System Actions and Organization Model Versions
When testing whether a user is authorized to perform a system action (that is, whether the user holds the required privileges), all major versions of the organization model are taken into account.
The privileges required to perform a system action are applied on a per-major-version basis. That is, the same system action may require a different set of privileges in different major versions of the organization model, and each set of required privileges is tested independently. Similarly, it is possible that a position to which a user is mapped may be granted different privileges in different versions of the organization model.
To use a system action, a user must be mapped to a position that has been granted all of the privileges that are required in at least one major version of the organization model.
To test for this, TIBCO ActiveMatrix BPM examines each major version of the organization model in turn. For each major version, BPM gathers the required privileges defined in that version for the system action. Then:
- If no required privileges have been defined in a given major version, that version is ignored.
- If required privileges are found in a version, and the user does not hold all those privileges, BPM proceeds to test other major versions.
- If any required privileges are found in a version, and the user holds all those privileges in that version, access to the system action is granted and the search stops: no further major versions of the organization model are checked.
If BPM has checked all the major versions of the organization model that exist, then:
- If a required privilege is defined in any major version, but the user does not qualify for access (see third bullet above), then access to the system action is denied.
- If there are no required privileges for the system action in any major version, access is granted or denied using the default access for that system action. Some system actions are open to all users by default unless any required privileges have been defined to override this default, while other system actions are denied by default; see "System Actions Reference" in the TIBCO ActiveMatrix BPM - BPM Developer’s Guide.
Different Organization Models with the Same Major Version
All organization models of the same major version (for instance, versions 2.0, 2.1, 2.2, 2.2.1, and 2.3) are merged, and any required privileges set against any system action in any such version are similarly merged. Therefore, to use a system action, a user must hold all the required privileges that are defined in all organization models of the same major version.
Example of using System Actions to Control Users’ Access to System Functions, continued
See: Example of using System Actions to Control Users’ Access to System Functions.
In the organization described in the example, changes in the business lead to the introduction of a new version of the organization model, Version 2.0, and the system action "View Work List" no longer requires the Manage Work privilege.
Carol Watts tries to view her colleague Phil Gregg’s worklist. In the current version of the organization model, there are no required privileges to prevent her doing this. Therefore:
- TIBCO ActiveMatrix BPM examines each major version of the organization model in turn. It starts with the current Version 2.0. No required privileges have been defined in this major version, so that version is ignored.
- Testing Version 1.0, however, ActiveMatrix BPM finds that a required privilege has been defined: the Manage Work privilege. In that same version, Carol Watts does not hold this privilege.
- ActiveMatrix BPM therefore does not grant Carol access, but proceeds to look for other major versions to test. Finding none, it refuses Carol access to the "View Work List" system action, even though there is no restriction in the latest version of the organization model to prevent her.
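The evaluation order and the same-major-version merge described above can be modelled in a few lines; this is an added sketch, not TIBCO code or a TIBCO API. It reproduces the Carol Watts result and also shows the converse that follows from the same rules: tightening the requirements in a newer major version does not remove access from a user who still satisfies an older one. The function names, data layout, the "Audit" privilege and the default-access values passed in are assumptions made for illustration.

```python
from collections import defaultdict

def merge_by_major(required_by_model):
    """Union the required privileges of every model sharing a major version."""
    merged = defaultdict(set)
    for version, privileges in required_by_model.items():
        merged[int(version.split(".")[0])] |= set(privileges)
    return dict(merged)

def check_system_action(required_by_model, held_by_major, default_access):
    """Return (granted, reason) using the evaluation order described above."""
    required_by_major = merge_by_major(required_by_model)
    restricted = False
    # Newest major version first, as in the Carol Watts walkthrough.
    for major in sorted(required_by_major, reverse=True):
        required = required_by_major[major]
        if not required:
            continue  # nothing required in this major version: ignored
        restricted = True
        if required <= held_by_major.get(major, set()):
            return True, f"granted by major version {major}"  # search stops
    if restricted:
        return False, "denied: no major version satisfied"
    return default_access, "no required privileges anywhere: default access"

# Constructed data for the page's example: 1.0 requires Manage Work, 2.0 nothing.
VIEW_WORK_LIST = {"1.0": {"Manage Work"}, "2.0": set()}
CAROL = {1: set(), 2: set()}  # holds no privileges in either version

# Constructed data: 2.x tightens the requirement ("Audit" is a made-up privilege),
# but a user who still satisfies 1.0 is granted access by the older version.
TIGHTENED = {"1.0": {"Manage Work"}, "2.0": {"Manage Work"}, "2.1": {"Audit"}}
LEGACY_USER = {1: {"Manage Work"}, 2: {"Manage Work"}}

if __name__ == "__main__":
    print(check_system_action(VIEW_WORK_LIST, CAROL, default_access=True))
    print(check_system_action(TIGHTENED, LEGACY_USER, default_access=False))
```

When reviewing a change to an action's required privileges, run the check against every major version still deployed, not only the latest one.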