User Access Control to System Action Mapping

This topic lists each of the user access controls, and all of the system actions that you need to have access to the function provided by the user access control.

Select the user access control name in the table to link to a description of the function.

Note: The DE.userAdmin system action does not control access to a function like other system actions. Although its name implies it has to do with user administration, it doesn’t. It is used to control whether or not the application will persist user settings. If the user does not have this system action, user settings (e.g., any views that are created, columns that are changed, any changes made via the User Options dialog, etc.) are not persisted. The changes can be made by the user (if they have the appropriate access to make the changes), but they will persist only for the current login session.

Note that the DE.userAdmin system action also controls where the application reads configuration information (including user access):

  • If the user has the DE.userAdmin system action, configuration information (including user access) is read from the database (if the Configuration Administrator had previously been used, which causes configuration to be written to the database).
  • If the user does not have the DE.userAdmin system action, configuration information (including user access) is always read from disk (even if the Configuration Adminstrator had previously been used).

Some functions do not require a system action (e.g., all of the event view functions).

If the user is mapped to the System Administrator group in the version 0 organization model (i.e., the user has the “All System Actions” privilege), the application does not check the system actions—the user is given access to all system actions. For more information, see Provided User Access Sets.

Note that the system action names provided in the table below are the names shown in the User Access Privileges dialog that is available from the application (see Determining a User’s System Actions and User Access Controls). However, these are not the labels that are shown for the system actions in TIBCO Business Studio—those labels are not available to the application. They are, however, very similar. For example, the BRM.autoOpenNextWorkItem system action is labelled “Auto Open Next Work item” in Business Studio, the DE.LDAPAdmin system action is labelled “LDAP Admin” in Business Studio, and so on. One notable exception is the DE.userAdmin system action, which is labelled “User Settings” in Business Studio.

User Access Control System Actions Needed
StartInstance None
DataView BDS.readGlobalData
DataView

