System Actions and Organization Model Versions

When testing whether a user is authorized to perform a system action (that is, whether the user holds the required privileges), all major versions of the organization model are taken into account.

The privileges required to perform a system action are applied on a per-major-version basis. That is, the same system action may require a different set of privileges in different major versions of the organization model, and each set of required privileges is tested independently. Similarly, it is possible that a position to which a user is mapped may be granted different privileges in different versions of the organization model.

To use a system action, a user must be mapped to a position that has been granted all of the privileges required for that action in at least one major version of the organization model.

To test for this, TIBCO BPM Enterprise examines each major version of the organization model in turn. For each major version, TIBCO BPM Enterprise gathers the required privileges defined in that version for the system action. Then:

  • If no required privileges have been defined in a given major version, that version is ignored.
  • If required privileges are found in a version, and the user does not hold all those privileges, TIBCO BPM Enterprise proceeds to test the other major versions.
  • If any required privileges are found in a version, and the user holds all those privileges in that version, access to the system action is granted and the search stops: no further major versions of the organization model are checked.

When all of the major versions of the organization model have been checked:

  • If a required privilege is defined in any major version, but the user does not qualify for access (see third bullet above), then access to the system action is denied.
  • If there are no required privileges for the system action in any major version, access is granted or denied using the default access for that system action. Some system actions are open to all users by default unless any required privileges have been defined to override this default, while other system actions are denied by default.

Different Organization Models with the Same Major Version

All organization models of the same major version (for instance, versions 2.0, 2.1, 2.2, 2.2.1, and 2.3) are merged, and any required privileges set against any system action in any such version are similarly merged. Therefore, to use a system action, a user must hold all the required privileges that are defined in all organization models of the same major version.

Example of using System Actions to Control Users’ Access to System Functions, continued

See: Example of using System Actions to Control Users’ Access to System Functions.

In the organization described in the example, changes in the business lead to the introduction of a new version of the organization model, Version 2.0, and the system action, View Work List, no longer requires the Manage Work privilege.

Carol Watts tries to view her colleague Phil Gregg’s worklist. In the current version of the organization model, there are no required privileges to prevent her doing this. Therefore:

  • TIBCO BPM Enterprise examines each major version of the organization model in turn. It starts with the current Version 2.0. No required privileges have been defined in this major version, so that version is ignored.
  • Testing Version 1.0, however, TIBCO BPM Enterprise finds that a required privilege has been defined: the Manage Work privilege. In that same version, Carol Watts does not hold this privilege.
  • TIBCO BPM Enterprise therefore does not grant Carol access, but proceeds to look for other major versions to test. Finding none, it refuses Carol access to the View Work List system action, even though there is no restriction in the latest version of the organization model to prevent her.
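
The evaluation described above, including the merging of models that share a major version, can be modeled in a few lines. This is an added illustration, not TIBCO code: the dictionary layout, the function names, the newest-first ordering, and the assumption that a user's held privileges are merged across same-major models in the same way as required privileges are all hypothetical. The sample data is constructed from the Carol Watts scenario.

```python
from collections import defaultdict

def major(version):
    """Return the major component of a version string, e.g. '2.2.1' -> 2."""
    return int(version.split(".")[0])

def merge_majors(models, action, user):
    """Union required and held privileges over models sharing a major version."""
    merged = defaultdict(lambda: {"required": set(), "held": set()})
    for m in models:
        slot = merged[major(m["version"])]
        slot["required"] |= m["required"].get(action, set())
        slot["held"] |= m["held"].get(user, set())  # assumption: held sets merge too
    return merged

def is_authorized(models, action, user, default_allow):
    """Return (granted, reason) using the per-major-version test."""
    merged = merge_majors(models, action, user)
    any_required = False
    for maj in sorted(merged, reverse=True):  # assumed order: newest first
        required, held = merged[maj]["required"], merged[maj]["held"]
        if not required:
            continue  # no required privileges here: version is ignored
        any_required = True
        if required <= held:
            return True, f"granted by major version {maj}"  # search stops
    if any_required:
        return False, "denied: required privileges not held in any major version"
    return default_allow, "default access applied"

# Constructed data: Version 2.0 dropped the requirement, Version 1.0 still has it.
MODELS = [
    {"version": "1.0",
     "required": {"View Work List": {"Manage Work"}},
     "held": {"Carol Watts": set()}},
    {"version": "2.0",
     "required": {},
     "held": {"Carol Watts": set()}},
]

if __name__ == "__main__":
    # default_allow=True is an assumed default, used to show it is overridden
    print(is_authorized(MODELS, "View Work List", "Carol Watts", True))
```

Running the check for every system action against all deployed major versions is a quick way to find requirements left behind in an older model that still restrict access after a newer version has relaxed them.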