Security (Permissions)

Overview

In order to secure AutoMate BPA Server and its resources, administrators and users with administrative rights can set security permissions on objects and folders. Permissions define the type of access granted to a user or group for a specific object or group of objects such as tasks, workflows, users and folders. For example, you can grant one user permission to view, edit or run all tasks but deny permission to create them, and grant another user permission to create tasks but deny permission to run them. Permissions can be set for an individual object or all objects contained in a folder.    


Permission Precedence

Because objects can have many different permission settings, it is possible that conflicting permissions might apply to a particular object. When this occurs, the server performs a process of resolving the various permissions to determine which ones should govern the access.

First, it determines whether the user, or any group to which the user belongs, has a permission set for the object. If the user and group entries conflict over whether the permission is granted or denied, the permission with the least privilege takes precedence.

If no user/group can be resolved for the object, the server examines the permissions set for the folder containing the object. The same logic applies at this level. If no user/group can be resolved at this level, the folder’s parent folder is inspected, and on up the folder structure until either the permission is resolved or the root folder is reached. If the permission hasn’t been resolved once the root folder is evaluated, the permission is denied.
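The resolution order described above, sketched as an added example (not AutoMate code or its API). The dictionary-based ACL model, the path names and the principals are assumptions made for illustration, as is treating "resolved" as "an entry exists for this specific permission".

```python
# Added illustration of the precedence rules above; not AutoMate BPA Server code.
# Assumed model: acls maps an object/folder path -> {principal: {permission: decision}}.
from typing import Optional

ALLOW, DENY = "allow", "deny"


def resolve_at_level(acl: dict, principals: set, permission: str) -> Optional[str]:
    """Resolve a single level (one object or one folder).

    Returns None when neither the user nor any of the user's groups
    has an entry for this permission at this level.
    """
    decisions = {acl[p][permission] for p in principals
                 if p in acl and permission in acl[p]}
    if not decisions:
        return None
    # User and group entries disagree: least privilege (Deny) wins.
    return DENY if DENY in decisions else ALLOW


def is_allowed(acls: dict, path: str, user: str, groups: set, permission: str) -> bool:
    """Check the object first, then each parent folder up to the root ("/")."""
    principals = {user} | set(groups)
    node = path
    while True:
        decision = resolve_at_level(acls.get(node, {}), principals, permission)
        if decision is not None:
            return decision == ALLOW  # first level that resolves decides
        if node == "/":
            return False  # still unresolved at the root folder: denied
        node = node.rsplit("/", 1)[0] or "/"


# Constructed sample data (all names and paths are hypothetical).
SAMPLE_ACLS = {
    "/": {"Operators": {"Read": ALLOW}},
    "/Finance": {"Operators": {"Manual Run": ALLOW},
                 "Contractors": {"Manual Run": DENY}},
    "/Finance/Payroll": {"alice": {"Edit": ALLOW}},
}
```

Because the walk stops at the first level that resolves, an explicit entry on the object is decided before any entry on a parent folder is consulted; least privilege only arbitrates between entries at the same level.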

Here are some rules for resolving permissions conflicts:

To view permissions for an individual object:

  1. From Server Management Console, navigate to and right-click the object.

  2. From the pop-up menu, select Go To -> Security. The Security page for that object is displayed.

  3. From the Available Group/User Name panel, select the user or group whose permissions you want to access and click Add or simply double-click the user/group. The user/group is then added to the Selected Group/User Name panel.

  4. Select the user or group from the Selected Group/User Name panel and for each permission level, specify whether that user/group should have access (Allow) or not have access (Deny) to the resource.

  5. Click OK to save.

To view permissions for a group of objects:

  1. From Server Management Console, navigate to and right-click the folder that contains the objects you want to work with (permissions will be set for all objects in that folder).

  2. From the pop-up menu, select Go To -> Security. The Security page for that folder is displayed.

  3. Double-click the Security icon. The Security page for that folder is displayed.

  4. From the Available Group/User Name panel, select the user or group whose permissions you want to access and click Add or simply double-click the user/group. The user/group is then added to the Selected Group/User Name panel.

  5. Select the user or group from the Selected Group/User Name panel and for each permission level, specify whether that user/group should have access (Allow) or not have access (Deny) to the resource.

  6. Click OK to save.

Permissions Levels

The kind of permissions that are allowed or denied may depend largely on the type of object. For example, permission to manually resume execution from the last error can be set only at the workflow level but not the task level, mainly because only workflows possess this functionality. Most permissions, however, are common to most object types. The following table lists the permission levels that are typically available for each object.

| Permission Level | Description | Workflow | Task | Condition | User | User Group | Agent | Agent Group | Folder |
|---|---|---|---|---|---|---|---|---|---|
| Full Control | Allow or deny full control on the object. | X | X | X | X | X | X | X | X |
| Create | Allow or deny creating the object. | X | X | X | X | X |  |  | X |
| Read | Allow or deny permission to view the object's properties. | X | X | X | X | X | X | X | X |
| Edit | Allow or deny permission to modify the object. | X | X | X | X | X | X | X | X |
| Delete | Allow or deny permission to delete the object. | X | X | X | X | X | X | X | X |
| Move | Allow or deny permission to move the object from its original folder to another folder. | X | X | X | X | X | X | X | X |
| Toggle Enable | Allow or deny permission to enable this object if it is currently disabled. | X | X | X | X | X | X | X | X |
| Manual Run | Allow or deny permission to manually run the object. | X | X |  |  |  |  |  |  |
| Stop | Allow or deny permission to manually stop the object when it is running. | X | X | X |  |  | X | X |  |
| Import | Allow or deny permission to import the object. | X | X | X |  |  |  |  | X |
| Export | Allow or deny permission to export the object. | X | X | X |  |  |  |  | X |
| Staging | Allow or deny staging for the object. | X | X | X |  |  | X | X |  |
| Assign in Workflows | Allow or deny permission to assign the object to a workflow. | X | X | X |  |  | X | X |  |
| Change Security | Allow or deny permission to modify the security (permissions) settings of the object. | X | X | X | X | X | X | X |  |
| Restore previous version | Allow or deny permission to restore a previous version of the object. | X | X | X |  |  |  |  |  |
| Manual resume from last error | Allow or deny the object to resume execution from where it last encountered an error. | X |  |  |  |  |  |  |  |
| Manual run from here | Allow or deny permission to manually run the object from the specified step or workflow location. | X |  |  |  |  |  |  |  |
| Toggle Lock | Allow or deny permission to lock an object. | X | X | X | X | X | X | X |  |

NOTE: If two or more sets of permissions conflict, the set of permissions with least privilege is followed.