User Access Control to System Action Mapping

This topic lists each of the user access controls, and all of the system actions that you need to have access to the function provided by the user access control.

Select the user access control name in the table to link to a description of the function.

Note: The DE.userAdmin system action does not control access to a function like other system actions. Although its name implies it has to do with user administration, it doesn’t. It is used to control whether or not the application will persist user settings. If the user does not have this system action, user settings (e.g., any views that are created, columns that are changed, any changes made via the User Options dialog, etc.) are not persisted. The changes can be made by the user (if they have the appropriate access to make the changes), but they will persist only for the current login session.

Note that the DE.userAdmin system action also controls where the application reads configuration information (including user access):

If the user has the DE.userAdmin system action, configuration information (including user access) is read from the database (if the Configuration Administrator had previously been used, which causes configuration to be written to the database).
If the user does not have the DE.userAdmin system action, configuration information (including user access) is always read from disk (even if the Configuration Adminstrator had previously been used).

Some functions do not require a system action (e.g., all of the event view functions).

If the user is mapped to the System Administrator group in the version 0 organization model (i.e., the user has the “All System Actions” privilege), the application does not check the system actions—the user is given access to all system actions. For more information, see Provided User Access Sets.

Note that the system action names provided in the table below are the names shown in the User Access Privileges dialog that is available from the application (see Determining a User’s System Actions and User Access Controls). However, these are not the labels that are shown for the system actions in TIBCO Business Studio—those labels are not available to the application. They are, however, very similar. For example, the BRM.autoOpenNextWorkItem system action is labelled “Auto Open Next Work item” in Business Studio, the DE.LDAPAdmin system action is labelled “LDAP Admin” in Business Studio, and so on. One notable exception is the DE.userAdmin system action, which is labelled “User Settings” in Business Studio.

