Declarative Security Usage in Stardust Services API

This chapter gives an overview of the existing permissions and their usage in specific methods of the Stardust Services.

Note that authorization is always checked before any other validation or code is executed. Thus, if the user is not authorized, an AccessForbiddenException is thrown rather than the exception that would otherwise be expected.

Permissions

The following permissions are available:

Permission Scope Description
abortActivityInstances Activity Permission to abort an activity from the Stardust Portal and via API.
abortProcessInstances Process Permission to abort a process from the Stardust Portal and via API.
controlProcessEngine Model Permission to flush the cache and perform engine operations such as suspend and restart.
createCase Process Permission to create cases from Stardust Portal and via API.
delegateToDepartment Activity Permission to delegate an activity to another department from the Stardust Portal and via API.
delegateToOther (implies delegateToDepartment) Activity Gives permission to delegate to another participant, default performer and user, from the Stardust Portal and via API. It also gives permission to suspend an activity.
deleteProcessInstances Process Permission to delete process instances from the Stardust Portal and via API.
deployProcessModel Model Gives permission to deploy and specify the parameters for the model deployment at runtime from the Stardust Portal Administration perspective, via API and console command.
forceSuspend Model Permission to force activity instances to be suspended and added to the worklist of the default performer declared for the corresponding activity from the Stardust Portal and via API.
manageAuthorization Model Permission to change user grants, e.g. to assign or revoke roles and organizations as well as to add and remove user groups to or from a given user. This affects the Stardust Portal User and Role assignment views and API.
manageDaemons Model Permission to start, stop and query the state of the daemons from the Stardust Portal Administration perspective, through API and console command.
manageEventHandlers Activity, Process Permission to bind and unbind event handlers via API and console command.
modifyAuditTrail Model Permission to modify the AuditTrail database, like users, grants and models through API and console commands.
modifyDepartments Model Permission to perform the following operations:
  • Create departments.
  • Modify department details such as department name and description.
  • Change assignments of users.
  • Delete departments.
The user can perform these operations through the Stardust Portal Administration perspective, API and console commands.
modifyProcessInstances Process Permission to modify process instances in the Stardust Portal and via API.
modifyUserData Model Permission to modify user data such as name, email or account through Stardust Portal Administration perspective, API and console commands.
performActivity Activity Permission to perform an activity from the Stardust Portal and via API.
readActivityInstanceData Activity Permission to access activity instances from the Stardust Portal and via API.
readAuditTrailStatistics Model Permission to query statistics on the audit trail database, like health report, log entries and its count via API and console commands.
readDataValue Data Permission to read process data values.
readDepartments Model Permission to retrieve existing departments and read their attributes via Stardust Portal views, API and console commands.
readModelData Model Permission to access data contained in the model, like model description, process details and participant details via Stardust Process Portal, API and console commands.
readProcessInstanceData Process Permission to access the process instances the user is authorized to read, find the first process and get the process instance count in the Stardust Portal and via API.
readUserData Model Permission to access user and user group data such as email or account in the Stardust Portal Control Center views and via API.
resetUserPassword Model Permission to reset the password of a user via Stardust Portal Administration perspective, API and console commands.
runRecovery Model Permission to recover the database from the Stardust Portal Administration perspective, through APIs and console command.
saveOwnPartitionScopePreferences Model Permission to save preferences in own partition scope via Stardust Portal views, API and console command.
saveOwnRealmScopePreferences Model Permission to save preferences in own realm scope via Stardust Portal views, API and console command.
saveOwnUserScopePreferences Model Permission to save preferences in own user scope via Stardust Portal views, API and console command.
joinProcessInstance Process Permission to join a process instance from Stardust Portal and via API.
spawnPeerProcessInstance Process Permission to spawn a peer process instance from Stardust Portal and via API.
spawnSubProcessInstance Process Permission to spawn a sub process instance from Stardust Portal and via API.

Declarative Security used in Stardust Services API

The following table shows the permissions required for specific methods in the corresponding services, the participant that has the permission by default, and the method scope.

The attributes listed in the table have the following meanings:


Service Method Permission ID Defaults Scope administratorOverride defer Changeable
AdministrationService abortProcessInstance abortProcessInstances ADMINISTRATOR processDefinition true false true
AdministrationService flushCaches controlProcessEngine ADMINISTRATOR model true false true
AdministrationService deployModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService overwriteModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService setPrimaryImplementation deployProcessModel ADMINISTRATOR model true false true
AdministrationService deleteModel deployProcessModel ADMINISTRATOR model true false true
AdministrationService forceSuspendToDefaultPerformer forceSuspend ADMINISTRATOR model true false true
AdministrationService getDaemon manageDaemons ADMINISTRATOR model true false true
AdministrationService stopDaemon manageDaemons ADMINISTRATOR model true false true
AdministrationService startDaemon manageDaemons ADMINISTRATOR model true false true
AdministrationService getAllDaemons manageDaemons ADMINISTRATOR model true false true
AdministrationService startProcess modifyAuditTrail ADMINISTRATOR model true false false
AdministrationService setPasswordRules modifyAuditTrail ADMINISTRATOR model true false true
AdministrationService getPasswordRules
AdministrationService getPermissions readModelData ALL model false
AdministrationService deleteProcesses modifyAuditTrail ADMINISTRATOR model true false false
AdministrationService cleanupRuntime modifyAuditTrail ADMINISTRATOR model true false true
AdministrationService cleanupRuntimeAndModels modifyAuditTrail ADMINISTRATOR model true false true
AdministrationService createDepartment modifyDepartments ADMINISTRATOR model true false true
AdministrationService modifyDepartment modifyDepartments ADMINISTRATOR model true false true
AdministrationService removeDepartment modifyDepartments ADMINISTRATOR model true false true
AdministrationService setProcessInstancePriority modifyProcessInstances ADMINISTRATOR processDefinition true false true
AdministrationService forceCompletion performActivity ADMINISTRATOR model true false false
AdministrationService getAuditTrailHealthReport readAuditTrailStatistics ADMINISTRATOR model true false true
AdministrationService getDepartment readDepartments ALL model true false true
AdministrationService recoverProcessInstance runRecovery ADMINISTRATOR model true false true
AdministrationService recoverProcessInstances runRecovery ADMINISTRATOR model true false true
AdministrationService recoverRuntimeEnvironment runRecovery ADMINISTRATOR model true false true
AdministrationService saveConfigurationVariables saveOwnPartitionScopePreferences ADMINISTRATOR model true false true
AdministrationService setGlobalPermissions saveOwnPartitionScopePreferences ADMINISTRATOR model true false true
AdministrationService getProfile
AdministrationService setProfile
AdministrationService getUser
AdministrationService writeLogEntry
AdministrationService savePreferences saveOwnUserScopePreferences ALL model true false true
QueryService getActivityInstancesCount readActivityInstanceData ALL activity true true true
QueryService getAllActivityInstances readActivityInstanceData ALL activity true true true
QueryService findFirstActivityInstance readActivityInstanceData ALL activity true true true
QueryService getAuditTrail readActivityInstanceData ALL activity true true true
QueryService getLogEntriesCount readAuditTrailStatistics ADMINISTRATOR model true false true
QueryService getPermissions readModelData ALL model false
QueryService getAllLogEntries readAuditTrailStatistics ADMINISTRATOR model true false true
QueryService findFirstLogEntry readAuditTrailStatistics ADMINISTRATOR model true false true
QueryService findAllDepartments readDepartments ALL model true false true
QueryService findDepartment readDepartments ALL model true false true
QueryService getModel readModelData ALL model true false true
QueryService getAllParticipants readModelData ALL model true false true
QueryService getParticipant readModelData ALL model true false true
QueryService getAllProcessDefinitions readModelData ALL model true false true
QueryService getProcessDefinition readModelData ALL model true false true
QueryService getAllModelDescriptions readModelData ALL model true false true
QueryService getAllAliveModelDescriptions readModelData ALL model true false true
QueryService getActiveModelDescription readModelData ALL model true false true
QueryService getModels readModelData ALL model true false true
QueryService getModelDescription readModelData ALL model true false true
QueryService wasRedeployed readModelData ALL model true false true
QueryService getActiveModel (deprecated) readModelData ALL model true false true
QueryService getModelAsXML readModelData ALL model true false true
QueryService getSchemaDefinition readModelData ALL model true false true
QueryService getProcessInstancesCount readProcessInstanceData ALL processDefinition true true true
QueryService getAllProcessInstances readProcessInstanceData ALL processDefinition true true true
QueryService findFirstProcessInstance readProcessInstanceData ALL processDefinition true true true
QueryService getUsersCount readUserData ALL model true false true
QueryService getUserGroupsCount readUserData ALL model true false true
QueryService getAllUsers readUserData ALL model true false true
QueryService getAllUserGroups readUserData ALL model true false true
QueryService findFirstUser readUserData ALL model true false true
QueryService findFirstUserGroup readUserData ALL model true false true
UserService modifyUser modifyUserData ADMINISTRATOR model true false true
UserService createUser modifyUserData ADMINISTRATOR model true false true
UserService invalidate modifyUserData ADMINISTRATOR model true false true
UserService invalidateUser modifyUserData ADMINISTRATOR model true false true
UserService createUserGroup modifyUserData ADMINISTRATOR model true false true
UserService modifyUserGroup modifyUserData ADMINISTRATOR model true false true
UserService invalidateUserGroup modifyUserData ADMINISTRATOR model true false true
UserService createUserRealm modifyUserData ADMINISTRATOR model true false true
UserService dropUserRealm modifyUserData ADMINISTRATOR model true false true
UserService getUser readUserData ALL model true false true
UserService getUserGroup readUserData ALL model true false true
UserService getUserRealms readUserData ALL model true false true
UserService resetPassword resetUserPassword ALL model true false true
UserService closeSession
UserService isInternalAuthentication
UserService isInternalAuthentified
UserService isInternalAuthorization
UserService startSession
WorkflowService abortActivityInstance abortActivityInstances OWNER activity true false true
WorkflowService abortProcessInstance abortProcessInstances ADMINISTRATOR processDefinition true false true
WorkflowService suspend delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService suspendToDefaultPerformer delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService suspendToUser delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService suspendToParticipant delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService hibernate delegateToOther ALL activity true false true
WorkflowService delegateToDefaultPerformer delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService delegateToUser delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService delegateToParticipant delegateToOther (implies delegateToDepartment) ALL activity true false true
WorkflowService bindActivityEventHandler manageEventHandlers ALL activity true false true
WorkflowService bindProcessEventHandler manageEventHandlers ALL processDefinition true false true
WorkflowService unbindActivityEventHandler manageEventHandlers ALL activity true false true
WorkflowService unbindProcessEventHandler manageEventHandlers ALL processDefinition true false true
WorkflowService getActivityInstanceEventHandler manageEventHandlers ALL activity true false true
WorkflowService getProcessInstanceEventHandler manageEventHandlers ALL processDefinition true false true
WorkflowService activate performActivity OWNER activity false false false
WorkflowService complete performActivity OWNER activity false false false
WorkflowService activateAndComplete performActivity OWNER activity false false false
WorkflowService activateNextActivityInstance performActivity OWNER activity false true false
WorkflowService activateNextActivityInstance performActivity OWNER workitem false true false
WorkflowService activateNextActivityInstanceForProcessInstance performActivity OWNER activity false true false
WorkflowService getWorklist readActivityInstanceData ALL workitem false true false
WorkflowService getActivityInstance readActivityInstanceData ALL activity true false true
WorkflowService getModel readModelData ALL model true false true
WorkflowService getStartableProcessDefinitions readModelData ALL model true false true
WorkflowService getProcessInstance readProcessInstanceData ALL processDefinition true false true
WorkflowService getProcessResults readProcessInstanceData ALL processDefinition true false true
WorkflowService setProcessInstanceAttributes readProcessInstanceData ALL processDefinition true false true
WorkflowService getInDataPath readDataValues ALL data true
WorkflowService getInDataPaths readDataValues ALL data true
WorkflowService setOutDataPath modifyDataValues ALL data true
WorkflowService setOutDataPaths modifyDataValues ALL data true
WorkflowService getInDataValue readDataValues ALL data true
WorkflowService getInDataValues readDataValues ALL data true
WorkflowService startProcess

Adding and Removing Grants

With the interface User, you can manage grants for participants. Please refer to the Javadoc of the User interface for detailed information on the usage of its methods and their parameters.

Adding Grants to Participants

The method addGrant(ModelParticipantInfo participant) marks the grants for the given participant to be added to all model versions. An InvalidArgumentException is thrown if the participant is null.

Note that the grant is not actually given until the method UserService.modifyUser(user) is invoked. Please refer to the section UserService of the chapter Stardust Services for information on this service and to the corresponding Javadoc of org.eclipse.stardust.engine.api.runtime.UserService for detailed information on the modifyUser method.

Removing Grants from a Participant

The method removeGrant(ModelParticipantInfo participant) marks the grants for the given participant to be removed from all model versions. The grant is not actually removed until the method UserService.modifyUser(user) is invoked. Please refer to the section UserService of the chapter Stardust Services for information on this service and to the corresponding Javadoc of org.eclipse.stardust.engine.api.runtime.UserService for detailed information on the modifyUser method.
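
The two-step procedure from both subsections above, shown as an added example that is not part of the Stardust documentation or code base: grant changes are marked on a User object and only take effect with UserService.modifyUser. The class GrantChange, its method names and the IDs passed in are hypothetical; the package names other than that of UserService, and the calls UserService.getUser(String) and QueryService.getParticipant(String), are assumed from the Stardust runtime API.

```java
import java.util.logging.Logger;
import org.eclipse.stardust.common.error.AccessForbiddenException;
import org.eclipse.stardust.engine.api.model.ModelParticipantInfo;
import org.eclipse.stardust.engine.api.model.Participant;
import org.eclipse.stardust.engine.api.runtime.QueryService;
import org.eclipse.stardust.engine.api.runtime.User;
import org.eclipse.stardust.engine.api.runtime.UserService;

/** Added example: hypothetical helper, not code from the Stardust project. */
public final class GrantChange {
    private static final Logger LOG = Logger.getLogger(GrantChange.class.getName());

    /** Resolves a participant ID; per the table, getParticipant requires readModelData. */
    static ModelParticipantInfo resolve(QueryService qs, String participantId) {
        Participant p = qs.getParticipant(participantId);
        if (!(p instanceof ModelParticipantInfo)) {
            throw new IllegalArgumentException("Not a model participant: " + participantId);
        }
        return (ModelParticipantInfo) p;
    }

    /** Revokes one grant and adds another, applied together by one modifyUser call. */
    public static User moveGrant(UserService us, QueryService qs, String account,
                                 String revokeId, String grantId) {
        // Resolve both participants up front: addGrant rejects a null participant.
        ModelParticipantInfo toRevoke = resolve(qs, revokeId);
        ModelParticipantInfo toGrant = resolve(qs, grantId);

        User user = us.getUser(account);  // requires readUserData
        user.removeGrant(toRevoke);       // only marked on the local User object
        user.addGrant(toGrant);           // only marked on the local User object
        try {
            // Neither change is effective until this call returns.
            return us.modifyUser(user);
        } catch (AccessForbiddenException e) {
            // Authorization is checked before any other validation, so a caller
            // without the required permission ends up here; record the attempt.
            LOG.warning("Grant change denied for account " + account + ": " + e.getMessage());
            throw e;
        }
    }
}
```

Because the marks live only on the local User object, discarding that object without calling modifyUser leaves the user's grants as they were.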