The concept of User Groups is a means of providing access and security to objects and items encompassed in AutoMate BPA Server 7. Because items such as workflows, tasks, conditions, agents and users are securable objects, access to them is regulated by the User Group model that governs access to BPA Server 7 objects. This system is modeled after the Windows File Security system to provide familiarity for the user. The User Groups folder essentially allows for the creation and management of user groups. See Creating and Managing User Groups for more details.
The User Groups folder is located below the Users folder in the tree on the Users section of the SMC. The same procedures that can be performed in the Users branch (i.e. Add, Edit, New Folder, etc) is available in the User Groups branch. The editing dialog for a User Group displays the list of users assigned to the group, as well as the other users in the system. A User can be assigned to multiple User Groups.
There are two types of permissions that can be assigned to a User/User Group; Item Permission and System Permission.
For more on Item Permissions, see Item Permissions.
For more on System Permissions, see System Permissions.
When resolving a user permission on an item, the system will look to see if the user or a group the user belongs to has permissions for the item. If there is a conflict among the user/groups regarding the whether the permission is granted or denied, the permission with the least privilege is used. If no user/group can be resolved for the item, the system looks at the permissions on the folder containing the item. The same logic applies at this level. If no user/group can be resolved at this level, the folder’s parent folder is inspected, and on up the folder structure until either the permission is resolved or the root folder is reached. If the permission hasn’t been resolved once the root folder is evaluated, the permission is denied.
When resolving a system permission for an action a user is attempted to perform, the User and all the User Groups that it is assigned to is searched for a "Grant" on that permission. If a single Grant is found, the action is allowed to proceed.
A system User Group is created by default by BPA Server, and cannot be modified or deleted, but it can be added and removed from an item.
The Creator system group will only grant permissions to the User that created the item. This group is associated with all items by default, and granted all permissions.
Creating and Managing Users