Declarative Security Usage in Stardust Services API

This chapter gives an overview over existing permissions and their usage in specific methods of the Stardust Services.

Permissions
Declarative Security used in Stardust Services API
Adding and Removing Grants

Note that Authorization validation is always checked before any other validation or code is performed. Thus, in case the user is not authorized, an AccessForbiddenException occurs rather than an anticipated Exception.

Permissions

The following permissions are available:

Permission	Scope	Description
abortActivityInstances	Activity	Permission to abort an activity from the Stardust Portal and via API
abortProcessInstances	Process	Permission to abort a process from the Stardust Portal and via API
controlProcessEngine	Model	Permission to flush the cache and perform engine operations such as suspend and restart
createCase	Process	Permission to create cases from Stardust Portal and via API
delegateToDepartment	Activity	Permission to delegate an activity to another department from the Stardust Portal and via API
delegateToOther (implies delegateToDepartment)	Activity	Gives permission to delegate to another participant, default performer and user, from the Stardust Portal and via API. It also gives permission to suspend an activity.
deleteProcessInstances	Process	Permission to delete a process instances from the Stardust Portal and via API
deployProcessModel	Model	Gives permission to deploy and specify the parameters for the model deployment at runtime from the Stardust Portal Administration perspective, via API and console command.
deployRuntimeArtifact	Model	Permission to deploy and manage a runtime artifact in the Stardust Portal and via API
forceSuspend	Model	Permission to force activity instances to be suspended and added to the worklist of the default performer declared for the corresponding activity from the Stardust Portal and via API
manageAuthorization	Model	Permission to change user grants, e.g. to assign or revoke roles and organizations as well as to add and remove user groups to or from a given user. This affects the Stardust Portal User and Role assignment views and API.
manageDaemons	Model	Permission to start, stop and query the state of the daemons from the Stardust Portal Administration perspective, through API and console command
manageDeputies	Model	Permission to change the deputies of users from the Stardust Portal Administration perspective and through API
manageEventHandlers	Activity, Process	Permission to bind and unbind event handler via API and console command
modifyAuditTrail	Model	Permission to modify the AuditTrail database, like users, grants and models through API and console commands
modifyAuditTrailStatistics	Model	Permission to modify the AuditTrail database, like users, grants and models through API and console commands
modifyActivityInstances	Activity	Permission to modify activity instances in the Stardust Portal and via API
modifyCase	Process	Permission to modify process instance cases in the Stardust Portal and via API
modifyDataValues	Activity	Permission to read process data values in the Stardust Portal and via API
modifyDepartments	Model	Permission to perform the following operations: Create departments. Modify department details such as department name and description. Change assignments of users. Delete departments. through the Stardust Portal Administration perspective, API and console commands.
modifyDmsData	Model	Permission to modify any data via the document management service
modifyProcessInstances	Process	Permission to modify process instances in the Stardust Portal and via API
modifyUserData	Model	Permission to modify user data such as name, email or account through Stardust Portal Administration perspective, API and console commands
performActivity	Activity	Permission to perform an activity from the Stardust Portal and per API
readActivityInstanceData	Activity	Permission to access activity instances from the Stardust Portal and via API
readAuditTrailStatistics	Model	Permission to query statistics on the audit trail database, like health report, log entries and its count via API and console commands
readDataValues	Data	Permission to read process data values
readDepartments	Model	Permission to retrieve existing departments and read their attributes via Stardust Portal views, API and console commands
readModelData	Model	Permission to access data contained in the model, like model description, process details and participant details via Stardust Process Portal, API and console commands.
readProcessInstanceData	Process	Permission to to access the process instances the user is authorized to read, find first process and get process instance count in the Stardust Portal and via API
readUserData	Model	Permission to access user and user group data such as email or account in the Stardust Portal Control Center views and per API
readRuntimeArtifact	Model	Permission to read a deployed runtime artifact in the Stardust Portal and via API
resetUserPassword	Model	Permission to reset the password of a user via Stardust Portal Administration perspective, API and console commands
runRecovery	Model	Permission to recover the database from the Stardust Portal Administration perspective, through APIs and console command
saveOwnPartitionScopePreferences	Model	Permission to save preferences in own partition scope via Stardust Portal views, API and console command
saveOwnRealmScopePreferences	Model	Permission to save preferences in own realm scope via Stardust Portal views, API and console command
saveOwnUserScopePreferences	Model	Permission to save preferences in own user scope via Stardust Portal views, API and console command
joinProcessInstance	Process	Permission to join a process instance from Stardust Portal and via API
spawnPeerProcessInstance	Process	Permission to spawn a peer process instance from Stardust Portal and via API
spawnSubProcessInstance	Process	Permission to spawn a sub process instance from Stardust Portal and via API
startProcesses	Process	Permission to start a new process instance from Stardust Portal and via API