User Access Control	System Actions Needed
StartInstance	None
DataView	BDS.readGlobalData
DataView NewView	BDS.manageDataViews, BDS.readGlobalData
DataView EditView	BDS.manageDataViews, BDS.readGlobalData
DataView RemoveView	BDS.manageDataViews, BDS.readGlobalData
DataView NewCategory	BDS.manageDataViews, BDS.readGlobalData
DataView DataViewList	BDS.readGlobalData
DataView DataViewList PageSize	BDS.readGlobalData
DataView DataViewList DataViewResults	BDS.readGlobalData
DataView DataViewList DataViewResults GlobalDataPreview	BDS.readGlobalData
DataView DataViewList DataViewResults WorkItems	BRM.viewGlobalWorkList, BDS.readGlobalData
DataView DataViewList DataViewResults ProcessInstances	BDS.readGlobalData PE.queryProcessTemplate PE.queryProcessInstance
DataView DataViewList DataViewResults EventViewer	EC.queryAudit, BDS.readGlobalData
EventView	EC.queryAudit
EventView  NewView	EC.queryAudit
EventView  NewView  CustomView	EC.queryAudit
EventView  EditView	EC.queryAudit
EventView  RemoveView	EC.queryAudit
EventView  BaseFilter	EC.queryAudit
EventView  CreateSystemView	EC.queryAudit
EventView  AuthorSystemView	EC.queryAudit
EventView  EventViewer	EC.queryAudit
EventView  EventViewer  SaveView	EC.queryAudit
EventView  EventViewer  SetRetrieveCount	None
EventView EventViewer  SaveViewAs	EC.queryAudit
EventView  EventViewer  CorrelatedEvents	EC.queryAudit
EventView EventViewer  EventAttributes	EC.queryAudit
EventView EventViewer  EventLinks	EC.queryAudit
EventView   EventViewer  Filter	EC.queryAudit
EventView EventViewer  Sort	EC.queryAudit
EventView  EventViewer  Find	EC.queryAudit
EventView  EventViewer  SelectAttributes	EC.queryAudit
EventView  EventViewer  SelectColumns	EC.queryAudit
EventView EventViewer SelectColumns DefaultColumns	EC.queryAudit
EventView EventViewer PageSize	EC.queryAudit
BusinessService	BIZSVC.listBusinessService(1)
BusinessService  StartBusinessService	BIZSVC.listBusinessService(1) BIZSVC.executeBusinessService
BusinessService   StartBusinessService   Favorites	BIZSVC.listBusinessService(1) BIZSVC.executeBusinessService
BusinessService Find	BIZSVC.listBusinessService(1)
BusinessService DockFloatOption	BIZSVC.listBusinessService(1)
ProcessView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ShowAllInstances	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   NewView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   EditView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   RemoveView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   BaseFilter	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   CreateSystemView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   AuthorSystemView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   DefineHaltedView	PE.queryProcessTemplate PE.queryProcessInstance PE.haltedProcessAdministration
ProcessView   ProcessInstance   ShowTerminalInstances	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   SaveView	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   SaveViewAs	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   Cancel	PE.queryProcessTemplate PE.queryProcessInstance PE.cancelProcessInstance
ProcessView   ProcessInstance   Resume	PE.queryProcessTemplate PE.queryProcessInstance PE.resumeProcessInstance
ProcessView   ProcessInstance   Suspend	PE.queryProcessTemplate PE.queryProcessInstance PE.suspendProcessInstance
ProcessView   ProcessInstance   ResumeHalted	PE.queryProcessTemplate PE.queryProcessInstance PE.haltedProcessAdministration
ProcessView   ProcessInstance   Retry	PE.queryProcessTemplate PE.queryProcessInstance PE.haltedProcessAdministration
ProcessView   ProcessInstance   Ignore	PE.queryProcessTemplate PE.queryProcessInstance PE.haltedProcessAdministration
ProcessView   ProcessInstance   Filter	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   Sort	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   Find	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   ShowOutstanding	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   ShowOutstandingAdmin	PE.queryProcessTemplate PE.queryProcessInstance DE.browseModel
ProcessView   ProcessInstance   EventViewer	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView   ProcessInstance   SelectColumns	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView ProcessInstance SelectColumns DefaultColumns	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView ProcessInstance PageSize	PE.queryProcessTemplate PE.queryProcessInstance
ProcessView ProcessInstance ShowCustomAttributes	PE.queryProcessTemplate PE.queryProcessInstance
WorkView	None
WorkView   ShowInbox	None
WorkView   NewView	None
WorkView   EditView	None
WorkView   RemoveView	None
WorkView   BaseFilter	None
WorkView   CreateSystemView	None
WorkView   AuthorSystemView	None
WorkView   SupervisedWorkItem	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check(2) )
WorkView   SupervisedWorkItem   AllWorkItems	DE.browseModel DE.resolveResource BRM.viewGlobalWorkList
WorkView   SupervisedWorkItem   Cancel	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2) BRM.closeOtherResourcesItems (scope check2) Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.
WorkView   SupervisedWorkItem   Skip	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2) BRM.skipWorkItem (scope check2) Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.
WorkView   SupervisedWorkItem   PrioritizeAny	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2) BRM.changeAnyWorkItemPriority (scope check2)
WorkView   SupervisedWorkItem   Reoffer	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2) BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.) Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.
