Authorization for Workflow REST APIs

The Workflow REST APIs use authorization roles to determine the actions that a user can take on objects, such as processes, tasks, and user data.

Authorization roles

The following list includes the roles that are used by the Workflow REST APIs:
Business Automation Workflow administrators
Users with wide-ranging privileges for actions on Business Automation Workflow objects including users, groups, teams, tasks, and processes.
Process application administrators (IBM® Process Portal administrator team)
Users who can perform actions on instances or tasks in a specific process application.
Team managers
Users who can perform actions on tasks and processes that are accessible to the members of the managed team.
Potential task owners
Users who can work on a task in a process.
Manager team of task team
Users who can work on and reassign tasks assigned to members of the managed team.
Task owner
The user who is assigned to or has claimed the task and is responsible for completing it.
Task collaborator
A user who was invited by the task owner to collaborate on the task, that is, to provide relevant data but not to complete the task.
Instance owners
Users who can administer instances of a specific process.

Retrieve and delete user data

The following actions facilitate compliance with the EU's General Data Protection Regulation.

Table 1. Eligible roles for actions on the personal information of users
Action Eligible roles
Retrieve a list of personal information about a user (GET)
GET https://host:port/ops/std/bpm/users/{user_id}/personal_data
  • Business Automation Workflow administrator
Delete personal information about a user (DELETE)
DELETE https://host:port/ops/std/bpm/users/{user_id}/personal_data
  • Business Automation Workflow administrator

Process APIs

Table 2. Eligible roles for actions on processes and process instances
Action Eligible roles
Retrieve a list of processes that the user is allowed to see (GET)
/bpm/processes
  • Business Automation Workflow administrator
  • Process application administrator
Start a new instance of a process (POST)
/bpm/processes/{process-id}
  • Members of teams assigned to the Expose to start option for the process
Retrieve the details of a process instance (GET)
/bpm/processes/{process-id}
  • Business Automation Workflow administrator
  • Process application administrator
  • Instance owner
  • Follower of the instance
  • Tagged in the instance
  • Members of teams assigned to the Expose Performance Metrics option for the process
Delete a process instance (DELETE)
/bpm/processes/{process-id}
  • Business Automation Workflow administrator
  • Process application administrator
  • Instance owner

User tasks APIs

Table 3. Eligible roles for actions on user tasks
Action Eligible roles
Retrieve a list of tasks that the user is allowed to see (GET)
/bpm/user-tasks
  • Business Automation Workflow administrator
  • Task owner
  • Potential task owner for unclaimed tasks
Retrieve task details (GET)
/bpm/user-tasks/{task-id}
  • Business Automation Workflow administrator
  • Process application administrator
  • Instance owner
  • Task team manager
  • Task owner
  • Potential task owner
  • Collaborator
Claim a task (PUT)
/bpm/user-tasks/{task-id}/claim
  • Business Automation Workflow administrator
  • Process application administrator
  • Potential task owner if an owner is not assigned
Complete a task (PUT)
/bpm/user-tasks/{task-id}/complete
  • Business Automation Workflow administrator
  • Process application administrator
  • Instance owner
  • Task owner
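
The following added example (not IBM code) shows one way to check audit records against Table 1 and the per-task rows of Table 3: it flags successful calls made by a caller who held none of the eligible roles, keyed on both the HTTP method and the path, and applies the "if an owner is not assigned" condition for claims. The short role labels, the key=value record layout, and the assumption that each record already carries the caller's resolved roles for the object are all hypothetical.

```python
import re

# Role labels are assumed short names; the eligible sets are transcribed from
# Table 1 and the per-task rows of Table 3.
ADMIN, PA_ADMIN, INST_OWNER = "baw_admin", "process_app_admin", "instance_owner"
TEAM_MGR, OWNER = "task_team_manager", "task_owner"
POTENTIAL, COLLAB = "potential_task_owner", "collaborator"

SEG = r"[^/]+"  # one path segment, standing in for {user_id} or {task-id}
RULES = [(method, re.compile(pattern), roles) for method, pattern, roles in [
    ("GET", rf"/ops/std/bpm/users/{SEG}/personal_data", {ADMIN}),
    ("DELETE", rf"/ops/std/bpm/users/{SEG}/personal_data", {ADMIN}),
    ("GET", rf"/bpm/user-tasks/{SEG}",
     {ADMIN, PA_ADMIN, INST_OWNER, TEAM_MGR, OWNER, POTENTIAL, COLLAB}),
    ("PUT", rf"/bpm/user-tasks/{SEG}/claim", {ADMIN, PA_ADMIN, POTENTIAL}),
    ("PUT", rf"/bpm/user-tasks/{SEG}/complete",
     {ADMIN, PA_ADMIN, INST_OWNER, OWNER}),
]]

def eligible(method, path, roles, owner_assigned=False):
    """True/False per the tables; None when the route is not in RULES."""
    for rule_method, pattern, allowed in RULES:
        if rule_method == method and pattern.fullmatch(path):
            granted = set(roles) & allowed
            # Claim: a potential owner qualifies only if no owner is assigned.
            if path.endswith("/claim") and owner_assigned:
                granted.discard(POTENTIAL)
            return bool(granted)
    return None

def audit(lines):
    """Return (user, method, path) for 2xx responses with no eligible role."""
    findings = []
    for line in lines:
        rec = dict(field.split("=", 1) for field in line.split())
        ok = eligible(rec["method"], rec["path"], rec["roles"].split(","),
                      rec.get("owner_assigned") == "true")
        if rec["status"].startswith("2") and ok is False:
            findings.append((rec["user"], rec["method"], rec["path"]))
    return findings

# Constructed audit records; the key=value layout is assumed, not a product log.
SAMPLE = [
    "user=ana roles=task_owner method=PUT path=/bpm/user-tasks/17/complete status=200",
    "user=raj roles=collaborator method=PUT path=/bpm/user-tasks/17/complete status=200",
    "user=li roles=potential_task_owner method=PUT path=/bpm/user-tasks/18/claim status=200 owner_assigned=true",
    "user=sam roles=process_app_admin method=DELETE path=/ops/std/bpm/users/u42/personal_data status=204",
    "user=kim roles=collaborator method=PUT path=/bpm/user-tasks/17/claim status=403",
]
```

Calling `audit(SAMPLE)` returns the three records in which a collaborator completed a task, a potential owner claimed an already-owned task, and a process application administrator deleted personal data.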