Declarative Security used in Stardust Services API

The following table shows the permissions required for specific methods in the according services, the participant having the permission per default and the method scope.

The attributes listed in the table have the following meanings:

Permission ID: identifier that references the permission definition from the model (required).
Defaults: a list of default permissions, if the model contain no permission definition. If attribute is not present it is equivalent with ADMINISTRATOR.
Scope: defines the kind of model element to which the permission is applied. If it is not present, it is equivalent with model.
Changeable:
- true: configurable on model level.
- false: permission definitions from the model will be ignored and only defaults will be considered.
If attribute is not present, it is equivalent with true.
administratorOverride:
- true: the administrator will be able to perform the method regardless of the permissions defined in the model.
- false: the administrator will be treated like any other regular user and must have an explicit permission to be able to perform the method.
If attribute is not present, it is equivalent with true.
defer: if set to true, it determines that the permission is not applied to the method itself or the input of the method, but to the result (output) of the method. For queries this means that the check is not performed on the method (anybody can call the method), but the result of the query will be influenced by the permission.

Service	Method	Permission ID	Defaults	Scope	administratorOverride	defer	Changeable
AdministrationService	abortProcessInstance	abortProcessInstances	ADMINISTRATOR	processDefinition	true	false	true
AdministrationService	flushCaches	controlProcessEngine	ADMINISTRATOR	model	true	false	true
AdministrationService	deployModel	deployProcessModel	ADMINISTRATOR	model	true	false	true
AdministrationService	overwriteModel	deployProcessModel	ADMINISTRATOR	model	true	false	true
AdministrationService	setPrimaryImplementation	deployProcessModel	ADMINISTRATOR	model	true	false	true
AdministrationService	deleteModel	deployProcessModel	ADMINISTRATOR	model	true	false	true
AdministrationService	forceSuspendToDefaultPerformer	forceSuspend	ADMINISTRATOR	model	true	false	true
AdministrationService	getDaemon	manageDaemons	ADMINISTRATOR	model	true	false	true
AdministrationService	stopDaemon	manageDaemons	ADMINISTRATOR	model	true	false	true
AdministrationService	startDaemon	manageDaemons	ADMINISTRATOR	model	true	false	true
AdministrationService	getAllDaemons	manageDaemons	ADMINISTRATOR	model	true	false	true
AdministrationService	startProcess	modifyAuditTrail	ADMINISTRATOR	model	true	false	false
AdministrationService	setPasswordRules	modifyAuditTrail	ADMINISTRATOR	model	true	false	true
AdministrationService	deleteProcesses	modifyAuditTrail	ADMINISTRATOR	model	true	false	false
AdministrationService	cleanupRuntime	modifyAuditTrail	ADMINISTRATOR	model	true	false	true
AdministrationService	cleanupRuntimeAndModels	modifyAuditTrail	ADMINISTRATOR	model	true	false	true
AdministrationService	createDepartment	modifyDepartments	ADMINISTRATOR	model	true	false	true
AdministrationService	modifyDepartment	modifyDepartments	ADMINISTRATOR	model	true	false	true
AdministrationService	removeDepartment	modifyDepartments	ADMINISTRATOR	model	true	false	true
AdministrationService	setProcessInstancePriority	modifyProcessInstances	ADMINISTRATOR	processDefinition	true	false	true
AdministrationService	forceCompletion	performActivity	ADMINISTRATOR	model	true	false	false
AdministrationService	getAuditTrailHealthReport	readAuditTrailStatistics	ADMINISTRATOR	model	true	false	true
AdministrationService	getDepartment	readDepartments	ALL	model	true	false	true
AdministrationService	recoverProcessInstance	runRecovery	ADMINISTRATOR	model	true	false	true
AdministrationService	recoverProcessInstances	runRecovery	ADMINISTRATOR	model	true	false	true
AdministrationService	recoverRuntimeEnvironment	runRecovery	ADMINISTRATOR	model	true	false	true