WorkView   SupervisedWorkItem   AllocateToAnother	n/a See the following two rows in this table for the system actions required for the work item allocation functions.
WorkView   SupervisedWorkItem   AllocateToAnother   CanAllocateFromOfferSet	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2) BRM.reallocateToOfferSet (scope check2) BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.)
WorkView   SupervisedWorkItem   AllocateToAnother   CanAllocateFromOrganization	DE.browseModel DE.resolveResource DE.resourceAdmin BRM.viewWorkList (scope check2) BRM.reallocateWorkItemToWorld (You must have this system action at the organization model level, as the one at the scoped level is not used.) BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.) Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity. Also note that the function this controls is actually named Allocate to World.
WorkView   SupervisedWorkItem   AllocateToAnother   ShowResourcePreview	n/a There are no system actions that control access to the Toggle Preview button / menu selection.
WorkView   SupervisedWorkItem   EventViewer	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   SupervisedWorkItem   Filter	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   SupervisedWorkItem   Sort	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   SupervisedWorkItem   Find	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   SupervisedWorkItem   AutoRefresh	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   SupervisedWorkItem   SelectColumns	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   SupervisedWorkItem   DefaultColumns	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView SupervisedWorkItem Preview	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView SupervisedWorkItem PreviewData	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView SupervisedWorkItem Preview PreviewOn	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView SupervisedWorkItem Preview PreviewFloat	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView SupervisedWorkItem Preview PreviewOff	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView SupervisedWorkItem PageSize	DE.browseModel DE.resolveResource BRM.viewWorkList (scope check2)
WorkView   WorkItem	DE.resolveResource
WorkView   WorkItem   SaveView	DE.resolveResource
WorkView   WorkItem   SaveViewAs	DE.resolveResource
WorkView   WorkItem   Open	DE.resolveResource
WorkView   WorkItem   OpenNext	DE.resolveResource BRM.autoOpenNextWorkItem
WorkView   WorkItem   OpenAuto	DE.resolveResource BRM.autoOpenNextWorkItem
WorkView   WorkItem   Cancel	DE.resolveResource
WorkView   WorkItem   Skip	DE.resolveResource BRM.skipWorkItem
WorkView   WorkItem   Pend	DE.resolveResource BRM.pendWorkItem
WorkView   WorkItem   PrioritizeAllocated	DE.resolveResource BRM.changeAllocatedWorkItemPriority
WorkView   WorkItem   PrioritizeAny	DE.resolveResource BRM.changeAnyWorkItemPriority
WorkView   WorkItem   AllocateToSelf	DE.resolveResource
WorkView   WorkItem   Reoffer	DE.resolveResource BRM.workItemAllocation
WorkView   WorkItem   AllocateToAnother	DE.resolveResource
WorkView   WorkItem   AllocateToAnother   CanAllocateFromOfferSet	DE.browseModel DE.resolveResource BRM.workItemAllocation
WorkView   WorkItem   AllocateToAnother   CanAllocateFromOrganization	DE.browseModel DE.resolveResource DE.resourceAdmin BRM.workItemAllocation BRM.reallocateWorkItemToWorld
WorkView   WorkItem   AllocateToAnother   ShowResourcePreview	DE.resolveResource
WorkView   WorkItem   EventViewer	DE.resolveResource
WorkView   WorkItem   Filter	DE.resolveResource
WorkView   WorkItem   Sort	DE.resolveResource
WorkView   WorkItem   Find	DE.resolveResource
WorkView   WorkItem   AutoRefresh	DE.resolveResource
WorkView   WorkItem   SelectColumns	DE.resolveResource
WorkView   WorkItem   DefaultColumns	DE.resolveResource
WorkView WorkItem Preview	DE.resolveResource
WorkView WorkItem PreviewData	DE.resolveResource
WorkView WorkItem Preview PreviewOn	DE.resolveResource
WorkView WorkItem Preview PreviewFloat	DE.resolveResource
WorkView WorkItem Preview PreviewOff	DE.resolveResource
WorkView WorkItem PageSize	DE.resolveResource
ProcessTemplate	PE.queryProcessTemplate
ProcessTemplate   Filter	PE.queryProcessTemplate
ProcessTemplate   Sort	PE.queryProcessTemplate
ProcessTemplate   Select Columns	PE.queryProcessTemplate
ShowPrivileges	None
ExportFilterXML	None
ApplicationLog	None
ConfigureOptions	DE.userAdmin (also see note on page 41 )
ConfigureOptions   Layout	DE.userAdmin (also see note on page 41 )
ConfigureOptions WorkItemFloatOverride	None
ConfigureOptions BusinessServiceFloatOverride	None
ConfigureOptions LocaleSelector	None
ConfigureOptions LocaleSelector DisplayInAppHeader	None
Administration	None
Administration   Configuration	DE.userAdmin WSB.applicationConfiguration
ShowErrorDetail	None
ShowErrorDetail   ShowStackTrace	None
ShowMainOrganizationBrowser	None
OrganizationBrowser	DE.browseModel
OrganizationBrowser   ShowContainersTree	DE.browseModel DE.LDAPAdmin
OrganizationBrowser   ShowGroupsTree	DE.browseModel
OrganizationBrowser   ShowOrganizationTree	DE.browseModel
OrganizationBrowser   ListPotentialResources	DE.browseModel DE.LDAPAdmin
OrganizationBrowser   EventViewerForOrganization	DE.browseModel
OrganizationBrowser   EventViewerForResource	DE.browseModel And one of the following is needed to see a resource: DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container) DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser   ShowResourceAttributesInResourceList	DE.browseModel DE.readParameters And one of these is required to see a resource: DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container) DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser   ManageLDAPContainers	n/a This is never directly checked.
