The Users section of the SMC is a centralized user access system where administrators can create, remove and manage Users and User Groups. Users can authenticate either with a password maintained by BPA Server or against Windows/Active Directory. Created users and groups can be assigned specific roles, rights and views. For instance, certain users or groups can be set to have access to build, edit or delete workflows and tasks but not have access to manually execute them, while others can view and execute workflows and tasks but cannot edit or delete them. Any number of users or groups can be created, each with their own set of abilities.
The Users section contains two folders:
Users: The Users folder allows for the creation and management of users. See Creating and Managing Users for more details.
User Groups: The User Groups folder allows for the creation and management of user groups. See Creating and Managing User Groups for more details.
The concept of Users and User Groups is a means of providing access and security to objects and items encompassed in AutoMate BPA Server 7. Because items such as workflows, tasks, conditions, agents and users are securable objects, access to them can be regulated by the User or User Group that governs access to BPA Server 7 objects. This system is modeled after the Windows File Security system.
There are two types of permissions that can be assigned to a User/User Group: Item Permissions and System Permissions.
For more on Item Permissions, see Item Permissions.
For more on System Permissions, see System Permissions.
When resolving a user permission on an item, the system will look to see if the user or a group the user belongs to has permissions for the item. If there is a conflict among the user/group regarding whether the permission is granted or denied, the permission with the least privilege is used. If no user/group can be resolved for the item, the system looks at the permissions on the folder containing the item. The same logic applies at this level. If no user/group can be resolved at this level, the folder’s parent folder is inspected, and on up the folder structure until either the permission is resolved or the root folder is reached. If the permission hasn’t been resolved once the root folder is evaluated, the permission is denied.
When resolving a system permission for an action a user is attempting to perform, the User and all the User Groups that it is assigned to are searched for a "Grant" on that permission. If a single Grant is found, the action is allowed to proceed.
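The two resolution rules described above can be modeled in a few lines. This is an added example, not AutoMate BPA Server code: the data layout, the function names, the sample users and the "deploy" permission name are all assumptions, and "least privilege" is taken to mean that a deny beats a grant.

```python
# Added illustration; data layout and names are assumptions, not BPA Server's API.
GRANT, DENY = "grant", "deny"

def principals(user, groups):
    """The user plus every User Group the user belongs to."""
    return {user} | {g for g, members in groups.items() if user in members}

def resolve_item(user, perm, item, groups, acls, parent):
    """Resolve an item permission: item first, then each containing folder up to root."""
    who = principals(user, groups)
    node = item
    while node is not None:
        found = {acls.get(node, {}).get((p, perm)) for p in who} - {None}
        if found:
            # Conflict between user/groups: least privilege wins (assumed: deny beats grant).
            return DENY if DENY in found else GRANT
        node = parent.get(node)  # nothing resolved here, inspect the parent folder
    return DENY  # root evaluated without a match: denied

def resolve_system(user, perm, groups, system_grants):
    """A system permission needs a single Grant on the user or any of its groups."""
    return any((p, perm) in system_grants for p in principals(user, groups))

# Constructed sample data (hypothetical users, folders and permission names)
GROUPS = {"Developer": {"alice", "bob"}, "Auditors": {"bob"}}
PARENT = {"task1": "/Finance", "/Finance": "/", "/": None}
ACLS = {
    "/Finance": {("Developer", "edit"): GRANT, ("Auditors", "edit"): DENY,
                 ("Auditors", "run"): DENY},
    "task1": {("bob", "run"): GRANT},
}
SYSTEM_GRANTS = {("Developer", "deploy")}

if __name__ == "__main__":
    for user, perm in [("alice", "edit"), ("bob", "edit"), ("bob", "run"), ("carol", "edit")]:
        print(user, perm, resolve_item(user, perm, "task1", GROUPS, ACLS, PARENT))
    print("alice deploy", resolve_system("alice", "deploy", GROUPS, SYSTEM_GRANTS))
```

In this model, bob's "run" entry on task1 resolves at the item level, so the Auditors deny on the containing folder is never consulted; when reviewing access, check entries set directly on items as well as those on folders.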
The Role field currently on the User dialog is superseded by the introduction of User Groups, and will no longer appear on user interfaces or documentation. To migrate between these two systems when Users already exist, Developer, Manager, and Administrator User Groups will be created by default. These groups can be renamed or deleted at will.
To mimic the behavior of BPA prior to 7.0.8 while allowing the benefit of full customization BPA 7.0.8 offers, the following assignments will be made by default:
1. All users assigned the Developer role will be assigned to the Developer group.
2. All users assigned the Manager role will be assigned to the Developer and Manager groups.
3. All users assigned the Administrator role will be assigned to the Developer, Manager, and Administrator groups.
4. All workflows, tasks, conditions and the corresponding root folders will be associated with the Developer, Manager, and Administrator groups, with all permissions granted.
5. Agents and the corresponding root folder will be associated with the Administrator group, with all permissions granted.
6. Agent Groups and the corresponding root folder will be associated with the Administrator group, with all permissions granted.
7. Users and the corresponding root folder will be associated with the Administrator group, with all permissions granted.
8. User Groups and the corresponding root folder will be associated with the Administrator group, with all permissions granted.