AdministrationService	saveConfigurationVariables	saveOwnPartitionScopePreferences	ADMINISTRATOR	model	true	false	true
AdministrationService	setGlobalPermissions	saveOwnPartitionScopePreferences	ADMINISTRATOR	model	true	false	true
AdministrationService	getRuntimeArtifact	readRuntimeArtifact	ADMINISTRATOR	model	true	false	true
AdministrationService	getSupportedRuntimeArtifactTypes	readRuntimeArtifact	ADMINISTRATOR	model	true	false	true
AdministrationService	deployRuntimeArtifact	deployRuntimeArtifact	ADMINISTRATOR	model	true	false	true
AdministrationService	overwriteRuntimeArtifact	deployRuntimeArtifact	ADMINISTRATOR	model	true	false	true
AdministrationService	deleteRuntimeArtifact	deployRuntimeArtifact	ADMINISTRATOR	model	true	false	true
AdministrationService	writeLogEntry	modifyAuditTrailStatistics	ALL	model	true	false	true
AdministrationService	savePreferences	saveOwnUserScopePreferences	ALL	model	true	false	true
DocumentManagementService	createDocument	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	versionDocument	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	removeDocumentVersion	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	moveDocument	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	updateDocument	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	requestDocumentContentUpload	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	createFolder	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	removeDocument	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	updateFolder	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	removeFolder	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	setPolicy	modifyDmsData	ALL	model	true	false	true
DocumentManagementService	migrateRepository	modifyDmsData	ALL	model	true	false	true
QueryService	getActivityInstancesCount	readActivityInstanceData	ALL	activity	true	true	true
QueryService	getAllActivityInstances	readActivityInstanceData	ALL	activity	true	true	true
QueryService	findFirstActivityInstance	readActivityInstanceData	ALL	activity	true	true	true
QueryService	getAuditTrail	readActivityInstanceData	ALL	activity	true	true	true
QueryService	getLogEntriesCount	readAuditTrailStatistics	ADMINISTRATOR	model	true	false	true
QueryService	getPermissions	readModelData	ALL	model			false
QueryService	getAllData	readModelData	ALL	model	true	false	true
QueryService	getAllBusinessObjects	readDataValues	ALL	data	true	true	true
QueryService	getAllLogEntries	readAuditTrailStatistics	ADMINISTRATOR	model	true	false	true
QueryService	findFirstLogEntry	readAuditTrailStatistics	ADMINISTRATOR	model	true	false	true
QueryService	findAllDepartments	readDepartments	ALL	model	true	false	true
QueryService	findDepartment	readDepartments	ALL	model	true	false	true
QueryService	getModel	readModelData	ALL	model	true	false	true
QueryService	getAllParticipants	readModelData	ALL	model	true	false	true
QueryService	getParticipant	readModelData	ALL	model	true	false	true
QueryService	getAllProcessDefinitions	readModelData	ALL	model	true	false	true
QueryService	getProcessDefinition	readModelData	ALL	model	true	false	true
QueryService	getAllModelDescriptions	readModelData	ALL	model	true	false	true
QueryService	getAllAliveModelDescriptions	readModelData	ALL	model	true	false	true
QueryService	getActiveModelDescription	readModelData	ALL	model	true	false	true
QueryService	getModels	readModelData	ALL	model	true	false	true
QueryService	getModelDescription	readModelData	ALL	model	true	false	true
QueryService	wasRedeployed	readModelData	ALL	model	true	false	true
QueryService	getActiveModel (deprecated)	readModelData	ALL	model	true	false	true
QueryService	getModelAsXML	readModelData	ALL	model	true	false	true
QueryService	getSchemaDefinition	readModelData	ALL	model	true	false	true
QueryService	getProcessInstancesCount	readProcessInstanceData	ALL	processDefinition	true	true	true
QueryService	getAllProcessInstances	readProcessInstanceData	ALL	processDefinition	true	true	true
QueryService	findFirstProcessInstance	readProcessInstanceData	ALL	processDefinition	true	true	true