OrganizationBrowser   ManageLDAPContainers   NewContainer	DE.browseModel DE.LDAPAdmin
OrganizationBrowser   ManageLDAPContainers   EditContainer	DE.browseModel DE.LDAPAdmin
OrganizationBrowser   ManageLDAPContainers   DeleteContainer	DE.browseModel DE.LDAPAdmin DE.deleteLDAPAdmin DE.deleteResourceAdmin(3)
OrganizationBrowser   ShowOrganizationPreview	DE.browseModel
OrganizationBrowser   ShowOrganizationPreview   PreviewPrivileges	DE.browseModel
OrganizationBrowser   ShowOrganizationPreview   PreviewCapabilities	DE.browseModel
OrganizationBrowser   ShowOrganizationPreview   PreviewPushDestinations	DE.browseModel DE.readPushDestinations
OrganizationBrowser   ShowResourcePreview	DE.browseModel DE.resolveResource And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   ShowResourcePreview   PreviewGroupMembership	DE.browseModel DE.resolveResource And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   ShowResourcePreview   PreviewPositionsHeld	DE.browseModel DE.resolveResource And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   ShowResourcePreview   PreviewResourceAttributes	DE.browseModel DE.resolveResource DE.readParameters And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   ShowResourcePreview   PreviewPrivileges	DE.browseModel DE.resolveResource And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   ShowResourcePreview   PreviewCapabilities	DE.browseModel DE.resolveResource And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   ShowResourcePreview   PreviewPushDestinations	DE.browseModel DE.resolveResource DE.readPushDestinations And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   EditOrganization	n/a This is never directly checked.
OrganizationBrowser   EditOrganization   EditOrgPushDestinations	DE.browseModel DE.readPushDestinations DE.writePushDestinations
OrganizationBrowser   EditOrganization   Import	DE.browseModel DE.importLDAPAdmin
OrganizationBrowser   EditOrganization   Export	DE.browseModel DE.exportLDAPAdmin
OrganizationBrowser   EditResources	n/a This is never directly checked.
OrganizationBrowser   EditResources   EditGroupMembership	DE.browseModel DE.resolveResource DE.resourceAdmin And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   EditResources   EditPositionsHeld	DE.browseModel DE.resolveResource DE.resourceAdmin And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: DE.LDAPAdmin
OrganizationBrowser   EditResources   EditResourceAttributes	DE.browseModel DE.readParameters DE.writeParameters And one of these is required to see a resource: DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container) DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser   EditResources   EditCapabilities	DE.browseModel DE.resourceAdmin And one of these is required to see a resource: DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container) DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser   EditResources   EditPushDestinations	DE.browseModel DE.readPushDestinations DE.writePushDestinations And one of these is required to see a resource: DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container) DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser   EditResources   CreateResources	DE.browseModel DE.createResourceAdmin DE.LDAPAdmin (indirectly needed—required to view lists of resources for an LDAP container, the only place where potential resources will exist)
OrganizationBrowser   EditResources   DeleteResources	DE.browseModel DE.deleteResourceAdmin One of these is required to see a resource: DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container) DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser   EditResources   RenameResource	DE.browseModel DE.resolveResource DE.resourceAdmin DE.LDAPAdmin
Help	None
Help   Help	None
Help   About	None
Help   OrganizationBrowser	None
CustomMenuAccess	None
CustomInterfaces	None (Note, however, that you may need a system action for the location at which the custom interface launch control appears. For example, if a custom interface menu appears on the work item list, you need the appropriate system to access the work item list.)
(1) Although you need the BIZSVC.listBusinessService system action to list business services, and the BIZSVC.executeBusinessService system action to execute business services, you might need other system actions for your business services to execute correctly. For example, if your business service creates statefull instances of processes, you will also need the PE.startprocess system action. If that instance then creates a user task (work item) for the first step, you would also need the BRM.scheduleWorkItem system action. (2) A scope check means that it checks to see if the system action is set on a specific group, organization unit, or position (for the purpose of providing access to supervised work views). If the system action is not set on a scoped level, it checks to see if it is set at the organization model level. For more information, see Scope of System Actions . (3) This system action is needed to delete an LDAP container that contains resources.

Note: The following three event-related system actions are also available from TIBCO Business Studio, although they are not currently used. Therefore, they are not shown in the table above:

EC.openWorkItemAuditTrail
EC.listTrocessTemplateAuditTrail
EC.showProcessInstanceAuditTrail

Note: There is also a DE.organizationAdmin system action available that does not have a corresponding user access control. This system action overrides container organization relationships as defined in the Organization Browser. Resources with this system action can see all organizations, regardless the organization relationships that have been defined.

Contents

Index

Search Results

User Access Control to System Action Mapping