IBM BPM, V8.0.1, All platforms
Restricting access to actions on BPDs and tasks
Both the IBM BPM APIs and users of client applications, such as Process Portal, can act on BPDs and tasks. To restrict access to particular actions, an administrator can edit the default configuration settings.
The 99Local.xml configuration file includes settings that enable you to restrict access to certain actions on BPDs and tasks, such as allowing only certain security groups to change the due dates of process instances and tasks. The <default-action-policy> section of this file includes the settings for restricting the access to actions.
When changing IBM BPM configuration settings, do not change the default settings in each individual configuration file. Instead, add the section of the configuration file that you want to change to the 100Custom.xml file. IBM BPM merges the changes that you make in the 100Custom.xml file with the original configuration, overwriting the defaults. By including your configuration updates in a single file (100Custom.xml), you ensure that you can retain these settings when you upgrade IBM BPM.
The following steps describe how to make this configuration change in the 100Custom.xml file.
- Stop the dmgr, Process Server, and Process Center server if they are running.
- Open the 99Local.xml and 100Custom.xml files in a text editor.
- Copy the portal default action policy section from 99Local.xml to 100Custom.xml.
- For each action that you want to restrict access to, set the value of the <role> element to the appropriate group name as shown in the following example.
The group that you specify must be an IBM BPM security group.
    <portal>
      <default-action-policy>
        <action type="ACTION_REASSIGN_TASK_USER_ROLE" merge="replace">
          <role>project_managers</role>
        </action>
      </default-action-policy>
    </portal>
- Save your changes.
- Start IBM Process Server or Process Center Server.
The following table lists the functions to which you can restrict access. In addition, some functions are restricted to the tw_admins group by default.
Actions on BPDs and tasks that can be restricted

| Function | Description | Default security group |
| --- | --- | --- |
| ACTION_ABORT_INSTANCE | Permanently terminate a process instance. | tw_admins |
| ACTION_SUSPEND_INSTANCE | Temporarily deactivate a process instance. | tw_admins |
| ACTION_RESUME_INSTANCE | Resume a suspended process instance. | tw_admins |
| ACTION_ADD_COMMENT | Add comments to a process instance. | None; available to all users by default |
| ACTION_ADD_HELP_REQUEST | Request help from other process participants on a process instance or its related tasks. | None; available to all users by default |
| ACTION_RESPOND_HELP_REQUEST | Respond to help requests from other process participants. | None; available to all users by default |
| ACTION_ASSIGN_TASK | Assign a task to yourself so that only you can run the task. | None; available to all users by default |
| ACTION_ASSIGN_AND_RUN_TASK | Run a task that is currently assigned to a group of which you are a member. The task is automatically assigned to you. | None; available to all users by default |
| ACTION_REASSIGN_TASK | Assign a task to the group to which the task was previously assigned. | None; available to all users by default |
| ACTION_REASSIGN_TASK_USER_ROLE | Assign a task to a different user or a group. | None; available to all users by default |
| ACTION_CHANGE_TASK_DUEDATE | Change the due date of a task. | tw_admins |
| ACTION_CHANGE_INSTANCE_DUEDATE | Change the due date of a process instance. | tw_admins |
| ACTION_CHANGE_TASK_PRIORITY | Change the priority of a task as needed to escalate or de-escalate the task. | tw_admins |
| ACTION_MOVE_TOKEN | Advance the execution of a process instance to the next step in the business process definition. | tw_admins |
| ACTION_INJECT_TOKEN | Initiate ad hoc events. | tw_admins |
| ACTION_DELETE_TOKEN | Delete ad hoc events. | tw_admins |
| ACTION_VIEW_PROCESS_DIAGRAM | View a process diagram and see the currently executing step for each process instance. | tw_admins |
| ACTION_VIEW_PROCESS_AUDIT | View historical data about process variables. | tw_admins |
| ACTION_CHANGE_CRITICAL_PATH | Use the critical path management tool to change the due date for a process instance, and adjust the due dates of activities and tasks in a process instance. | tw_process_owners |
| ACTION_ADD_DOCUMENT | Add a document to a process instance. | None; available to all users by default |
| ACTION_UPDATE_DOCUMENT | Update a document that belongs to a process instance. | None; available to all users by default |
| ACTION_DELETE_DOCUMENT | Delete a document from a process instance. | None; available to all users by default |
| ACTION_DELETE_INSTANCE | Delete a process instance. | tw_admins |
| ACTION_FIRE_TIMER | Manually fire a timer. | tw_admins |
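A check you could run on the edited 100Custom.xml before restarting the servers, as an added example that is not part of the IBM documentation: it applies the `<default-action-policy>` overrides over the defaults in the table above and reports misspelled action names, actions moved out of tw_admins, and actions still open to all users. The function names, the `all_staff` group and all sample entries except the `project_managers` one are constructed for illustration, and the script assumes that an override simply replaces the default group.

```python
import xml.etree.ElementTree as ET

# Default groups transcribed from the table on this page (None = all users).
_ADMIN = """ABORT_INSTANCE SUSPEND_INSTANCE RESUME_INSTANCE CHANGE_TASK_DUEDATE
CHANGE_INSTANCE_DUEDATE CHANGE_TASK_PRIORITY MOVE_TOKEN INJECT_TOKEN DELETE_TOKEN
VIEW_PROCESS_DIAGRAM VIEW_PROCESS_AUDIT DELETE_INSTANCE FIRE_TIMER""".split()
_OPEN = """ADD_COMMENT ADD_HELP_REQUEST RESPOND_HELP_REQUEST ASSIGN_TASK
ASSIGN_AND_RUN_TASK REASSIGN_TASK REASSIGN_TASK_USER_ROLE ADD_DOCUMENT
UPDATE_DOCUMENT DELETE_DOCUMENT""".split()
DEFAULTS = {f"ACTION_{a}": "tw_admins" for a in _ADMIN}
DEFAULTS.update({f"ACTION_{a}": None for a in _OPEN})
DEFAULTS["ACTION_CHANGE_CRITICAL_PATH"] = "tw_process_owners"

def audit_policy(xml_text):
    """Return (effective action->group map, findings) for the overrides in xml_text."""
    effective, findings = dict(DEFAULTS), []
    # iter() finds the section whatever elements wrap it in the real file.
    for policy in ET.fromstring(xml_text).iter("default-action-policy"):
        for action in policy.findall("action"):
            name = action.get("type")
            role = (action.findtext("role") or "").strip()
            if name not in DEFAULTS:
                findings.append((name, "unknown action type"))
            elif not role:
                findings.append((name, "no group in <role>"))
            else:
                if DEFAULTS[name] == "tw_admins" and role != "tw_admins":
                    findings.append((name, f"moved from tw_admins to {role}"))
                effective[name] = role  # assumption: override replaces the default
    return effective, findings

def unrestricted(effective):
    """Actions that any user can still perform after the overrides."""
    return sorted(a for a, group in effective.items() if group is None)

# Constructed sample: the first entry is the page's example, the rest are made up.
SAMPLE = """<portal><default-action-policy>
  <action type="ACTION_REASSIGN_TASK_USER_ROLE" merge="replace"><role>project_managers</role></action>
  <action type="ACTION_ABORT_INSTANCE" merge="replace"><role>all_staff</role></action>
  <action type="ACTION_REASIGN_TASK" merge="replace"><role>project_managers</role></action>
</default-action-policy></portal>"""

if __name__ == "__main__":
    effective, findings = audit_policy(SAMPLE)
    for name, problem in findings:
        print(f"REVIEW {name}: {problem}")
    print("Still open to all users:", ", ".join(unrestricted(effective)))
```

The script cannot tell whether a name in `<role>` is an existing IBM BPM security group, so that still has to be confirmed separately.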
Related concepts:
The 99Local.xml and 100Custom.xml configuration files