QueryService	getUsersCount	readUserData	ALL	model	true	false	true
QueryService	getUserGroupsCount	readUserData	ALL	model	true	false	true
QueryService	getAllUsers	readUserData	ALL	model	true	false	true
QueryService	getAllUserGroups	readUserData	ALL	model	true	false	true
QueryService	findFirstUser	readUserData	ALL	model	true	false	true
QueryService	findFirstUserGroup	readUserData	ALL	model	true	false	true
QueryService	getRuntimeArtifact	readRuntimeArtifact	ADMINISTRATOR	model	true	false	true
QueryService	getRuntimeArtifacts	readRuntimeArtifact	ADMINISTRATOR	model	true	false	true
UserService	modifyUser	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	createUser	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	invalidate	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	invalidateUser	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	createUserGroup	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	modifyUserGroup	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	invalidateUserGroup	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	createUserRealm	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	dropUserRealm	modifyUserData	ADMINISTRATOR	model	true	false	true
UserService	getUser	readUserData	ALL	model	true	false	true
UserService	getUserGroup	readUserData	ALL	model	true	false	true
UserService	getUserRealms	readUserData	ALL	model	true	false	true
UserService	addDeputy	manageDeputies	ADMINISTRATOR	model	true	false	true
UserService	modifyDeputy	manageDeputies	ADMINISTRATOR	model	true	false	true
UserService	removeDeputy	manageDeputies	ADMINISTRATOR	model	true	false	true
UserService	getDeputies	manageDeputies	ADMINISTRATOR	model	true	false	true
UserService	getUsersBeingDeputyFor	manageDeputies	ADMINISTRATOR	model	true	false	true
UserService	generatePasswordResetToken	resetUserPassword	ALL	model	true	false	true
UserService	resetPassword	resetUserPassword	ALL	model	true	false	true
WorkflowService	abortActivityInstance	abortActivityInstances	OWNER	activity	true	false	true
WorkflowService	abortProcessInstance	abortProcessInstances	ADMINISTRATOR	processDefinition	true	false	true
WorkflowService	suspend	performActivity	OWNER	activity	false	false	false
WorkflowService	delegateCase	delegateToOther (implies delegateToDepartment)	OWNER	processDefinition	true	false	false
WorkflowService	suspendToDefaultPerformer	performActivity	OWNER	activity	false	false	false
WorkflowService	suspendToUser(long) suspendToUser(long, String, Map<String, ?>)	performActivity	OWNER	activity	false	false	false
WorkflowService	suspendToUser(long,long) suspendToUser(long, long, String, Map<String, ?>)	performActivity	OWNER	activity	false	false	true
WorkflowService	suspendToParticipant	performActivity	OWNER	activity	false	false	true
WorkflowService	hibernate	delegateToOther	ALL	activity	true	false	true
WorkflowService	delegateToDefaultPerformer	delegateToOther (implies delegateToDepartment)	ALL	activity	true	false	true
WorkflowService	delegateToUser	delegateToOther (implies delegateToDepartment)	ALL	activity	true	false	true
WorkflowService	delegateToParticipant	delegateToOther (implies delegateToDepartment)	ALL	activity	true	false	true
WorkflowService	setActivityInstanceAttributes	modifyActivityInstances	ALL	activity	true	false	true
WorkflowService	bindActivityEventHandler	manageEventHandlers	ALL	activity	true	false	true
WorkflowService	bindProcessEventHandler	manageEventHandlers	ALL	processDefinition	true	false	true
WorkflowService	unbindActivityEventHandler	manageEventHandlers	ALL	activity	true	false	true
WorkflowService	unbindProcessEventHandler	manageEventHandlers	ALL	processDefinition	true	false	true
WorkflowService	getActivityInstanceEventHandler	manageEventHandlers	ALL	activity	true	false	true
WorkflowService	getProcessInstanceEventHandler	manageEventHandlers	ALL	processDefinition	true	false	true
WorkflowService	activate	performActivity	OWNER	activity	false	false	false
WorkflowService	complete	performActivity	OWNER	activity	false	false	false
