User roles

Access to environments and tools is controlled through a fine-grained authorization model that uses roles and permissions.

To authorize users for environments and tools, you must have the Account Administrator role. For more information, see Assigning roles and permissions. The following tables map automation roles to capability roles and list the typical tasks performed by users who have these roles.

Cloud Portal roles

Your cloud subscription has the following Cloud Portal roles:

Table 1. Cloud Portal roles and typical tasks
Automation role: Subscription Admin
Cloud Portal role: Account Administrator
Typical tasks: Manage accounts of other users and monitor usage of the subscription. For example,
  • Invite users.
  • Assign user roles and environments.
  • Manage permissions for accessing cloud environments.
  • Assign users to cloud authorization groups.
  • Monitor usage.

Automation role: System Operator
Cloud Portal role: Operator
Typical tasks: Monitor and manage the servers in the cloud subscription. For example,
  • Manage events that are logged and retrieve log files.
  • View the status of the environment.
  • Restart a workflow system in an environment.
  • Restart content services components.

Global roles

Table 2. Global roles and typical tasks
Automation role: Business user
Global role: Salesforce Users
Typical tasks: Store Salesforce attachments as documents in the Content Services repository.
Note: Users also need a password to access Salesforce:
  • If they log into the cloud subscription with a login ID and password, they must activate their login password to be their Salesforce password by going to the user menu and selecting Activate Tools Password.
  • If they log into the cloud subscription through their organization's Identity Provider server (SAML login), they must create a password by going to the user menu and selecting Set Tools Password.
Tools used:
  • IBM® Salesforce Connector App

Business automations roles

These roles give users permission to create and administer business automations and applications.

Table 3. Business automations and typical tasks
Automation role: Automation Specialist
Application role: Studio Authors
Typical tasks: Create applications.
Tools used:
  • Studio

Application role: Workflow Authors
Typical tasks: Create workflow automations.
Tools used:
  • Studio
  • Workflow Process APIs
  • REST API Tester

Automation role: Automation Solution Admin
Application role: Studio Administrators
Typical tasks: Publish applications to the Studio repository.
Note: Users also require the Navigator Administrators role to make applications available to business users through Business Automation Navigator.
Tools used:
  • Studio
  • Business Automation Navigator

Application role: Workflow Administrators
Typical tasks: Administer workflow assets, servers, and security.
Tools used:
  • Studio
  • Process Admin Console
  • Workflow Operations APIs

Application role: Workplace Administrators
Typical tasks:
  • Assign users to administrator and supervisor roles.
  • Enable access to workstream services.
Tools used:
  • Workplace

Automation role: Business User
Application role: None
Typical tasks:
  • Manage and complete tasks and workflows.
  • Create workstreams.
  • Work with applications.
Tools used:
  • Workplace
  • Business Automation Apps

Content roles

Note: When you assign a content role to a user who is currently logged into Administration Console for Content Platform Engine or IBM Navigator, the new role assignment takes effect after one hour. This is because the Content Platform Engine token cache stores a local copy of the mapping from a security principal (a user or group) to its list of security IDs (SIDs) used by Content Platform Engine to authorize the principal.
Table 4. Content roles and typical tasks
Automation role: Automation Solution Admin
Content role: Content Platform Engine Class Designer
Typical tasks: Create and update the data models for an application or applications. Create classes that are used by multiple applications. For more information about this role, see Designer group access in the FileNet® P8 Platform documentation.
Tools used:
  • Administration Console for Content Platform Engine

Content role: Content Platform Engine Application Designer
Typical tasks: In addition to the Class Designer data model privileges, these users can also create properties that affect a wider set of components. Users are also responsible for the components that are needed to create a Content Platform Engine application. For more information about this role, see Designer group access in the FileNet P8 Platform documentation.
Tools used:
  • Administration Console for Content Platform Engine

Content role: Content Platform Engine Administrator
Typical tasks: In addition to the privileges of the Class Designer and the Application Designer, these users can administer the object store provisioned for the cloud subscription. They also have access to the Content Platform Engine Administration Tools.
Note: Users also need a password to access the administration tools:
  • If they log into the cloud subscription with a login ID and password, they must activate their login password to be their administration tools password by going to the user menu and selecting Activate Tools Password.
  • If they log into the cloud subscription through their organization's Identity Provider server (SAML login), they must create a password by going to the user menu and selecting Set Tools Password.
Tools used:
  • Administration Console for Content Platform Engine
  • Enterprise Records Administration Client Administration Tools

Content role: Enterprise Records Administrator
Typical tasks:
  • Assign permissions to different users and groups.
  • Define and modify security markings. Configure auditing.
  • Delete file plans, categories, and records. Import and export records.
  • Back up and restore file plan and records.
  • Perform tasks assigned to any of the other IBM Enterprise Records roles.
Note: Users also need a tools password to create and schedule a sweep:
  • If they log into the cloud subscription with a login ID and password, they must activate their login password to be their administration tools password by going to the user menu and selecting Activate Tools Password.
  • If they log into the cloud subscription through their organization's Identity Provider server (SAML login), they must create a password by going to the user menu and selecting Set Tools Password.
Tools used:
  • Enterprise Records Administration Client

Content role: Enterprise Records Manager
Typical tasks:
  • Create and modify file plans and levels of hierarchy, such as record categories, folders, and volumes.
  • Create other associated objects, such as naming patterns, record types, actions, phases, and holds.
  • Define and maintain disposition schedules to control the retention and destruction of entities.
  • Associate disposal schedules to record categories, record folders, and record types.
  • Perform records management activities, such as relocating categories and folders, setting vital records, and activating records.
  • Perform tasks assigned to any of the other IBM Enterprise Records roles.
Tools used:
  • Enterprise Records Administration Client

