Declarative security is applied in case Reporting is used in the Rapid Application Development environment. If using standalone deployment, no declarative security is provided.
To enable declarative security, make sure the property QueryService.Guarded in your carnot.properties file is to true (default value).
QueryService.Guarded = true
In the Stardust modeler, add the according security settings in the property pages of the elements you want to apply the security to. Please refer to the chapter Authorization of the Modeling Guide for detailed information on adding declarative security to model elements.
Declarative Security is applied by checking if the logged-in user has the following permissions for the reporting views:
|Process Instances View||Read Process Instance Data|
|Process Instance State View||Read Process Instance Data|
|Activity Instances View||Read Activity Instance Data, Read Process Instance Data|
|Activity Instances State Change View||Read Activity Instance Data, Read Process Instance Data|
|Process Data Values View||Read Data Values, Read Process Instance Data|
|Process Pathes View||Obtain Model Data|
|User Worklists View||Obtain Model Data|
|Organization Worklists View||Obtain Model Data, Read Activity Instance Data, Read Process Instance Data|
|Log Entries View||Obtain Audit-Trail-Statistics|
|Transitions View||Obtain Model Data|
|Data Value View||Read Data Values|
|Quality Assurance View||Read Activity Instance Data|
|Quality Assurance Codes View||Read Activity Instance Data|
For each declarative security, scoped and unscoped roles or organizations can be chosen. In case a report gets evaluated, all process instances, activity instances and data out of scope are not displayed.
For example, a user, with grant on a specific department, who wants to run a report and see all process instances fulfilling specific parameter settings, sees:
For the Activity Instances View and the Activity Instances State Change View, the grants for Read Activity Instance Data and Read Process Instance Data are checked. If a user has a grant only for Read Process Instance Data, this applies automatically also to the activity instances. For example, if a user is not allowed to read process instance data then he is automatically also not allowed to read activity instance data.
For the Process Data Values View, the grants for Read Data Values and Read Process Instance Data are checked. If a user has a grant only for Read Process Instance Data, this applies automatically also to the activity instances. For example, if a user is not allowed to read process instance data then he is automatically also not allowed to read data values.
For the Organization Worklists View, the grants for Obtain Model Data, Read Activity Instance Data and Read Process Instance Data are checked. If a user has no grant for Obtain Model Data, this applies automatically also to the activity instances. Also if reading model data, and reading activity instance data is allowed, but not reading process data, the Organization Worklists View is not displayed.
Declarative Security in Transitions View works
in the following way:
First the process definition (containing the declarative security Obtain Model Data) of the transition is searched in the active model. If it cannot be found, it will be searched in the previous deployed models.
Declarative Security in the Data Value View works
in the following way:
only data is displayed, the logged-in user has the grant Read Data Values for in the active model.
An example model has two data, RestrictedAuthorizationData and SecurityAllData. In the data RestrictedAuthorizationData, the permission Read Data Value is set only to Administrator. Data SecurityAllData has this permission set to All per default. When logging into the Stardust Portal as Administrator and uploading an example report created from the model to the My Reports Design section in the Business Control Center perspective, data values for both data are displayed in the Data Value View, e.g.:
Figure: Data Values displayed to Administrator.
Whereas, in case logging in with a user without Administrator role, only data values for the SecurityAllData is displayed, e.g.:
Figure: Data Values displayed to user without Administrator role.