Retrieving personal data of BPM users

This topic applies only to Business Automation Workflow (BAW). Last updated on 2025-01-20 10:38
To comply with the General Data Protection Regulation (GDPR) requirement that EU data subjects have the right to learn what personal data an organization stores about them, users who are assigned to the action policy roles ACTION_VIEW_USER_PERSONAL_DATA or ACTION_DELETE_USER_PERSONAL_DATA can use REST API calls to retrieve the personal data that is associated with a specific BPM user. By default, BPM administrators are assigned to these roles. Because the response discloses the user's email address and group memberships, restrict these roles to the staff who handle data-subject requests. For information about how to modify the action policies that are contained in the BPMActionPolicy configuration object, see Configuration properties for action policies.
Calling the BPM operations REST API GET https://host:port/ops/std/bpm/users/user_id/personal_data, where user_id is the ID of the user, returns a JSON object that contains the following personal information about that user:
  • User ID
  • User name
  • Full name
  • Is deactivated
  • User attributes, including the user's email address
  • Group memberships
  • A link to a REST API to retrieve the user's avatar image
  • Online status
  • Online server ID
  • Task measurement data

For more information about the personal data operations API, see Workflow REST API programming.

Important: The get personal data API must be called with an HTTP header that contains a valid BPMCSRFToken, which is obtained as described in Preventing cross site request forgery.
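The following script is an added example that is not part of this topic or of IBM's product code. It shows how to call the GET personal data operation described above with the required BPMCSRFToken header over HTTPS, how to handle the 403 a caller gets without the role or a valid token, and how to list the fields that come back so they can be checked against the categories listed above. Only the URL of the personal data operation is taken from this topic; the token endpoint in get_csrf_token, the host names, the credentials and the key names in SAMPLE_RESPONSE are assumptions and must be verified against your release and the Preventing cross site request forgery topic.

```python
"""Added example (not IBM's code): fetch a BPM user's personal data through the BAW
operations REST API with the required BPMCSRFToken header and inventory the fields.
Only GET .../ops/std/bpm/users/{user_id}/personal_data comes from the topic; the
token endpoint and the sample JSON keys below are assumptions."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def personal_data_url(base_url, user_id):
    """Build the GET URL for the personal data operation.
    HTTPS is enforced because the request carries credentials and a CSRF token,
    and user_id is percent-encoded so a value such as 'a/../admin' cannot alter
    the requested path."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("base_url must use https://")
    encoded = urllib.parse.quote(user_id, safe="")
    return f"{base_url.rstrip('/')}/ops/std/bpm/users/{encoded}/personal_data"


def basic_auth_header(username, password):
    """HTTP Basic credentials of the caller, who must hold
    ACTION_VIEW_USER_PERSONAL_DATA (BPM administrators hold it by default)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def request_headers(csrf_token, username, password):
    """Headers for the call; the BPMCSRFToken header is mandatory."""
    return {
        "BPMCSRFToken": csrf_token,
        "Authorization": basic_auth_header(username, password),
        "Accept": "application/json",
    }


def get_csrf_token(base_url, username, password, lifetime_seconds=7200, cafile=None):
    """Obtain a BPMCSRFToken.
    ASSUMPTION: the /ops/system/login endpoint and JSON body used here are taken
    from the separate CSRF topic, not from this page; verify them for your release."""
    body = json.dumps({"refresh_groups": True,
                       "requested_lifetime": lifetime_seconds}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/ops/system/login", data=body, method="POST",
        headers={"Authorization": basic_auth_header(username, password),
                 "Content-Type": "application/json", "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checking stays on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["csrf_token"]


def fetch_personal_data(base_url, user_id, csrf_token, username, password, cafile=None):
    """GET the personal data JSON object for user_id."""
    req = urllib.request.Request(personal_data_url(base_url, user_id),
                                 headers=request_headers(csrf_token, username, password),
                                 method="GET")
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 403:
            # Typically the caller lacks the action policy role or the token is missing/expired.
            raise PermissionError("403 from personal_data: check ACTION_VIEW_USER_PERSONAL_DATA "
                                  "membership and the BPMCSRFToken header") from err
        raise


def flatten_keys(obj, prefix=""):
    """Sorted dotted paths of every leaf value in a JSON object, so the response can
    be compared with the documented categories without hard-coding key names."""
    if isinstance(obj, dict):
        paths = []
        for key, value in obj.items():
            paths.extend(flatten_keys(value, f"{prefix}{key}."))
        return sorted(set(paths))
    if isinstance(obj, list):
        paths = []
        for item in obj:
            paths.extend(flatten_keys(item, f"{prefix}[]."))
        return sorted(set(paths))
    return [prefix.rstrip(".")]


# Constructed sample for offline use; these key names are assumptions, not the
# documented response format.
SAMPLE_RESPONSE = {
    "userId": "alice",
    "userName": "alice",
    "fullName": "Alice Example",
    "isDeactivated": False,
    "attributes": {"email": "alice@example.com"},
    "groups": [{"id": 5, "name": "tw_authors"}],
}


if __name__ == "__main__":
    import getpass
    import sys
    base, user = sys.argv[1], sys.argv[2]  # e.g. https://host:9443 alice
    admin = input("admin user: ")
    pwd = getpass.getpass("password: ")
    tok = get_csrf_token(base, admin, pwd)
    data = fetch_personal_data(base, user, tok, admin, pwd)
    print(json.dumps(data, indent=2))
    print("fields returned:", ", ".join(flatten_keys(data)))
```

Run it as `python fetch_personal_data.py https://host:port user_id`; the script prints the raw JSON object, which is what a data-subject request needs, followed by the list of field paths. Note that urllib normalises header names to capitalised form on the wire; that is acceptable because HTTP header names are case-insensitive, but if a proxy or WAF in front of the server matches the header name literally, send it with a client that preserves case.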