Declarative Security

Declarative security is applied when Reporting is used in the Rapid Application Development environment. In a standalone deployment, no declarative security is provided.

To enable declarative security, make sure the property QueryService.Guarded in your carnot.properties file is set to true (the default value).

QueryService.Guarded = true

In the Stardust modeler, add the corresponding security settings in the property pages of the elements you want to apply the security to. Refer to the chapter Authorization of the Modeling Guide for detailed information on adding declarative security to model elements.

Evaluate Declarative Security Grants

Declarative security is applied by checking whether the logged-in user has the following permissions for the reporting views:

Runtime View                            Permission
Process Instances View                  Read Process Instance Data
Process Instance State View             Read Process Instance Data
Activity Instances View                 Read Activity Instance Data, Read Process Instance Data
Activity Instances State Change View    Read Activity Instance Data, Read Process Instance Data
Process Data Values View                Read Data Values, Read Process Instance Data
Process Pathes View                     Obtain Model Data
User Worklists View                     Obtain Model Data
Organization Worklists View             Obtain Model Data, Read Activity Instance Data, Read Process Instance Data
Log Entries View                        Obtain Audit-Trail-Statistics
Transitions View                        Obtain Model Data
Data Value View                         Read Data Values
Quality Assurance View                  Read Activity Instance Data
Quality Assurance Codes View            Read Activity Instance Data

For each declarative security permission, scoped and unscoped roles or organizations can be chosen. When a report is evaluated, all process instances, activity instances and data that are out of scope are not displayed.

For example, a user, with grant on a specific department, who wants to run a report and see all process instances fulfilling specific parameter settings, sees:

Activity Instances View and Activity Instances State Change View

For the Activity Instances View and the Activity Instances State Change View, the grants for Read Activity Instance Data and Read Process Instance Data are checked. If a user has a grant only for Read Process Instance Data, this automatically also applies to the activity instances. For example, if a user is not allowed to read process instance data, then he is automatically also not allowed to read activity instance data.

Process Data Values View

For the Process Data Values View, the grants for Read Data Values and Read Process Instance Data are checked. If a user has a grant only for Read Process Instance Data, this automatically also applies to the activity instances. For example, if a user is not allowed to read process instance data, then he is automatically also not allowed to read data values.

Organization Worklists View

For the Organization Worklists View, the grants for Obtain Model Data, Read Activity Instance Data and Read Process Instance Data are checked. If a user has no grant for Obtain Model Data, this automatically also applies to the activity instances. Likewise, if reading model data and reading activity instance data are allowed, but reading process data is not, the Organization Worklists View is not displayed.

Transitions View

Declarative security in the Transitions View works in the following way:
First, the process definition (containing the declarative security Obtain Model Data) of the transition is searched for in the active model. If it cannot be found, it is searched for in the previously deployed models.

Data Value View

Declarative security in the Data Value View works in the following way:
Only data for which the logged-in user has the grant Read Data Values in the active model is displayed.

Example

An example model has two data elements, RestrictedAuthorizationData and SecurityAllData. For RestrictedAuthorizationData, the permission Read Data Values is set only to Administrator. SecurityAllData has this permission set to All by default. When you log in to the Stardust Portal as Administrator and upload an example report created from the model to the My Reports Design section in the Business Control Center perspective, data values for both data elements are displayed in the Data Value View, e.g.:

Figure: Data Values displayed to Administrator.

In contrast, when you log in as a user without the Administrator role, only data values for SecurityAllData are displayed, e.g.:

Figure: Data Values displayed to user without Administrator role.
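
The grant evaluation described on this page can be modelled for access reviews as follows. This is an added Python sketch, not Stardust code or API: the function names, the "Clerk" role and the sample data are hypothetical, it assumes a view is shown only when every permission listed for it in the table is granted, and it does not model scoped (department) grants.

```python
# Added illustration: models the grant checks described on this page.
# Not Stardust code; all function and variable names are hypothetical.

# Permissions required per reporting view, copied from the table above.
VIEW_PERMISSIONS = {
    "Process Instances View": {"Read Process Instance Data"},
    "Process Instance State View": {"Read Process Instance Data"},
    "Activity Instances View": {"Read Activity Instance Data", "Read Process Instance Data"},
    "Activity Instances State Change View": {"Read Activity Instance Data", "Read Process Instance Data"},
    "Process Data Values View": {"Read Data Values", "Read Process Instance Data"},
    "Process Pathes View": {"Obtain Model Data"},
    "User Worklists View": {"Obtain Model Data"},
    "Organization Worklists View": {"Obtain Model Data", "Read Activity Instance Data",
                                    "Read Process Instance Data"},
    "Log Entries View": {"Obtain Audit-Trail-Statistics"},
    "Transitions View": {"Obtain Model Data"},
    "Data Value View": {"Read Data Values"},
    "Quality Assurance View": {"Read Activity Instance Data"},
    "Quality Assurance Codes View": {"Read Activity Instance Data"},
}

ALL = "All"  # default participant of a data element's permission, as in the example


def visible_views(grants):
    """Views for which the user holds every required permission (assumed AND semantics)."""
    held = set(grants)
    return sorted(view for view, needed in VIEW_PERMISSIONS.items() if needed <= held)


def missing_permissions(view, grants):
    """Permissions that keep a view hidden for this user; empty if the view is shown."""
    return sorted(VIEW_PERMISSIONS[view] - set(grants))


def visible_data(model_data, user_roles):
    """Data Value View filter: keep data whose Read Data Values grant covers the user."""
    roles = set(user_roles)
    return sorted(name for name, allowed in model_data.items()
                  if ALL in allowed or roles & set(allowed))


# Constructed sample mirroring the example model: data name -> participants
# holding Read Data Values on that data element.
EXAMPLE_MODEL_DATA = {
    "RestrictedAuthorizationData": {"Administrator"},
    "SecurityAllData": {ALL},
}
```

Running `missing_permissions` for each role in a model review shows which single grant would expose an additional reporting view before that grant is added.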