Help

Process Definition and Access Control

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
sonalik
Member II
‎14 Apr 2017 7:02 AM

Process Definition and Access Control

Hi Team,

I have a query regarding process definition and access control.

Consider a scenario: I have created a user="admin" and role="admin_custom". Using this admin user i have created a new process definition and deployed the same. By default this process definition is accessible to all users. For example when i login using gonzo/gonzo i can see this process even if the access role is different and can simply start the process.

So the question is, how can we set access control at process definition level so that it can be deployed/started my specific set of users only?

Looking forward for your support. Thanks in advance.

--Sonali

0 Kudos
Reply
1 Reply
jearles
Established Member II
‎14 Apr 2017 6:40 PM

Re: Process Definition and Access Control

Sonali,

There are several possibilities in order to achieve this, which I'll call "Multi-tenancy" henceforth. Check out this blog post by Joram Borraz, which highlights a couple of potential methods to partition data by tenants - which, if you treat the tenant structure like a 'roles' structure, then you can partition the data in very similar ways with little to know additional customization overhead.

However, if these options don't fit your desires:


Note: When you see 'tenant', feel free to substitute whatever phrasing you'd prefer, perhaps "role".

To get this functionality you're going to need to modify the existing DB structure and the corresponding object structures that are used to maintain the communication with the database. You could create a user_tenant_mapping table that would check that a user is tied to the data being pulled from the database, or just add a tenant_id column to the act_id_users/act_id_groups table. Both of those have their own difficulties, but could function to do the job you're looking for. You could also extract out the tenant information into its own table and correlate the IDs to the data and the users.

The difficult thing here is that Activiti Community doesn't support any OOTB methods to enforce multi-tenancy rules; it just provides the ability to 'partition' data into different tenants, but the ability to implement privacy if necessary is on the developer.

Hope this helps,
-JEarles

0 Kudos
Reply
Alfresco Process Services Forum

Ask for and offer help to other Alfresco Process Services and Activiti Users and members of the Alfresco team.

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.