User Access Control to System Action Mapping
This topic lists each user access control and the system actions that you must have to access the function that the user access control provides.
Select the user access control name in the table to link to a description of the function.
Note that the DE.userAdmin system action also controls where the application reads configuration information (including user access):
- If the user has the DE.userAdmin system action, configuration information (including user access) is read from the database (if the Configuration Administrator had previously been used, which causes configuration to be written to the database).
- If the user does not have the DE.userAdmin system action, configuration information (including user access) is always read from disk (even if the Configuration Administrator had previously been used).
Some functions do not require a system action (e.g., all of the event view functions).
If the user is mapped to the System Administrator group in the version 0 organization model (i.e., the user has the “All System Actions” privilege), the application does not check the system actions—the user is given access to all system actions. For more information, see Provided User Access Sets.
Note that the system action names provided in the table below are the names shown in the User Access Privileges dialog that is available from the application (see Determining a User’s System Actions and User Access Controls). However, these are not the labels that are shown for the system actions in TIBCO Business Studio—those labels are not available to the application. They are, however, very similar. For example, the BRM.autoOpenNextWorkItem system action is labelled “Auto Open Next Work item” in Business Studio, the DE.LDAPAdmin system action is labelled “LDAP Admin” in Business Studio, and so on. One notable exception is the DE.userAdmin system action, which is labelled “User Settings” in Business Studio.
User Access Control | System Actions Needed |
---|---|
StartInstance | None |
DataView | BDS.readGlobalData |
DataView | BDS.manageDataViews, BDS.readGlobalData |
DataView | BDS.manageDataViews, BDS.readGlobalData |
DataView | BDS.manageDataViews, BDS.readGlobalData |
DataView | BDS.manageDataViews, BDS.readGlobalData |
DataView | BDS.readGlobalData |
DataView > DataViewList | BDS.readGlobalData |
DataView > DataViewList | BDS.readGlobalData |
DataView > DataViewList > DataViewResults | BDS.readGlobalData |
DataView > DataViewList > DataViewResults | BRM.viewGlobalWorkList, BDS.readGlobalData |
DataView > DataViewList > DataViewResults | BDS.readGlobalData, PE.queryProcessTemplate, PE.queryProcessInstance |
DataView > DataViewList > DataViewResults | EC.queryAudit, BDS.readGlobalData |
EventView | EC.queryAudit |
EventView | EC.queryAudit |
EventView > NewView | EC.queryAudit |
EventView | EC.queryAudit |
EventView | EC.queryAudit |
EventView | EC.queryAudit |
EventView | EC.queryAudit, WSB.applicationConfiguration |
EventView | EC.queryAudit, WSB.applicationConfiguration |
EventView | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | None |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
EventView > EventViewer > SelectColumns | EC.queryAudit |
EventView > EventViewer | EC.queryAudit |
BusinessService | BIZSVC.listBusinessService(1) |
BusinessService | BIZSVC.listBusinessService(1), BIZSVC.executeBusinessService |
BusinessService > StartBusinessService | BIZSVC.listBusinessService(1), BIZSVC.executeBusinessService |
BusinessService | BIZSVC.listBusinessService(1) |
BusinessService | BIZSVC.listBusinessService(1) |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance, WSB.applicationConfiguration |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance, WSB.applicationConfiguration |
ProcessView | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.haltedProcessAdministration |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.cancelProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.resumeProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.suspendProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.haltedProcessAdministration |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.haltedProcessAdministration |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, PE.haltedProcessAdministration |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance, DE.browseModel |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance > SelectColumns | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
ProcessView > ProcessInstance | PE.queryProcessTemplate, PE.queryProcessInstance |
WorkView | None |
WorkView | None |
WorkView | None |
WorkView | None |
WorkView | None |
WorkView | None |
WorkView | WSB.applicationConfiguration |
WorkView | WSB.applicationConfiguration |
WorkView | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewGlobalWorkList |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)), BRM.closeOtherResourcesItems (scope check(2)). Note: This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity. |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)), BRM.skipWorkItem (scope check(2)). Note: This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity. |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)), BRM.changeAnyWorkItemPriority (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)), BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.) Note: This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity. |
WorkView > SupervisedWorkItem | n/a. See the following two rows in this table for the system actions required for the work item allocation functions. |
WorkView > SupervisedWorkItem > AllocateToAnother | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)), BRM.reallocateToOfferSet (scope check(2)), BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.) |
WorkView > SupervisedWorkItem > AllocateToAnother | DE.browseModel, DE.resolveResource, DE.resourceAdmin, BRM.viewWorkList (scope check(2)), BRM.reallocateWorkItemToWorld (You must have this system action at the organization model level, as the one at the scoped level is not used.), BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.) Note: This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity. Also note that the function this controls is actually named Allocate to World. |
WorkView > SupervisedWorkItem > AllocateToAnother | n/a. There are no system actions that control access to the Toggle Preview button / menu selection. |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem > Preview | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem > Preview | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem > Preview | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView > SupervisedWorkItem | DE.browseModel, DE.resolveResource, BRM.viewWorkList (scope check(2)) |
WorkView | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource, BRM.autoOpenNextWorkItem |
WorkView > WorkItem | DE.resolveResource, BRM.autoOpenNextWorkItem |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource, BRM.skipWorkItem |
WorkView > WorkItem | DE.resolveResource, BRM.pendWorkItem |
WorkView > WorkItem | DE.resolveResource, BRM.changeAllocatedWorkItemPriority |
WorkView > WorkItem | DE.resolveResource, BRM.changeAnyWorkItemPriority |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource, BRM.workItemAllocation |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem > AllocateToAnother | DE.browseModel, DE.resolveResource, BRM.workItemAllocation |
WorkView > WorkItem > AllocateToAnother | DE.browseModel, DE.resolveResource, DE.resourceAdmin, BRM.workItemAllocation, BRM.reallocateWorkItemToWorld |
WorkView > WorkItem > AllocateToAnother | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
WorkView > WorkItem > Preview | DE.resolveResource |
WorkView > WorkItem > Preview | DE.resolveResource |
WorkView > WorkItem > Preview | DE.resolveResource |
WorkView > WorkItem | DE.resolveResource |
ProcessTemplate | PE.queryProcessTemplate |
ProcessTemplate | PE.queryProcessTemplate |
ProcessTemplate | PE.queryProcessTemplate |
ProcessTemplate | PE.queryProcessTemplate |
ShowPrivileges | None |
ExportFilterXML | None |
ApplicationLog | None |
ConfigureOptions | DE.userAdmin (also see the note on DE.userAdmin above) |
ConfigureOptions | DE.userAdmin (also see the note on DE.userAdmin above) |
ConfigureOptions | None |
ConfigureOptions | None |
ConfigureOptions | None |
ConfigureOptions > LocaleSelector | None |
Administration | None |
Administration | DE.userAdmin, WSB.applicationConfiguration |
ShowErrorDetail | None |
ShowErrorDetail | None |
ShowMainOrganizationBrowser | None |
OrganizationBrowser | DE.browseModel |
OrganizationBrowser | DE.browseModel, DE.LDAPAdmin |
OrganizationBrowser | DE.browseModel |
OrganizationBrowser | DE.browseModel |
OrganizationBrowser | DE.browseModel, DE.LDAPAdmin |
OrganizationBrowser | DE.browseModel |
OrganizationBrowser | DE.browseModel. And one of the following is needed to see a resource: |
OrganizationBrowser | DE.browseModel, DE.readParameters. And one of these is required to see a resource: |
OrganizationBrowser | n/a. This is never directly checked. |
OrganizationBrowser > ManageLDAPContainers | DE.browseModel, DE.LDAPAdmin |
OrganizationBrowser > ManageLDAPContainers | DE.browseModel, DE.LDAPAdmin |
OrganizationBrowser > ManageLDAPContainers | DE.browseModel, DE.LDAPAdmin, DE.deleteLDAPAdmin, DE.deleteResourceAdmin(3) |
OrganizationBrowser | DE.browseModel |
OrganizationBrowser > ShowOrganizationPreview | DE.browseModel |
OrganizationBrowser > ShowOrganizationPreview | DE.browseModel |
OrganizationBrowser > ShowOrganizationPreview | DE.browseModel, DE.readPushDestinations |
OrganizationBrowser | DE.browseModel, DE.resolveResource. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > ShowResourcePreview | DE.browseModel, DE.resolveResource. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > ShowResourcePreview | DE.browseModel, DE.resolveResource. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > ShowResourcePreview | DE.browseModel, DE.resolveResource, DE.readParameters. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > ShowResourcePreview | DE.browseModel, DE.resolveResource. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > ShowResourcePreview | DE.browseModel, DE.resolveResource. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > ShowResourcePreview | DE.browseModel, DE.resolveResource, DE.readPushDestinations. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser | n/a. This is never directly checked. |
OrganizationBrowser > EditOrganization | DE.browseModel, DE.readPushDestinations, DE.writePushDestinations |
OrganizationBrowser > EditOrganization | DE.browseModel, DE.importLDAPAdmin |
OrganizationBrowser > EditOrganization | DE.browseModel, DE.exportLDAPAdmin |
OrganizationBrowser | n/a. This is never directly checked. |
OrganizationBrowser > EditResources | DE.browseModel, DE.resolveResource, DE.resourceAdmin. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > EditResources | DE.browseModel, DE.resolveResource, DE.resourceAdmin. And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container: |
OrganizationBrowser > EditResources | DE.browseModel, DE.readParameters, DE.writeParameters. And one of these is required to see a resource: |
OrganizationBrowser > EditResources | DE.browseModel, DE.resourceAdmin. And one of these is required to see a resource: |
OrganizationBrowser > EditResources | DE.browseModel, DE.readPushDestinations, DE.writePushDestinations. And one of these is required to see a resource: |
OrganizationBrowser > EditResources | DE.browseModel, DE.createResourceAdmin, DE.LDAPAdmin (indirectly needed: required to view lists of resources for an LDAP container, the only place where potential resources will exist) |
OrganizationBrowser > EditResources | DE.browseModel, DE.deleteResourceAdmin. One of these is required to see a resource: |
OrganizationBrowser > EditResources | DE.browseModel, DE.resolveResource, DE.resourceAdmin, DE.LDAPAdmin |
Help | None |
Help | None |
Help | None |
Help | None |
CustomMenuAccess | None |
CustomInterfaces | None (Note, however, that you may need a system action for the location at which the custom interface launch control appears. For example, if a custom interface menu appears on the work item list, you need the appropriate system action to access the work item list.) |
(1) Although you need the BIZSVC.listBusinessService system action to list business services, and the BIZSVC.executeBusinessService system action to execute business services, you might need other system actions for your business services to execute correctly. For example, if your business service creates stateful instances of processes, you will also need the PE.startprocess system action. If that instance then creates a user task (work item) for the first step, you would also need the BRM.scheduleWorkItem system action.
(2) A scope check means that it checks to see if the system action is set on a specific group, organization unit, or position (for the purpose of providing access to supervised work views). If the system action is not set on a scoped level, it checks to see if it is set at the organization model level. For more information, see Scope of System Actions.
(3) This system action is needed to delete an LDAP container that contains resources.
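
The scope check in footnote (2), the organization-model-only rule stated for BRM.workItemAllocation in supervised work views, and the System Administrator bypass can be modelled for a least-privilege audit as follows. This is an added example, not TIBCO code: the row labels, the `Grants` class and the entity names are hypothetical, and it assumes that actions without a scope-check mark are checked at the organization model level.

```python
from dataclasses import dataclass, field

# Two supervised work view rows copied from the table above. The keys are
# hypothetical labels. Each entry is (system action, scope_checked).
ROWS = {
    "supervised_skip": [
        ("DE.browseModel", False), ("DE.resolveResource", False),
        ("BRM.viewWorkList", True), ("BRM.skipWorkItem", True),
    ],
    "supervised_allocate": [
        ("DE.browseModel", False), ("DE.resolveResource", False),
        ("BRM.viewWorkList", True),
        # Per the table: the scoped grant of this action is not used.
        ("BRM.workItemAllocation", False),
    ],
}

@dataclass
class Grants:
    """Constructed model of one user's privileges (not a TIBCO structure)."""
    org_model: set = field(default_factory=set)  # set at organization model level
    scoped: dict = field(default_factory=dict)   # entity name -> actions set on it
    all_system_actions: bool = False             # System Administrator group

def missing_actions(grants, row, entity=None):
    """Return the system actions from `row` that the user lacks for `entity`."""
    if grants.all_system_actions:
        return []  # system actions are not checked for this user
    missing = []
    for action, scope_checked in ROWS[row]:
        on_entity = scope_checked and action in grants.scoped.get(entity, set())
        # Scope check: the scoped level first, then the organization model level.
        # Assumption: unmarked actions are checked at the organization model level.
        if not (on_entity or action in grants.org_model):
            missing.append(action)
    return missing

def audit(users, row, entity):
    """Map each user to the actions still missing; an empty list means access."""
    return {name: missing_actions(g, row, entity) for name, g in users.items()}

# Constructed sample users.
USERS = {
    "supervisor": Grants(
        org_model={"DE.browseModel", "DE.resolveResource"},
        scoped={"Claims": {"BRM.viewWorkList", "BRM.skipWorkItem",
                           "BRM.workItemAllocation"}},
    ),
    "sysadmin": Grants(all_system_actions=True),
}
```

Calling `audit(USERS, "supervised_allocate", "Claims")` reports that the supervisor's scoped BRM.workItemAllocation grant does not satisfy the row, while the same scoped grants are enough for `supervised_skip`.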