Business process setup guide (BPMS)
PDF
This documentation is valid for Creatio version 7.15.0. We recommend using the newest version of Creatio documentation.

How to manage access permissions with business processes

During a business process execution, various actions are performed with Creatio records. These actions can be fully automatic (system actions) or they can be performed with some form of input from users (user actions).

When executing user actions as part of a business process, the access permissions of the corresponding user still apply. For instance, a business process is supposed to open a record page for a user that has no permission to view and edit the corresponding record. In this case, the user will not be able to complete this process action and consequently – advance or even complete the business process.

This must be taken into account when designing business processes. Usually, a user task requires 2 changes in access permissions:

  • Before executing the user action, corresponding access permissions must be granted to the corresponding user.

  • After the user action is complete, the changes in access permissions must be reverted to restore the permissions that the user had initially.

Use the [Change access rights] element to grant or deny access permissions automatically, as part of business process flow. The element sets specified permissions for specific records for the specified users. Read more >>>

Example

Whenever an account owner changes, the new owner employee must be granted access to view and edit the account record, while other employees must have only permission to view this account.

Add the [Change access rights] on the process diagram (Fig. 1) and set up its properties (Fig. 2).

Fig. 1 Business process for changing access permissions for a new account owner

scr_chapter_process_designer_change_access_process_scheme.png 

Fig. 2 The [Change access rights] element setup area

scr_chapter_process_designer_change_access.png 

1.In the [Which object to apply access rights to?] field, select "Account".

2.In the [Apply access rights to all records that match conditions] area, set up a filter to select the needed records. For instance, to select the account that triggered the object signal that initiates the process, set up a filter by the [Id] column: “Id = Account owner modified.Unique identifier of record”. To do this:

a.In the filter area, click <Add condition> and select the [Id] column.

b.In the opened context menu, select [Compare with parameter].

c.In the opened parameter value window, select the [Account owner modified] element and its parameter [Unique identifier of record].

3.In the [Which access rights to remove?] area, click [+] and add users and roles whose access rights to the selected records must be removed. For instance, to limit access rights to all other users, except for the record owner:

a.Select [For all roles and users] in the menu.

b.Select checkboxes for permissions that must be revoked. To leave only permission to view the records, select icn_chapter_process_designer_edit_access.png (edit) and icn_chapter_process_designer_delete_access.png (delete) checkboxes.

4.In the [Which access rights to add?] area, click [+] and specify who should be granted the new permissions. For instance, to grant full access to the record for its new owner:

a.Select [For an employee] from the menu.

b.In the field that appears afterwards, specify the employee contact who will be granted the permissions. You can select an employee contact from the [Contacts] lookup, or map this field to a process or element parameter that already contains the needed contact record.

You can obtain the employee who was set as the new owner of an account record by reading the data in the [Owner] column of the corresponding account record. To do this, click the btn_process_element_settings_lookup00021.png button in the [Employee] field and select [Process parameter] from the menu.

In the opened parameter value window, on the [Process elements] tab, select the [Read account data] element and its [Owner] parameter. Click “Select” to save the entered value.

Select operations to grant permissions for. To permit a user to view and edit the records, select the icn_chapter_process_designer_read_access.png (read) and icn_chapter_process_designer_edit_access00022.png (edit) checkboxes.

5.If necessary, click scr_chapter_process_designer_give_access_icon.png and select [Permit with right to delegate] from the menu, so that the user could grant same permissions for the record to other users (Fig. 3).

Fig. 3 Granting permission with right to delegate

scr_chapter_process_designer_change_access_level.png 

Note

To use parameters of other elements, make sure that you properly add and set up them in your business process. More information about using process parameters can be found in the “Process parameters” article.

As a result, the process will run whenever an owner of an account record is changed. All users, except for the owner, will be denied permission to edit and delete the record, while the owner user will be granted permissions to view and edit the record.

Next

[Change access rights] process element

Did you find this information useful?

How can we improve it?