Example of using System Actions to Control Users’ Access to System Functions
The following example presents a very simple scenario that illustrates how system actions can be used to control users’ access to system functions.
The illustration below shows the organization model of the easyAs Insurance company’s Claims Management department. The department contains two sub-departments, Customer Service and Claims Handling. Each has a managerial position (Call Supervisor and Claims Manager respectively) and a staff position (Call Handler and Claims Handler). The department is headed overall by a VP Claims Management.
To assist in processing work efficiently, the department has the following requirements:
- The VP Claims Management should be able to view the work list of anybody in the department.
- The Call Supervisor should be able to view the work list of all Call Handlers.
- The Claims Manager should be able to view the work list of all Claims Handlers.
- The Claims Manager and Call Supervisor should not be able to view the work list of anybody in the other department.
The system action View Work List can be used to implement these requirements. By default, no user is allowed to perform this action, so its use must be authorized at the appropriate levels. This is achieved in the following way:
- Using the TIBCO Business Studio Organization Modeler, the business analyst defines a privilege called Manage Work. This will be used to control access to other users’ work lists. The analyst also defines a Department qualifier for this privilege, the value of which will be used to identify which department the privilege applies to.
- The analyst assigns the Manage Work privilege to the View Work List system action for different entities in the organization model, as shown below.
- This defines the privilege that will be required to view the work lists of users in the department, as follows:
- To view a work list of a user in the Customer Service or Claims Handling organization unit, a user will need to hold the (unqualified) Manage Work privilege.
- To view a work list of a user who holds the Call Handler position, a user will need to hold either an unqualified Manage Work privilege, or hold the privilege with the Department qualifier set to CustServ.
- To view a work list of a user who holds the Claims Handler position, a user will need to hold either an unqualified Manage Work privilege, or hold the privilege with the Department qualifier set to Claims.
- The analyst assigns the Manage Work privilege to the organization model entities that need it, as shown below.
- This defines the privileges that will be inherited by users who are assigned to the following positions:
- The user who is the VP Claims Management will have the (unqualified) Manage Work privilege.
- Call Supervisor users will have the Manage Work privilege, qualified with the value CustServ.
- Claims Manager users will have the Manage Work privilege, qualified with the value Claims.
The organization model now contains the necessary information and is deployed to the TIBCO ActiveMatrix BPM runtime.
- Using the Organization Browser, the administrator adds users from the company’s LDAP directory to the appropriate positions in the organization model. These users inherit the privileges defined earlier, as shown below.
The following diagram shows how the system action and privilege settings interact at runtime, to determine which users have access to which work lists.
(1) Sheila Morris, the VP Claims Management, can view the work lists of everybody in the Customer Service and Claims Handling departments (Ed Young, Carol Watts, Phil Gregg, Jim Smith and Tom Jones), because she holds the unqualified Manage Work privilege.
(2) In the Customer Service department, Ed Young, the Call Supervisor, can view the work lists of his Call Handler reports, Carol Watts and Phil Gregg. He cannot see the work lists of anybody in the Claims Handling department, because his Manage Work privilege is qualified with CustServ.
(3) In the Claims Handling department, Jim Smith, the Claims Manager, can view the work list of his Claims Handler report, Tom Jones. He cannot see the work lists of anybody in the Customer Service department, because his Manage Work privilege is qualified with Claims.
(4) The Call Handlers (Carol Watts and Phil Gregg) and Claims Handler (Tom Jones) cannot view anybody else’s work lists, even in their own departments, as they have not been granted the Manage Work privilege.
(5) Nobody in the Customer Service or Claims Handling departments can view Sheila Morris’ work list. This is because no privilege has been assigned to the View Work List system action for either the Claims Management organization unit or the VP Claims Management position.
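To make the runtime evaluation in (1) to (5) concrete, the following Python model is an added illustration written for this page; it is not TIBCO ActiveMatrix BPM code and does not use its API. It encodes the organization model, the privilege assigned to the View Work List system action on each entity, the privileges granted to each position, and the user-to-position mapping from the steps above, and then evaluates who can view whose work list. Two rules are assumptions of the model, chosen because they reproduce every outcome listed above: an unqualified held privilege satisfies any requirement for that privilege, while a qualified held privilege satisfies only a requirement carrying the same qualifier value (so it does not satisfy an unqualified requirement); and access is granted, with default deny, when at least one entity the target user belongs to (position, its organization unit, or an ancestor unit) has the action enabled with a requirement the actor satisfies. The names and Department qualifier values are taken from the page; the function names and data layout are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Toy model of system-action authorization, written for this page.
# It is NOT the TIBCO ActiveMatrix BPM engine or its API; the matching and
# combination rules below are assumptions that reproduce the page's outcomes.

ACTION = "View Work List"


@dataclass(frozen=True)
class Privilege:
    name: str
    qualifier: Optional[str] = None  # None = unqualified


def satisfies(held: Privilege, required: Privilege) -> bool:
    """Does a held privilege satisfy the privilege required on an entity?"""
    if held.name != required.name:
        return False
    if held.qualifier is None:
        return True  # an unqualified privilege covers every qualifier value
    # ASSUMPTION: a qualified privilege matches only the same qualifier value,
    # so it never satisfies an unqualified requirement.
    return held.qualifier == required.qualifier


# Organization model from the page: org-unit hierarchy and positions.
ORG_UNIT_PARENT: Dict[str, Optional[str]] = {
    "Claims Management": None,
    "Customer Service": "Claims Management",
    "Claims Handling": "Claims Management",
}
POSITION_ORG_UNIT: Dict[str, str] = {
    "VP Claims Management": "Claims Management",
    "Call Supervisor": "Customer Service",
    "Call Handler": "Customer Service",
    "Claims Manager": "Claims Handling",
    "Claims Handler": "Claims Handling",
}

# Privilege assigned to the View Work List system action on each entity.
# Entities absent here have the action disabled for them (default deny).
ACTION_REQUIREMENTS: Dict[Tuple[str, str], Privilege] = {
    (ACTION, "Customer Service"): Privilege("Manage Work"),
    (ACTION, "Claims Handling"): Privilege("Manage Work"),
    (ACTION, "Call Handler"): Privilege("Manage Work", "CustServ"),
    (ACTION, "Claims Handler"): Privilege("Manage Work", "Claims"),
}

# Privileges granted to positions; users inherit them from their position.
POSITION_PRIVILEGES: Dict[str, Set[Privilege]] = {
    "VP Claims Management": {Privilege("Manage Work")},
    "Call Supervisor": {Privilege("Manage Work", "CustServ")},
    "Claims Manager": {Privilege("Manage Work", "Claims")},
}

# Users mapped into positions (the Organization Browser step).
USER_POSITION: Dict[str, str] = {
    "Sheila Morris": "VP Claims Management",
    "Ed Young": "Call Supervisor",
    "Carol Watts": "Call Handler",
    "Phil Gregg": "Call Handler",
    "Jim Smith": "Claims Manager",
    "Tom Jones": "Claims Handler",
}


def held_privileges(user: str) -> Set[Privilege]:
    return POSITION_PRIVILEGES.get(USER_POSITION[user], set())


def entities_of(user: str) -> List[str]:
    """The user's position, its org unit, and every ancestor org unit."""
    position = USER_POSITION[user]
    entities = [position]
    unit: Optional[str] = POSITION_ORG_UNIT[position]
    while unit is not None:
        entities.append(unit)
        unit = ORG_UNIT_PARENT[unit]
    return entities


def can_perform(actor: str, action: str, target: str) -> bool:
    """ASSUMPTION: allowed iff some entity the target belongs to has the action
    enabled with a requirement the actor satisfies; otherwise denied."""
    held = held_privileges(actor)
    for entity in entities_of(target):
        required = ACTION_REQUIREMENTS.get((action, entity))
        if required is not None and any(satisfies(h, required) for h in held):
            return True
    return False


def visible_work_lists(actor: str) -> List[str]:
    """Other users whose work list the actor may view, sorted by name."""
    return sorted(u for u in USER_POSITION
                  if u != actor and can_perform(actor, ACTION, u))


if __name__ == "__main__":
    for user in USER_POSITION:
        print(f"{user:14} -> {visible_work_lists(user)}")
```

Running the script lists, for each user, exactly the work lists described in (1) to (5): Sheila Morris sees everybody else, Ed Young sees only Carol Watts and Phil Gregg, Jim Smith sees only Tom Jones, the handlers see nobody, and nobody sees Sheila Morris. The model also makes the caveat in (5) visible: adding an entry for `(ACTION, "Claims Management")` with the unqualified Manage Work privilege would let every holder of the unqualified privilege view the VP's work list, since the action would then be enabled on an organization unit that the VP's position belongs to. Whether a user may view their own work list is not covered by the page, so the model excludes the actor from the result.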