The Workflow REST APIs use authorization roles to determine the actions that a user can
take on objects, such as processes, tasks, and user data.
Authorization roles
The following list includes the roles that are used by
the Workflow REST APIs:
- Business Automation Workflow administrators: Users with wide-ranging privileges for actions on Business Automation Workflow objects, including users, groups, teams, tasks, and processes.
- Process application administrators (IBM® Process Portal administrator team): Users who can perform actions on instances or tasks in a specific process application.
- Team managers: Users who can perform actions on tasks and processes that are accessible to the members of the managed team.
- Potential task owners: Users who can work on a task in a process.
- Manager team of task team: Users who can work on and reassign tasks assigned to members of the managed team.
- Task owner: The user who is assigned to or has claimed the task and is responsible for completing it.
- Task collaborator: A user who was invited by the task owner to collaborate on the task, that is, to provide relevant data but not complete the task.
- Instance owners: Users who can administer instances of a specific process.
Retrieve and delete user data
The following actions facilitate compliance with the EU's General Data Protection Regulation.
Table 1. Eligible roles for actions on the personal information of users
| Action | Eligible roles |
|---|---|
| Retrieve a list of personal information about a user (GET) https://host:port/ops/std/bpm/users/{user_id}/personal_data | Business Automation Workflow administrator |
| Delete personal information about a user (DELETE) https://host:port/ops/std/bpm/users/{user_id}/personal_data | Business Automation Workflow administrator |
Process APIs
Table 2. Eligible roles for actions on processes and process instances
| Action | Eligible roles |
|---|---|
| Retrieve a list of processes that the user is allowed to see (GET) /bpm/processes | Business Automation Workflow administrator; Process application administrator |
| Start a new instance of a process (POST) /bpm/processes/{process-id} | Members of teams assigned to the Expose to start option for the process |
| Retrieve the details of a process instance (GET) /bpm/processes/{process-id} | Business Automation Workflow administrator; Process application administrator; Instance owner; Follower of the instance; Tagged in the instance; Members of teams assigned to the Expose Performance Metrics option for the process |
| Delete a process instance (DELETE) /bpm/processes/{process-id} | Business Automation Workflow administrator; Process application administrator; Instance owner |
User tasks APIs
Table 3. Eligible roles for actions on user tasks
| Action | Eligible roles |
|---|---|
| Retrieve a list of tasks that the user is allowed to see (GET) /bpm/user-tasks | Business Automation Workflow administrator; Task owner; Potential task owner for unclaimed tasks |
| Retrieve task details (GET) /bpm/user-tasks/{task-id} | Business Automation Workflow administrator; Process application administrator; Instance owner; Task team manager; Task owner; Potential task owner; Collaborator |
| Claim a task (PUT) /bpm/user-tasks/{task-id}/claim | Business Automation Workflow administrator; Process application administrator; Potential task owner if an owner is not assigned |
| Complete a task (PUT) /bpm/user-tasks/{task-id}/complete | Business Automation Workflow administrator; Process application administrator; Instance owner; Task owner |
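The three per-task rows of Table 3 can be turned into an authorization check that flags successful requests made by callers who held none of the eligible roles. The following is an added example, not product code: the role labels, the record layout, and the assumption that each record already carries the caller's roles relative to the target task are all constructed for illustration.

```python
# Role labels below are shorthand chosen for this example, not product identifiers.
ADMIN, PA_ADMIN, INSTANCE_OWNER = "admin", "pa_admin", "instance_owner"
TEAM_MGR, OWNER, POTENTIAL, COLLAB = "team_manager", "task_owner", "potential_owner", "collaborator"
# (method, path template) -> eligible roles, transcribed from Table 3.
TABLE_3 = {
    ("GET", "/bpm/user-tasks/{task-id}"):
        {ADMIN, PA_ADMIN, INSTANCE_OWNER, TEAM_MGR, OWNER, POTENTIAL, COLLAB},
    ("PUT", "/bpm/user-tasks/{task-id}/claim"): {ADMIN, PA_ADMIN, POTENTIAL},
    ("PUT", "/bpm/user-tasks/{task-id}/complete"): {ADMIN, PA_ADMIN, INSTANCE_OWNER, OWNER},
}

def matches(template, path):
    """Compare segment by segment; a {placeholder} matches any non-empty segment."""
    t, p = template.split("/"), path.split("/")
    return len(t) == len(p) and all(a == b or (a[:1] == "{" and b != "") for a, b in zip(t, p))

def eligible_roles(method, path, task_has_owner):
    """Roles Table 3 allows for this request, or None if the route is not listed."""
    for (m, template), roles in TABLE_3.items():
        if m == method and matches(template, path):
            if template.endswith("/claim") and task_has_owner:
                # Potential task owners may claim only when no owner is assigned.
                return roles - {POTENTIAL}
            return roles
    return None

def audit(records):
    """Return (user, method, path) for successful calls made without an eligible role."""
    findings = []
    for r in records:
        allowed = eligible_roles(r["method"], r["path"], r["task_has_owner"])
        if allowed is None or r["status"] >= 400:
            continue  # route not in Table 3, or the request was refused
        if not allowed & set(r["roles"]):
            findings.append((r["user"], r["method"], r["path"]))
    return findings

def rec(user, roles, method, path, task_has_owner, status):
    return dict(user=user, roles=roles, method=method, path=path,
                task_has_owner=task_has_owner, status=status)

# Constructed sample records; the field layout is an assumption of this example.
SAMPLE = [
    rec("alice", [OWNER], "PUT", "/bpm/user-tasks/101/complete", True, 200),
    rec("bob", [POTENTIAL], "PUT", "/bpm/user-tasks/101/claim", True, 200),
    rec("carol", [COLLAB], "PUT", "/bpm/user-tasks/102/complete", True, 200),
    rec("dave", [COLLAB], "GET", "/bpm/user-tasks/102", True, 200),
    rec("erin", [], "PUT", "/bpm/user-tasks/103/claim", False, 403),
]
```

Calling `audit(SAMPLE)` reports the claim on an already-owned task and the completion by a collaborator; the refused request and the two permitted ones are not flagged.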