WorkflowService	activateAndComplete	performActivity	OWNER	activity	false	false	false
WorkflowService	activateNextActivityInstance	performActivity	OWNER	activity	false	true	false
WorkflowService	activateNextActivityInstance	performActivity	OWNER	workitem	false	true	false
WorkflowService	activateNextActivityInstanceForProcessInstance	performActivity	OWNER	activity	false	true	false
WorkflowService	createBusinessObjectInstance	modifyDataValues	ALL	data	true	false	true
WorkflowService	updateBusinessObjectInstance	modifyDataValues	ALL	data	true	false	true
WorkflowService	deleteBusinessObjectInstance	modifyDataValues	ALL	data	true	false	true
WorkflowService	createCase	createCase	ALL	model	true	false	true
WorkflowService	joinCase	modifyCase	ALL	processDefinition	true	false	true
WorkflowService	leaveCase	modifyCase	OWNER	processDefinition	true	false	true
WorkflowService	mergeCases	modifyCase	OWNER	processDefinition	true	false	true
WorkflowService	performAdHocTransition	performActivity	OWNER	activity	true	false	true
WorkflowService	getWorklist	readActivityInstanceData	ALL	workitem	false	true	false
WorkflowService	getActivityInstance	readActivityInstanceData	ALL	activity	true	false	true
WorkflowService	getAdHocTransitionTargets	readModelData	ALL	activity	true	true	true
WorkflowService	getModel	readModelData	ALL	model	true	false	true
WorkflowService	getStartableProcessDefinitions	readModelData	ALL	model	true	false	true
WorkflowService	setProcessInstanceAttributes	modifyProcessInstances	ALL	processDefinition	true	false	true
WorkflowService	getProcessInstance	readProcessInstanceData	ALL	processDefinition	true	false	true
WorkflowService	getProcessResults	readProcessInstanceData	ALL	processDefinition	true	false	true
WorkflowService	getInDataPath	readProcessInstanceData	ALL	processDefinition	true	false	true
WorkflowService	getInDataPaths	readProcessInstanceData	ALL	processDefinition	true	false	true
WorkflowService	setOutDataPath	readProcessInstanceData	ALL	processDefinition	true	false	true
WorkflowService	setOutDataPaths	readProcessInstanceData	ALL	processDefinition	true	false	true
WorkflowService	getInDataValue	readDataValues	OWNER	data	true	true	false
WorkflowService	getInDataValues	readDataValues	OWNER	data	true	true	false
WorkflowService	startProcess	startProcesses	ALL	processDefinition	true	false	true
WorkflowService	joinProcessInstance	joinProcessInstance	ALL	model	true	false	true
WorkflowService	spawnSubprocessInstance	spawnSubProcessInstance	ALL	model	true	false	true
WorkflowService	spawnSubprocessInstances	spawnSubProcessInstance	ALL	model	true	false	true
WorkflowService	spawnPeerProcessInstance	spawnPeerProcessInstance	ALL	model	true	false	true
WorkflowService	writeLogEntry	modifyAuditTrailStatistics	ALL		true	false	true

Adding and Removing Grants

With the interface User, you can manage grants for participants. Please refer to the Javadoc of the User interface for detailed information on the usage of its methods and their parameters.

Adding Grants to Participants

The method addGrant(ModelParticipantInfo participant) marks that grants for the given participant should be added to all model versions. An InvalidArgumentException is thrown in case the participant is null.

Note that the grant will not be actually given until the method UserService.modifyUser(user) is invoked. Please refer to the section UserService of the chapter Stardust Services for information on this service and the according Javadoc of the org.eclipse.stardust.engine.api.runtime.UserService for detailed information on the modifyUser method.

Removing Grants from a Participant

The method removeGrant(ModelParticipantInfo participant) marks the grants for the given participant to be removed from all model versions. The grant will not be actually removed until the method UserService.modifyUser(user) is invoked. Please refer to the section UserService of the chapter Stardust Services for information on this service and the according Javadoc of the org.eclipse.stardust.engine.api.runtime.UserService for detailed information on the modifyUser method.