Overview of User Access Authority

This topic summarizes the steps that determine user access in the application.

  1. Privileges are defined in the organization model. Using the TIBCO Business Studio Organization Modeler, privileges can be assigned to groups, organization units and positions.

    For information about defining privileges in the organization model, see the TIBCO Business Studio™ Organization Modeler User’s Guide.

  2. Users are mapped to groups and positions, using the Organization Browser, thus inheriting the privileges of those entities, as follows:
    • Groups - Members of groups inherit the privileges of the group, as well as all parent groups.
    • Positions / organization units - Members of a position inherit the privileges of the position, as well as the organization unit that is the immediate parent of the position. If organization units are nested, members of the position do not inherit privileges from organization units further up the tree—only the immediate parent.

      For information about mapping users to groups and positions, see the Organization Browser User’s Guide.

  3. When the application is started, it looks at the system actions in the deployed organization model to determine which functions the user has access to.
    • If the system action denies access to a particular function, the user is not given access to the function, regardless of which user access sets their privileges are mapped to.
    • If the system action allows access to a particular function, it then looks at the useAccessDefaults attribute in the userAccess.xml file to determine if the user’s privileges should be used to control access at the application level.
    • If useAccessDefaults is set to “true”, the default access permissions are used; see Turning Access Control On and Off.
    • If useAccessDefaults is set to “false”, user access sets containing the user’s privileges are used to control access.
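
The inheritance rules in step 2 and the decision order in step 3 can be modelled as follows. This is an added example, not TIBCO code: the group, unit, position, privilege and function names are constructed, and representing the default permissions and user access sets as Python sets of function names is an assumption, not the userAccess.xml format.

```python
# Constructed sample model; all names are hypothetical, not from a TIBCO deployment.
GROUPS = {  # group -> (parent group or None, privileges)
    "Staff": (None, {"ViewWork"}),
    "Claims": ("Staff", {"OpenClaim"}),
    "ClaimsSeniors": ("Claims", {"ApproveClaim"}),
}
ORG_UNITS = {  # organization unit -> (parent unit or None, privileges)
    "HeadOffice": (None, {"AuditAll"}),
    "ClaimsDept": ("HeadOffice", {"ReassignWork"}),
}
POSITIONS = {  # position -> (immediate parent organization unit, privileges)
    "ClaimsHandler": ("ClaimsDept", {"CloseClaim"}),
}

def group_privileges(group):
    """Privileges of a group plus those of all its parent groups."""
    privs = set()
    while group is not None:
        parent, own = GROUPS[group]
        privs |= own
        group = parent
    return privs

def position_privileges(position):
    """Privileges of a position plus its immediate parent unit only."""
    unit, own = POSITIONS[position]
    return own | ORG_UNITS[unit][1]  # deliberately no walk further up the tree

def effective_privileges(groups, positions):
    """Union of everything a user inherits through group and position mappings."""
    privs = set()
    for g in groups:
        privs |= group_privileges(g)
    for p in positions:
        privs |= position_privileges(p)
    return privs

def has_access(function, privs, system_action_allows, use_access_defaults,
               default_access, access_sets):
    """Decision order from step 3; access_sets maps privilege -> functions (assumed shape)."""
    if not system_action_allows:
        return False  # a system-action denial always wins
    if use_access_defaults:
        return function in default_access  # user's privileges are not consulted
    return any(function in access_sets.get(p, set()) for p in privs)
```

In this model a member of ClaimsHandler receives ReassignWork from ClaimsDept but not AuditAll from HeadOffice, which is the case to check when auditing who actually holds a privilege defined high in the organization tree.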