Content role: Enterprise Records Privileged User
Typical tasks:
  • Review entities that are due for disposition.
  • Perform basic record-related operations, such as file and copy record.
  • Search and display records, folders, and categories.
  • Declare records.
Tools used:
  • Enterprise Records Administration Client

Decisions roles

Table 5. Decisions roles and typical tasks
Automation role: Automation Solution Admin
Decisions role: Decision Center administrator
Typical tasks:
  • Work with the Decision Center Business console.
  • Implement security on Decision services.
  • Create groups, set the permissions, add users to the groups, and set the groups on decision services.
  • Can create deployment configurations in the Business console for any cloud environment.
  • Can deploy decision services from any cloud environment.
  • Can hold Decision Center developer and operator roles in the case of, for example, a small team.
Tools used:
  • Decision Center Business console

Automation role: Automation Specialist
Decisions role: Decision Center operator
Typical tasks:
  • Work mainly with the Decision Center Business console.
  • Can create deployment configurations in the Business console for any cloud environment.
  • Orchestrate the lifecycle of a decision service, and be responsible for the deployment of a decision service release to production.
  • Follow a staged progression from development to production.
  • Create development branches or releases.
  • Define change and validation activities for Developers.
  • Assign ownership for work, reviews, and approvals.
  • Can deploy a decision service to environments to validate changes (if permission defined by the Decision Center administrator).
Tools used:
  • Decision Center Business console

Automation role: Automation Specialist
Decisions role: Decision Center developer
Typical tasks:
  • Work with the Rule Designer and the Decision Center Business console.
  • Create the model of a decision service.
  • Use the Rule Designer component to convert the knowledge from the business domain into decision artifacts.
  • Make the initial version of the business rule artifacts, including action rules, decision tables, and rule flows.
  • Implement and maintain some or all of the business rule artifacts that are in a decision service.
  • Run functional tests and simulations in the development environment to validate the changes that are made for a release (if permission defined by the Decision Center administrator or operator).
  • Can deploy a decision service to environments to validate changes (if permission defined by the Decision Center administrator or operator).
  • Publish the decision service from Rule Designer to Decision Center (if permission defined by the Decision Center administrator).
  • Can participate in the review or approval process with other developers (if permission defined by the Decision Center operator).
  • Collaborate with the Decision Center operator.
Tools used:
  • Rule Designer
  • Decision Center Business console

Automation role: Automation Specialist
Decisions role: Decision Server operator (per environment)
Typical tasks:
  • Work with Rule Execution Server.
  • Run the decision service locally or in the cloud development environment until achieving the expected results.
  • Can execute rule sets in the defined environment.
Tools used:
  • Rule Execution Server

Automation role: Business Analyst
Decisions role: Decision Server analyst (per environment)
Typical tasks:
  • Work with the hosted transparent decision service (HTDS).
  • Can execute rule sets in the defined environment.
Tools used:
  • Hosted transparent decision service (HTDS)

Insights roles

Table 6. Insights roles and typical tasks
Automation role: Business Analyst
Insights role: Insights Analyst
Typical tasks: Access and work with Business Performance Center dashboards.
Tools used:
  • Business Performance Center

Insights role: Insights Administrator
Typical tasks:
  • Access and work with Business Performance Center dashboards.
  • Assign permissions to monitoring sources on the Team permissions tab.
Tools used:
  • Business Performance Center

Workflow roles

These roles give users permission to perform certain basic actions on processes and cases, such as creating a process application or a case solution. Lower-level tasks, such as collaborating on process or case development, might also require membership in a workflow group or team. For more information, see the task descriptions in Working with business processes and Working with case management solutions.

Table 7. Workflow roles and typical tasks
Automation role: Automation Specialist
Workflow role: Process App Creators
Typical tasks: Create process applications and toolkits and control access to them.
Tools used:
  • Workflow Center
  • REST API Tester

Workflow role: Case Administrators
Typical tasks: Administer case assets, servers, and security.
Note: If users require access to the Content Platform Engine Administration Tools they also need a password to access the administration tools:
  • If they log into the cloud subscription with a login ID and password, they must activate their login password to be their administration tools password by going to the user menu and selecting Activate Tools Password.
  • If they log into the cloud subscription through their organization's Identity Provider server (SAML login), they must create a password by going to the user menu and selecting Set Tools Password.
Tools used:
  • Case administration client
  • IBM Navigator
  • Administration Console for Content Platform Engine

Automation role: Automation Solution Admin
Workflow role: Process Administrators
Typical tasks: Administer process assets, servers, and security.
Tools used:
  • Workflow Center
  • Process Admin Console
  • REST API Tester

Workflow role: Performance Monitor Starters
Typical tasks: Start performance monitoring for processes and services in the Process Admin Console.
Tools used:
  • Process Admin Console
  • Performance Data Warehouse

Workflow role: Navigator Administrators
Typical tasks: Create IBM Navigator desktops, for example, for different case solutions and user groups.
Tools used:
  • IBM Navigator

Automation role: Business User
Workflow role: None
Typical tasks: Manage and complete tasks.
Tools used:
  • Process Portal

Platform foundation tools

These roles give permissions for working with the Platform foundation tools, Business Automation Navigator and Team Management.

Table 8. Business Automation Navigator and Team Management roles and typical tasks
Automation role: Automation Solution Admin
Application role: Navigator Administrators
Typical tasks:
  • Deploy applications developed in Studio to the test and production environments.
  • Create custom desktops.
  • Assign users and groups to desktops.
Tools used:
  • Business Automation Navigator
  • Team Management

Automation role: Automation Solution Admin
Application role: Teams Administrators
Typical tasks: Create and manage global teams.
Tools used:
  • Team Management