bpm'online service enterprise
PDF

Users and permissions

You can grant permissions to access bpm’online data and functionality for individual users and user groups (referred to as “roles”).

Users

You need to create and license a user account for each bpm’online user. Each user record must be linked to a specific contact. Enterprise organizations with an extensive infrastructure of IT services can benefit from a number of features for centralized user management and authentication.

Synchronization with the LDAP catalog will automatically create bpm’online users with all necessary details from your LDAP directory, such as name, job title, communication options, addresses, roles, etc. In addition, users will be able to use their domain credentials to log in to bpm’online. You can learn more about how to set up LDAP synchronization in the “LDAP integration and user authentication in bpm’online” article.

Single Sign-On (SSO) technology enables using a single user account to log in to multiple services. Once a user authenticates in one of the services, they become authenticated in all services that use single sign-on. Learn more about SSO features in the “Single Sign-On in bpm’online” and “Single Sign-On setup” articles.

Roles

Configuring the structure of user roles (Fig. 1) is the important first step in bpm’online permission management. After this, you can easily set access permissions by assigning new users to the needed roles.

Fig. 1 Example of the role structure

chapter_user_access_management_org_and_functional_roles_hierarchy.png 

There are two types of user roles: organizational and functional. All users assigned to a role inherit the access permissions of that role. An actual access level of a bpm’online user is a combination of access permissions of all of the user’s roles.

Organizational roles represent the structure of access levels. You assign access permissions to organizational roles. Examples of organizational roles are different company branches (e.g., the head office and a regional office), as well as company departments, e.g., “System administrators”, “Sales”, “Administrative department”.

Functional roles are designed to represent the structure of your actual job titles. You assign permissions to functional roles by linking them with organizational roles. Examples of functional roles are usually “Sales manager”, “Office manager”, “Secretary”. For example, if you need to grant the same permissions to secretaries of different offices, set up access permissions for the “Secretaries” functional role.

Note

The data of bpm’online users, organizational and functional roles are stored in the “SysAdminUnit” database table.

Permission inheritance between organizational roles

Subordinate roles inherit all access permissions that have been set up for their parent role. As a result, in addition to any permissions that you assign individually for a user, the user will also obtain any permissions of their role, as well as any permissions inherited by that role from other roles.

For example, the “All employees” organizational role grants minimum access permissions necessary for any employee. If you add a user to any of its subordinate roles, e.g., “Sales department”, such user will inherit all permissions set up for both, the “Sales department” and “All employees” roles. Users with a role that is subordinate to the “Sales department” role will inherit the access permissions from that role, permissions from its parent “Sales department” role and permissions from the “All employees” role, which is a parent role for the “Sales department” role (Fig. 2).

Fig. 2 Example of inheriting parent roles by a user

chapter_user_access_management_inheriting_rights_from_parent_roles.png 

As a result, in addition to any permissions that you assign individually for a user, the user will also obtain any permissions of their role, as well as any permissions inherited by that role from other roles.

For any organizational role, you can assign a manager role. A manager role automatically obtains all permissions from all of its subordinate employees. The main defining feature of the manager role (Fig. 3) is that it automatically obtains all the permissions of the corresponding organizational role and its subordinate roles. For example, the “All employees” organizational role includes a “Head office’ subordinate role, which in its turn includes a “Sales department” subordinate role. If you assign a manager role to the “Head office” role, the managers of the head office will obtain all permissions granted to the “Head office” and “Sales department” roles.

Fig. 3 Example of a manager role for the “Sales department’ organizational role

chapter_user_access_management_management_role.png 

Each bpm’online configuration has a “System administrators” organizational role. By default, this role has maximum possible permissions and can create, read, update and delete any data.

A user can have several roles. For example, you can assign an employee the “Sales managers” and “Account managers” roles. Permissions for each of these roles may conflict with each other. In this case, you need to set up the permission priority. Read more about permission priorities in the “How to configure access to operations in section objects” article.

Types of access permissions

In bpm’online, you can grant access to business data (e.g., to the [Accounts] section records or dashboards), as well as to the bpm’online functions, such as the ability to export records to Excel, design business processes, configure sections, etc.

Access to business data grants permission to perform CRUD (creating, reading, updating and deleting) operations with data. To provide access to business data, you need to configure access permissions to corresponding bpm’online objects. Bpm’online objects are roughly equivalent to database tables and correspond to sections, details, lookups, etc.

You can manage access to business data on several levels:

  • Ability to perform CRUD operations with any data in an object. Learn more about setting up access to object data in the “Managing object operation permissions” article.

  • Ability to view, edit or delete separate records. Learn more about record permissions in the “Managing record permissions” article.

  • Ability to view, edit or delete values in separate object columns. Learn more about column permissions in the “Managing column permissions” article.

Access to functions can be granted through system operations. System operation permissions (access to bpm’online functions) should not be confused with object operation permissions (which imply access to CRUD operations in objects). System operations enable you to manage access to a broad list of bpm’online functions, including user registration, configuring workplaces, managing lookups, system configuration, etc.

Note

A user (as a rule, it is the system administrator) who has access to the “View any data”, “Add any data”, “Edit any data” and “Delete any data” system operations, can create, read, update or delete data in any object, regardless of settings in the [Object permissions] section.

Learn more about system operations in the “System operation permissions” article.

User activity logging and audit

Native tools for logging user activities in bpm’online include Audit log and Change log.

Audit log automatically registers all events related to a modification of user roles, distribution of access permissions, changes in the values of system settings and users' authorization in the system. You can learn more about using the audit log in the “Audit log” article.

Change log enables tracking the history of changes in the database tables of bpm’online. You can set up a list of objects that will be used for tracking changes in the change log. Learn more about using the log in the “Change log” article.

See also

Object permissions

Managing object operation permissions

Managing record permissions

Managing column permissions

Inherited access permissions

Selecting an object to set up access permissions

 

Did you find this information useful?

How can we improve it?