How to manage access permissions
During a business process execution, various actions are performed with bpm’online records. These actions can be fully automatic (system actions) or they can be performed with some form of input from users (user actions).
When executing user actions as part of a business process, the access permissions of the corresponding user still apply. For instance, a business process is supposed to open a record page for a user that has no permission to view and edit the corresponding record. In this case, the user will not be able to complete this process action and consequently – advance or even complete the business process.
This must be taken into account when designing business processes. Usually, a user task requires 2 changes in access permissions:
-
Before executing the user action, corresponding access permissions must be granted to the corresponding user.
-
After the user action is complete, the changes in access permissions must be reverted to restore the permissions that the user had initially.
Use the [Change access rights] element to grant or deny access permissions automatically, as part of business process flow. The element sets specified permissions for specific records for the specified users. Read more >>>
Example
Whenever an account owner changes, the new owner employee must be granted access to view and edit the account record, while other employees must have only permission to view this account.
Add the [Change access rights] on the process diagram (Fig. 1) and set up its properties (Fig. 2).
1.In the [Which object to apply access rights to?] field, select "Account".
2.In the [Apply access rights to all records that match conditions], set up a filter to select the needed records. For instance, to select the account that triggered the object signal that initiates the process, set up a filter by the [Id] column: “Id = Account owner modified.Unique identifier of record”. To do this:
a.In the filter area, click <Add condition> and select the [Id] column.
b.In the opened context menu, select [Compare with parameter].
c.In the opened parameter value window, select the [Account owner modified] element and its parameter [Unique identifier of record].
3.In the [Which access rights to remove?] area, click [+] and add users and roles whose access rights to the selected records must be removed. For instance, to limit access rights to all other users, except for the record owner:
a.Select [For all roles and users] in the menu.
b.Select checkboxes for permissions that must be revoked. To leave only permission to view the records, select (edit) and (delete) checkboxes.
4.In the [Which access rights to add?] area, click [+] and specify who should be granted the new permissions. For instance, to grant full access to the record for its new owner:
a.Select [For an employee] from the menu.
b.In the field that appears afterwards, specify the employee contact who will be granted the permissions. You can select an employee contact from the [Contacts] lookup, or map this field to a process or element parameter that already contains the needed contact record.
You can obtain the employee who was set as the new owner of an account record by reading the data in the [Owner] column of the corresponding account record. To do this, click the button in the [Employee] field and select [Process parameter] from the menu.
In the opened parameter value window, on the [Process elements] tab, select the [Read account data] element and its [Owner] parameter. Click “Select” to save the entered value.
Select operations to grant permissions for. To permit a user to view and edit the records, select the (read) and (edit) checkboxes.
5.If necessary, click and select [Permit with right to delegate] from the menu, so that the user could grant same permissions for the record to other users (Fig. 3).
Note
To use parameters of other elements, make sure that you properly add and set up them in your business process. More information about using process parameters can be found in the “Process parameters” article.
As a result, the process will run whenever an owner of an account record is changed. All users, except for the owner, will be denied permission to edit and delete the record, while the owner user will be granted permissions to view and edit the record.
Next