      NewView

BDS.manageDataViews, BDS.readGlobalData
DataView

      EditView

BDS.manageDataViews, BDS.readGlobalData
DataView

      RemoveView

BDS.manageDataViews, BDS.readGlobalData
DataView

      NewCategory

BDS.manageDataViews, BDS.readGlobalData
DataView

      DataViewList

BDS.readGlobalData
DataView

      DataViewList

            PageSize

BDS.readGlobalData
DataView

      DataViewList

            DataViewResults

BDS.readGlobalData
DataView

      DataViewList

            DataViewResults

                  GlobalDataPreview

BDS.readGlobalData
DataView

      DataViewList

            DataViewResults

                  WorkItems

BRM.viewGlobalWorkList, BDS.readGlobalData
DataView

      DataViewList

            DataViewResults

                  ProcessInstances

BDS.readGlobalData

PE.queryProcessTemplate

PE.queryProcessInstance

DataView

      DataViewList

            DataViewResults

                  EventViewer

EC.queryAudit, BDS.readGlobalData
EventView EC.queryAudit
EventView


         NewView

EC.queryAudit
EventView
      

   NewView

   
CustomView

EC.queryAudit
EventView

   
EditView

EC.queryAudit
EventView

   
RemoveView

EC.queryAudit
EventView

   
BaseFilter

EC.queryAudit
EventView


   CreateSystemView

EC.queryAudit

WSB.applicationConfiguration

EventView

   
AuthorSystemView

EC.queryAudit

WSB.applicationConfiguration

EventView


   EventViewer

EC.queryAudit
EventView
      

   EventViewer


      SaveView

EC.queryAudit
EventView
      

   EventViewer


      SetRetrieveCount

None
EventView

   EventViewer


      SaveViewAs

EC.queryAudit
EventView
      

   EventViewer


       CorrelatedEvents

EC.queryAudit
EventView

   EventViewer

      
EventAttributes

EC.queryAudit
EventView

   EventViewer


      EventLinks

EC.queryAudit
EventView


   EventViewer


      Filter

EC.queryAudit
EventView

   EventViewer


      Sort

EC.queryAudit
EventView
      

   EventViewer


      Find

EC.queryAudit
EventView
      

   EventViewer


      SelectAttributes

EC.queryAudit
EventView
      

   EventViewer


      SelectColumns

EC.queryAudit
EventView

      EventViewer

            SelectColumns

                   DefaultColumns

EC.queryAudit
EventView

      EventViewer

            PageSize

EC.queryAudit
BusinessService BIZSVC.listBusinessService(1)
BusinessService


      StartBusinessService

BIZSVC.listBusinessService(1)

BIZSVC.executeBusinessService

BusinessService


      StartBusinessService

            Favorites

BIZSVC.listBusinessService(1)

BIZSVC.executeBusinessService

BusinessService

      Find

BIZSVC.listBusinessService(1)
BusinessService

      DockFloatOption

BIZSVC.listBusinessService(1)
ProcessView PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      ShowAllInstances

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      NewView

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      EditView

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      RemoveView

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      BaseFilter

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      CreateSystemView

PE.queryProcessTemplate

PE.queryProcessInstance

WSB.applicationConfiguration

ProcessView

      AuthorSystemView

PE.queryProcessTemplate

PE.queryProcessInstance

WSB.applicationConfiguration

ProcessView

      ProcessInstance

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            DefineHaltedView

PE.queryProcessTemplate

PE.queryProcessInstance

PE.haltedProcessAdministration

ProcessView


      ProcessInstance

            ShowTerminalInstances

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            SaveView

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            SaveViewAs

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            Cancel

PE.queryProcessTemplate

PE.queryProcessInstance

PE.cancelProcessInstance

ProcessView


      ProcessInstance

            Resume

PE.queryProcessTemplate

PE.queryProcessInstance

PE.resumeProcessInstance

ProcessView


      ProcessInstance

            Suspend

PE.queryProcessTemplate

PE.queryProcessInstance

PE.suspendProcessInstance

ProcessView


      ProcessInstance

            ResumeHalted

PE.queryProcessTemplate

PE.queryProcessInstance

PE.haltedProcessAdministration

ProcessView


      ProcessInstance

            Retry

PE.queryProcessTemplate

PE.queryProcessInstance

PE.haltedProcessAdministration

ProcessView


      ProcessInstance

            Ignore

PE.queryProcessTemplate

PE.queryProcessInstance

PE.haltedProcessAdministration

ProcessView


      ProcessInstance

            Filter

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            Sort

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            Find

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

           ShowOutstanding

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            ShowOutstandingAdmin

PE.queryProcessTemplate

PE.queryProcessInstance

DE.browseModel

ProcessView


      ProcessInstance

            EventViewer

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView


      ProcessInstance

            SelectColumns

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      ProcessInstance

            SelectColumns

                   DefaultColumns

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      ProcessInstance

            PageSize

PE.queryProcessTemplate

PE.queryProcessInstance

ProcessView

      ProcessInstance

            ShowCustomAttributes

PE.queryProcessTemplate

PE.queryProcessInstance

WorkView None
WorkView

      ShowInbox

None
WorkView

      NewView

None
WorkView

      EditView

None
WorkView

      RemoveView

None
WorkView

      BaseFilter

None
WorkView

      CreateSystemView

WSB.applicationConfiguration
WorkView

      AuthorSystemView

WSB.applicationConfiguration
WorkView

      SupervisedWorkItem

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check(2) )

WorkView


      SupervisedWorkItem

            AllWorkItems

DE.browseModel

DE.resolveResource

BRM.viewGlobalWorkList

WorkView


      SupervisedWorkItem

            Cancel

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

BRM.closeOtherResourcesItems (scope check2)

Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.

WorkView


      SupervisedWorkItem

            Skip

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

BRM.skipWorkItem (scope check2)

Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.

