Authorization of documents and folders in a process

You can assign various authorization levels to process documents and folders, depending on the user role for the process instance.

Authorization levels on ECM folders and documents

When you start a process, a folder structure is determined by the settings in the Folders tab. IBM® Business Process Manager grants different levels of authorization to users to access documents and folders. It also grants references to documents and folders in external Enterprise Content Management (ECM) systems. These levels of authorization depend on the role that the current user is assigned for the specific process instance.

The following table shows the user authorization on the IBM BPM managed folders and the references to external ECM system documents and folders, which are in the managed folders. It also shows the operations that an authorized user may perform on the folders and documents. Privileged users are system administrators and members of the Process Portal administration team, as defined in the process application settings of the started process.

In this table, privileged users are members of the process instance owner team that is specified for the process and other process participants are users who may view the process instance, for example to work on a task within the instance.

Table 1. User authorization on ECM folders and documents
Operation or privilege Object creator Privileged users Other process participants Any other user
Add children Not applicable Yes Yes No
View Yes Yes Yes No
Update Yes Yes No No
Remove Yes Yes No No
Examples of user authorization
  • A privileged user may modify and remove content that other users added.
  • A privileged user may not modify the content that was created when the process started. That initial and unchanging content is based on the process definition information, which is on the Folders tab.
  • A non-privileged user who works on a process instance may see the content of the process instance. This user may add references to more documents or folders from the external ECM systems only if you specifically allowed users to add references to more documents or folders. You authorize users to add these references by selecting the corresponding options in the Folders tab. These users may modify and remove the content that they added, but not the content that others added.
  • A non-privileged user who does not work on a process instance is not allowed to see its content.
  • A non-privileged user who may not see a document or folder in the external ECM system cannot see that document or folder in the context of the process.

When a process instance finishes, the system restricts further Create, Update, and Delete operations on the content if the Allow content operations after completion option in the Overview section of the process definition is not selected. IBM BPM has no control over the referenced content. For example, a referenced document might be deleted although it is referenced by a finished process instance. The document then automatically disappears from the process instance.

A process that uses an IBM BPM managed store folder contains references to documents and folders from external ECM systems. These external ECM systems define their own access control lists for the referenced items. When you use Document Explorer or the Get children content integration step, the external ECM system defines the actions that you may perform on an item.

Sometimes, authorization is affected by other sources.
  • The values of properties in the ECMAllowableActions business object, canGetFolderParent and removeObjectFromFolder, are controlled by IBM BPM based on the rules in Table 1. Authorizations are affected in this context because then the folder is an IBM BPM managed store folder.
  • The canRenameReference property value specifies whether the current user is allowed to rename the reference.

Authorizing process instances of IBM BPM authored document types used in a process

If you have the Basic Case Management feature installed, you can use Process Designer to define your own document types. These document types are available in the IBM BPM content store.

You can add those documents to an IBM BPM managed store folder by selecting Add document to folder and by using the ECMServerNames.IBM_BPM_ContentStore constant as input for the Document server name input parameter. As part of the operation, IBM BPM replaces the security of the document so that privileged users and users who may work on a task in the process instance may see and update the document.

If you add the same document to another process, the document gets the replaced permissions.

Nothing differentiates a process instance in native mode, which uses the IBM BPM managed store, from the IBM ECM Exploitation mode. The users who are authorized to access document are replaced with users from the process where the document was last added.

Programmatically determining which children may be added to an IBM BPM managed store folder

In the Folders tab of a process, you define which types of children can be added to the root folder. Depending on the settings, IBM BPM sets the value of the cmis:allowedChildObjectTypeIds property of the ECMFolder object. That object is returned by a Get folder Content Integration operation.
  • If Allow external folder references is selected, the list contains cmis:folder.
  • If Allow external document references is selected, the list contains cmis:document.
Parent topic: Outbound interactions with Enterprise Content Management systems
Related information:
Data mapping in Enterprise Content Management operations
Management of folders and documents for ECM systems