displays the participant type. By default, the All option is selected.
Figure: Participant Type
You can also search for a participant using the Search for Participant link displayed in the upper-right corner. Click the Search for Participant link and enter the participant name in the Participant box. As soon as you enter the text, participant names matching the pattern are provided in the drop-down list. You can select the performer from the list. By default, the search is case-sensitive with the exception of the first letter. You can change to case-insensitive search by setting the property Carnot.Client.Search.CaseSensitive in your carnot.properties file to false.
Figure: Search Participant
Click on the name of the participant. The selected participant gets displayed in the Selected Participants table.
Figure: Selected Participants
To assign the permissions to a participant:


Figure: Permission Assigned to Participant
Note that you can also assign permissions to participants using the copy and paste operations.
The model authorization for the specific participant can be viewed using the Participant radio button.
Select the Participant radio button.
Enter the participant name in the entry field. As you type, all participants starting with the pattern are provided in a drop-down list where you can select one.
Figure: Enter Participant
The available model authorizations that have not been granted to the participant are displayed in the Available pane, whereas the permissions that have been granted are listed in the Selected pane.

Figure: Participant - Available and Selected
Using the Add and Add All buttons, you can assign selected or all permissions to the participant. To remove selected or all permissions for the participant, use the Remove and Remove All buttons respectively.
Figure: Add a permission to the participant
The toolbar provides a button to show or hide general permissions. By default, the general permissions are displayed.
Figure: Showing/Hiding general permissions
Figure: Hidden general permissions
The toolbar also provides a button to show or hide UI permissions. By default, the UI permissions are displayed.
Figure: Showing/Hiding UI permissions
Figure: Hidden UI permissions
Click the Save icon in the upper-right corner to save all changes made to the authorization settings.
Figure: Save the Authorization Settings