WorkView


      SupervisedWorkItem

            PrioritizeAny

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

BRM.changeAnyWorkItemPriority (scope check2)

WorkView


      SupervisedWorkItem

            Reoffer

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.)

Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.

WorkView


      SupervisedWorkItem

            AllocateToAnother

n/a

See the following two rows in this table for the system actions required for the work item allocation functions.

WorkView


      SupervisedWorkItem


            AllocateToAnother

                 CanAllocateFromOfferSet

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

BRM.reallocateToOfferSet (scope check2)

BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.)

WorkView


      SupervisedWorkItem


            AllocateToAnother

                 CanAllocateFromOrganization

DE.browseModel

DE.resolveResource

DE.resourceAdmin

BRM.viewWorkList (scope check2)

BRM.reallocateWorkItemToWorld (You must have this system action at the organization model level, as the one at the scoped level is not used.)

BRM.workItemAllocation (You must have this system action at the organization model level, as the one at the scoped level is not used.)

Note - This function is available only from a supervised work view for a resource; it is not available from a supervised work view for an organizational entity.

Also note that the function this controls is actually named Allocate to World.

WorkView


      SupervisedWorkItem


            AllocateToAnother

                 ShowResourcePreview

n/a

There are no system actions that control access to the Toggle Preview button / menu selection.

WorkView


      SupervisedWorkItem

            EventViewer

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView


      SupervisedWorkItem

            Filter

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView


      SupervisedWorkItem

            Sort

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView


      SupervisedWorkItem

            Find

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView


      SupervisedWorkItem

            AutoRefresh

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView


      SupervisedWorkItem

            SelectColumns

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView


      SupervisedWorkItem

                   DefaultColumns

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      SupervisedWorkItem

            Preview

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      SupervisedWorkItem

            PreviewData

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      SupervisedWorkItem

            Preview

                   PreviewOn

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      SupervisedWorkItem

            Preview

                   PreviewFloat

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      SupervisedWorkItem

            Preview

                   PreviewOff

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      SupervisedWorkItem

            PageSize

DE.browseModel

DE.resolveResource

BRM.viewWorkList (scope check2)

