Role-specific Access Rights
Granting Role-specific Access Rights
A user can only execute the process steps that are released for his role.
As soon as he switches to the next process step for which he no longer has authorization, the following warning appears:
For example, an applicant can complete the application form, but once he has sent the form for approval, he cannot see the approver's input in the next process step.
However, read and write permission of a role can be adjusted individually for each process step.
In an EPC, as soon as a role is attached to a function, the option Role Rights appears in the settings of the element Function:
Click on the gear wheel to open the editor. All roles attached to this function are displayed here, as well as the read and write permission for each role:
Click on the permission you want to edit and use the checkbox to enable or disable the read and write permission for each role:
If you disable both options, the role does not have any rights for the process step. When the EPC is executed, the role is handled as if it were not linked to the function.
It is possible to enable write permission while read permission is disabled. However, this combination is not practical, because a user cannot save without read permission.
Use Case
In ACME's Procurement Process, an employee must check and confirm his orders. But Irene Adler wants to give the Head of Accounting and the Head of Purchasing insight into the process step Confirming delivery so that they can make the corresponding bookings. However, the Head of Accounting and the Head of Purchasing should not be able to fill in the form Inspection of Delivery. They should only be able to view it.
The two roles should therefore only have read permission for this process step:
Both roles have already been attached to the process step Confirming delivery, so Irene Adler opens the Role Rights editor of this function:
In the Role Rights editor, all roles attached to the function are displayed:
employee
head_accounting
head_purchasing
Please note: In the Role Rights editor, the technical identifier of a role is displayed. It may differ from the label of the role element shown in the EPC model.
By default, read and write permission is granted to all attached roles.
Irene disables the write option for the roles head_accounting and head_purchasing. The two roles now have read-only access to the process step Confirming delivery.
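The following added example (not part of the product or its documentation) models the rules described on this page and reviews the role rights of one process step against least privilege. The RoleRight structure, the function names and the writers_expected parameter are assumptions made for illustration; the product's own storage or export format is not shown here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleRight:
    # Default per the page: attached roles get read and write permission.
    read: bool = True
    write: bool = True


def effective_access(right):
    """Classify what a role can actually do on a process step."""
    if right is None or (not right.read and not right.write):
        return "none"            # handled as if the role were not linked
    if right.write and not right.read:
        return "unusable-write"  # a user cannot save without read permission
    return "read-write" if right.write else "read-only"


def review(step_rights, writers_expected):
    """Return (role, finding) pairs for one step's role rights.

    step_rights: hypothetical mapping of technical role identifier -> RoleRight.
    writers_expected: roles that are supposed to fill in the form of this step.
    """
    findings = []
    for role, right in sorted(step_rights.items()):
        access = effective_access(right)
        if access == "unusable-write":
            findings.append((role, "write without read: user cannot save"))
        elif access == "none":
            findings.append((role, "no rights: treated as not linked to the function"))
        elif access == "read-write" and role not in writers_expected:
            findings.append((role, "write still enabled, read-only expected"))
    return findings


# Constructed sample: step "Confirming delivery" before and after Irene's change.
BEFORE = {"employee": RoleRight(), "head_accounting": RoleRight(),
          "head_purchasing": RoleRight()}
AFTER = {"employee": RoleRight(),
         "head_accounting": RoleRight(write=False),
         "head_purchasing": RoleRight(write=False)}

if __name__ == "__main__":
    for label, rights in (("before", BEFORE), ("after", AFTER)):
        print(label, review(rights, writers_expected={"employee"}))
```

With the defaults, both head roles are reported because they can still fill in the form; after the write option is disabled, the review returns no findings.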