Controlling Access

Access to some views, and to the information they show about data, activity instances or process instances, is restricted to users who hold a specific authorization. The same applies to actions available in the views, such as delegation or termination. Authorizations can be set in the Stardust modeler or via the API. For details on how to set these authorizations and on their effects, refer to the chapters Authorization of the Modeling Guide and Declarative Security Usage in Stardust Services API of the Programming Guide, respectively.

Controlling Access to the Administration Perspective

To switch Administration Perspective access for the Stardust Portal on or off completely, do the following:

  1. Unpack the ipp-administration-perspective.jar file of your Web application. Depending on your Web application, it is located either:
  2. Modify the content of the admin-portalUi-context.xml file, residing in the META-INF/spring folder. At the beginning of the file, change the following requiredRoles attribute:
    <!-- Administration provided extension of portal perspective -->
        <ippui:perspective id="ippAdminPerspective" messageBundles="admin-portal-messages" requiredRoles="Administrator">

By default, access is restricted to the Administrator only.

Controlling Access to the Business Control Center Perspective

To switch Business Control Center Perspective access for the Stardust Portal on or off completely, do the following:

  1. Unpack the ipp-business-control-center.jar file of your Web application. Depending on your Web application, it is located either:
  2. Modify the content of the businessControlCenterUi-context.xml file, residing in the META-INF/spring folder. At the beginning of the file, enter the following requiredRoles attribute:
    <!-- Business Control Center provided extension of portal perspective -->
        <ippui:perspective id="ippBccPerspective" messageBundles="business-control-center-messages" requiredRoles="BccUser">
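The two procedures above (Administration Perspective and Business Control Center Perspective) both come down to one requiredRoles attribute inside a jar, so a deployed Web application can be checked for drift without unpacking anything by hand. The following Python sketch is an added example, not part of the Stardust documentation or code base: it reads the two context files named on this page from a jar and reports any perspective whose requiredRoles value differs from the one shown here. The sample jar is constructed in memory, and its namespace URI is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Context file -> (perspective id, requiredRoles value shown on the page).
EXPECTED = {
    "META-INF/spring/admin-portalUi-context.xml": ("ippAdminPerspective", "Administrator"),
    "META-INF/spring/businessControlCenterUi-context.xml": ("ippBccPerspective", "BccUser"),
}

def perspective_roles(xml_bytes):
    """Map perspective id -> raw requiredRoles value (None if the attribute is absent)."""
    roles = {}
    for elem in ET.fromstring(xml_bytes).iter():
        # Match on the local name so the ippui namespace URI need not be known.
        if elem.tag.rsplit("}", 1)[-1] == "perspective":
            roles[elem.get("id")] = elem.get("requiredRoles")
    return roles

def audit_jar(jar):
    """Return (file, id, expected, actual) for each perspective that deviates."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        for name, (pid, expected) in EXPECTED.items():
            if name not in names:
                continue  # this jar does not carry that perspective
            actual = perspective_roles(zf.read(name)).get(pid)
            if actual is None or actual.strip() != expected:
                findings.append((name, pid, expected, actual))
    return findings

def constructed_jar(name, pid, roles):
    """Build an in-memory jar with one constructed context file (sample input)."""
    # The namespace URI below is a placeholder, not the real Stardust schema URI.
    xml = (
        '<beans xmlns:ippui="urn:example:placeholder">'
        f'<ippui:perspective id="{pid}" messageBundles="x" requiredRoles="{roles}"/>'
        "</beans>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    bcc = "META-INF/spring/businessControlCenterUi-context.xml"
    print(audit_jar(constructed_jar(bcc, "ippBccPerspective", "SomeOtherRole")))
```

`audit_jar` also accepts a file system path to a real jar; an intentional role change should be reflected in `EXPECTED` so that only unplanned changes are reported.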

Controlling Workflow Data Access via Declarative Security

You can restrict access to workflow data via declarative security settings in the Stardust Process Modeler. Please refer to the chapter Authorization of the Modeling Guide for details.

Access in the Business Control Center perspective views can be restricted for the following inspections and operations on workflow data:

Inspecting Process Instance Data

To determine who is authorized to inspect data about a process instance, change the authorization setting for "Read Process Instance Data" in the property page of the corresponding process.

In the example below, the properties of a process determine that the role NationalDirector is granted permission to inspect process instance data of this process in the Business Control Center views.

Figure: Setting Authorization for Reading Process Instance Data

Inspecting Activity Instance Data

To determine who is authorized to inspect data about an activity instance, change the authorization setting for "Read Activity Instance Data" in the property page of the corresponding activity.

In the example below, the properties of an activity determine that the activity owner (the person who should be working on it) and the Administrator are granted permission to inspect activity instance data of this activity in the Business Control Center views.

Figure: Setting Authorization for Reading Activity Instance Data

Aborting Activity Instances

To determine who is authorized to abort an activity instance, change the authorization setting for "Abort Activity Instances" in the property page of the corresponding activity.

In the example below, the properties of an activity determine that the activity owner and the Administrator are granted permission to abort instances of this activity in the Business Control Center views.

Figure: Setting Authorization for Aborting Activity Instances

Please note that the abort icon is only enabled if the property Allows Abort by Participant is selected for the corresponding activity. Please refer to the section Specifying Activities of the Modeling Guide for information on this activity property.

Delegating Activities to Other Users

To determine who is authorized to delegate an activity instance to another user or department, change the authorization setting for "Delegation to other users" or "Delegation to other departments", respectively, in the property page of the corresponding activity.

In the example below, the properties of an activity determine that the activity owner and the role NationalDirector are granted permission to delegate instances of this activity to other users in the corresponding Stardust Portal views.

Figure: Setting Authorization for Delegating to Other Users