WorkView

      WorkItem

DE.resolveResource
WorkView


      WorkItem

            SaveView

DE.resolveResource
WorkView


      WorkItem

            SaveViewAs

DE.resolveResource
WorkView


      WorkItem

            Open

DE.resolveResource
WorkView


      WorkItem

            OpenNext

DE.resolveResource

BRM.autoOpenNextWorkItem

WorkView


      WorkItem

            OpenAuto

DE.resolveResource

BRM.autoOpenNextWorkItem

WorkView


      WorkItem

            Cancel

DE.resolveResource
WorkView


      WorkItem

            Skip

DE.resolveResource

BRM.skipWorkItem

WorkView


      WorkItem

            Pend

DE.resolveResource

BRM.pendWorkItem

WorkView


      WorkItem

            PrioritizeAllocated

DE.resolveResource

BRM.changeAllocatedWorkItemPriority

WorkView


      WorkItem

            PrioritizeAny

DE.resolveResource

BRM.changeAnyWorkItemPriority

WorkView


      WorkItem

            AllocateToSelf

DE.resolveResource
WorkView


      WorkItem

            Reoffer

DE.resolveResource

BRM.workItemAllocation

WorkView


      WorkItem

            AllocateToAnother

DE.resolveResource
WorkView


      WorkItem


            AllocateToAnother

                 CanAllocateFromOfferSet

DE.browseModel

DE.resolveResource

BRM.workItemAllocation

WorkView


      WorkItem


            AllocateToAnother

                 CanAllocateFromOrganization

DE.browseModel

DE.resolveResource

DE.resourceAdmin

BRM.workItemAllocation

BRM.reallocateWorkItemToWorld

WorkView


      WorkItem


            AllocateToAnother

                 ShowResourcePreview

DE.resolveResource
WorkView


      WorkItem

            EventViewer

DE.resolveResource
WorkView


      WorkItem

            Filter

DE.resolveResource
WorkView


      WorkItem

            Sort

DE.resolveResource
WorkView


      WorkItem

            Find

DE.resolveResource
WorkView


      WorkItem

            AutoRefresh

DE.resolveResource
WorkView


      WorkItem

            SelectColumns

DE.resolveResource
WorkView


      WorkItem

                   DefaultColumns

DE.resolveResource
WorkView

      WorkItem

            Preview

DE.resolveResource
WorkView

      WorkItem

            PreviewData

DE.resolveResource
WorkView

      WorkItem

            Preview

                   PreviewOn

DE.resolveResource
WorkView

      WorkItem

            Preview

                   PreviewFloat

DE.resolveResource
WorkView

      WorkItem

            Preview

                   PreviewOff

DE.resolveResource
WorkView

      WorkItem

            PageSize

DE.resolveResource
ProcessTemplate PE.queryProcessTemplate
ProcessTemplate

      Filter

PE.queryProcessTemplate
ProcessTemplate

      Sort

PE.queryProcessTemplate
ProcessTemplate

      Select Columns

PE.queryProcessTemplate
ShowPrivileges None
ExportFilterXML None
ApplicationLog None
ConfigureOptions DE.userAdmin (also see note on page 41 )
ConfigureOptions

      Layout

DE.userAdmin (also see note on page 41 )
ConfigureOptions

      WorkItemFloatOverride

None
ConfigureOptions

      BusinessServiceFloatOverride

None
ConfigureOptions

      LocaleSelector

None
ConfigureOptions

      LocaleSelector

            DisplayInAppHeader

None
Administration None
Administration

      Configuration

DE.userAdmin

WSB.applicationConfiguration

ShowErrorDetail None
ShowErrorDetail

      ShowStackTrace

None
ShowMainOrganizationBrowser None
OrganizationBrowser DE.browseModel
OrganizationBrowser

      ShowContainersTree

DE.browseModel

DE.LDAPAdmin

OrganizationBrowser

      ShowGroupsTree

DE.browseModel
OrganizationBrowser

      ShowOrganizationTree

DE.browseModel
OrganizationBrowser

      ListPotentialResources

DE.browseModel

DE.LDAPAdmin

OrganizationBrowser

      EventViewerForOrganization

DE.browseModel
OrganizationBrowser

      EventViewerForResource

DE.browseModel

And one of the following is needed to see a resource:

  • DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container)
  • DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser

      ShowResourceAttributesInResourceList

DE.browseModel

DE.readParameters

And one of these is required to see a resource:

  • DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container)
  • DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser

      ManageLDAPContainers

n/a

This is never directly checked.

OrganizationBrowser


      ManageLDAPContainers

           NewContainer

DE.browseModel

DE.LDAPAdmin

OrganizationBrowser


      ManageLDAPContainers

           EditContainer

DE.browseModel

DE.LDAPAdmin

OrganizationBrowser


      ManageLDAPContainers

           DeleteContainer

DE.browseModel

DE.LDAPAdmin

DE.deleteLDAPAdmin

DE.deleteResourceAdmin(3)

OrganizationBrowser

      ShowOrganizationPreview

DE.browseModel
OrganizationBrowser


      ShowOrganizationPreview

           PreviewPrivileges

DE.browseModel
OrganizationBrowser


      ShowOrganizationPreview

           PreviewCapabilities

DE.browseModel
OrganizationBrowser


      ShowOrganizationPreview

           PreviewPushDestinations

DE.browseModel

DE.readPushDestinations

OrganizationBrowser

      ShowResourcePreview

DE.browseModel

DE.resolveResource

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      ShowResourcePreview

           PreviewGroupMembership

DE.browseModel

DE.resolveResource

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      ShowResourcePreview

           PreviewPositionsHeld

DE.browseModel

DE.resolveResource

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      ShowResourcePreview

           PreviewResourceAttributes

DE.browseModel

DE.resolveResource

DE.readParameters

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      ShowResourcePreview

           PreviewPrivileges

DE.browseModel

DE.resolveResource

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      ShowResourcePreview

           PreviewCapabilities

DE.browseModel

DE.resolveResource

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      ShowResourcePreview

           PreviewPushDestinations

DE.browseModel

DE.resolveResource

DE.readPushDestinations

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser

      EditOrganization

n/a

This is never directly checked.

OrganizationBrowser


      EditOrganization

           EditOrgPushDestinations

DE.browseModel

DE.readPushDestinations

DE.writePushDestinations

OrganizationBrowser


      EditOrganization

           Import

DE.browseModel

DE.importLDAPAdmin

OrganizationBrowser


      EditOrganization

           Export

DE.browseModel

DE.exportLDAPAdmin

OrganizationBrowser

      EditResources

n/a

This is never directly checked.

OrganizationBrowser


      EditResources

            EditGroupMembership

DE.browseModel

DE.resolveResource

DE.resourceAdmin

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      EditResources

            EditPositionsHeld

DE.browseModel

DE.resolveResource

DE.resourceAdmin

And if you are performing this function via the list of resources in an LDAP container, you need the following system action to view the resources in the container:

  • DE.LDAPAdmin
OrganizationBrowser


      EditResources

            EditResourceAttributes

DE.browseModel

DE.readParameters

DE.writeParameters

And one of these is required to see a resource:

  • DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container)
  • DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser


      EditResources

            EditCapabilities

DE.browseModel

DE.resourceAdmin

And one of these is required to see a resource:

  • DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container)
  • DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser


      EditResources

            EditPushDestinations

DE.browseModel

DE.readPushDestinations

DE.writePushDestinations

And one of these is required to see a resource:

  • DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container)
  • DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser


      EditResources

            CreateResources

DE.browseModel

DE.createResourceAdmin

DE.LDAPAdmin (indirectly needed—required to view lists of resources for an LDAP container, the only place where potential resources will exist)

OrganizationBrowser


      EditResources

            DeleteResources

DE.browseModel

DE.deleteResourceAdmin

One of these is required to see a resource:

  • DE.LDAPAdmin (indirectly needed to list resources from an LDAP Container)
  • DE.resourceAdmin or DE.resolveResource (indirectly needed to list resources in a group or position)
OrganizationBrowser


      EditResources

            RenameResource

DE.browseModel

DE.resolveResource

DE.resourceAdmin

DE.LDAPAdmin

Help None
Help

      Help

None
Help

      About

None
Help

      OrganizationBrowser

None
CustomMenuAccess None
CustomInterfaces None (Note, however, that you may need a system action for the location at which the custom interface launch control appears. For example, if a custom interface menu appears on the work item list, you need the appropriate system to access the work item list.)
(1) Although you need the BIZSVC.listBusinessService system action to list business services, and the BIZSVC.executeBusinessService system action to execute business services, you might need other system actions for your business services to execute correctly. For example, if your business service creates statefull instances of processes, you will also need the PE.startprocess system action. If that instance then creates a user task (work item) for the first step, you would also need the BRM.scheduleWorkItem system action.

(2) A scope check means that it checks to see if the system action is set on a specific group, organization unit, or position (for the purpose of providing access to supervised work views). If the system action is not set on a scoped level, it checks to see if it is set at the organization model level. For more information, see Scope of System Actions .

(3) This system action is needed to delete an LDAP container that contains resources.

 
Note: The following three event-related system actions are also available from TIBCO Business Studio, although they are not currently used. Therefore, they are not shown in the table above:
  • EC.openWorkItemAuditTrail
  • EC.listProcessTemplateAuditTrail
  • EC.showProcessInstanceAuditTrail
Note: There is also a DE.organizationAdmin system action available that does not have a corresponding user access control. This system action overrides container organization relationships as defined in the Organization Browser. Resources with this system action can see all organizations, regardless the organization relationships that have been defined.