Access to environments and tools is controlled through a fine-grained authorization model that uses roles and permissions.
To authorize users to environments and tools, you must have the Account Administrator role.
For more information, see Assigning roles and permissions.
The following tables show the mapping of automation roles to capability roles and the typical tasks that users with these roles perform.
Cloud Portal roles
Your cloud subscription has the following Cloud Portal roles:
Table 1. Cloud Portal roles and typical tasks
Automation role |
Cloud Portal roles |
Typical tasks |
Subscription Admin |
Account Administrator |
Manage accounts of other users and monitor usage
of the subscription. For example,
- Invite users.
- Assign user roles and environments.
- Manage permissions for accessing cloud environments.
- Assign users to cloud authorization groups.
- Monitor usage.
|
System Operator |
Operator |
Monitor and manage the servers in the cloud
subscription. For example,
- Manage events that are logged and retrieve log files.
- View the status of the environment.
- Restart a workflow system in an environment.
- Restart content services components.
|
Global roles
Table 2. Global roles and typical tasks
Automation role |
Global role |
Typical tasks |
Tools used |
Business user |
Salesforce Users |
Store Salesforce attachments as documents in the Content Services repository. Note: Users also
need a password to access Salesforce:
- If they log into the cloud subscription with a login ID and password, they must activate their
login password to be their Salesforce password by going to the user menu and selecting
Activate Tools Password.
- If they log into the cloud subscription through their organization's Identity Provider server
(SAML login), they must create a password by going to the user menu and selecting Set
Tools Password.
|
IBM® Salesforce Connector
App |
Business automations roles
These roles give users permission to create and administer business automations and applications.
Table 3. Business automations and typical tasks
Automation role |
Application roles |
Typical tasks |
Tools used |
Automation Specialist |
Studio Authors |
Create applications. |
|
Workflow Authors |
Create workflow automations. |
- Studio
- Workflow Process APIs
- REST API Tester
|
Automation Solution Admin |
Studio Administrators |
Publish applications to the Studio repository. Note: Users
also require the Navigator Administrators role to make applications
available to business users through Business
Automation Navigator.
|
- Studio
- Business
Automation Navigator
|
Workflow Administrators |
Administer workflow assets, servers, and security. |
- Studio
- Process Admin Console
- Workflow Operations APIs
|
Workplace Administrators |
- Assign users to administrator and supervisor roles.
- Enable access to workstream services.
|
|
Business User |
None |
- Manage and complete tasks and workflows.
- Create workstreams.
- Work with applications.
|
- Workplace
- Business Automation Apps
|
Content roles
Note: When you assign
a content role to a user who is currently logged into Administration Console for Content
Platform Engine or IBM Navigator,
the new role assignment takes effect after one hour. This is because
the Content Platform Engine token
cache stores a local copy of the mapping from a security principal
(a user or group) to its list of security IDs (SIDs) used by Content Platform Engine to
authorize the principal.
Table 4. Content roles and typical tasks
Automation role |
Content roles |
Typical tasks |
Tools used |
Automation Solution Admin |
Content Platform Engine Class
Designer |
Create and update the data models for an application
or applications. Create classes that are used by multiple applications.
For more information about this role, see Designer group access in
the FileNet® P8
Platform documentation. |
- Administration Console for Content
Platform Engine
|
Content Platform Engine Application
Designer |
In addition to the Class Designer data model
privileges, these users can also create properties that affect a wider
set of components. Users are also responsible for the components that
are needed to create a Content Platform Engine application.
For more information about this role, see Designer group access in
the FileNet P8
Platform documentation. |
- Administration Console for Content
Platform Engine
|
Content Platform Engine Administrator |
In addition to the privileges of the Class Designer
and the Application Designer, these users can administer the object
store provisioned for the cloud subscription. They also have access
to the Content Platform Engine Administration Tools. Note: Users also need a password to access the administration
tools:
- If they log into the cloud subscription with a login ID and password,
they must activate their login password to be their administration
tools password by going to the user menu and selecting Activate
Tools Password.
- If they log into the cloud subscription through their organization's
Identity Provider server (SAML login), they must create a password
by going to the user menu and selecting Set Tools Password.
|
- Administration Console for Content
Platform Engine
- Enterprise Records Administration
Client Administration
Tools
|
Enterprise Records Administrator |
- Assign permissions to different users and groups.
- Define and modify security markings. Configure auditing.
- Delete file plans, categories, and records. Import and export
records.
- Back up and restore file plan and records.
- Perform tasks assigned to any of the other IBM Enterprise
Records roles.
Note: Users also need a tools password to create and schedule
a sweep:
- If they log into the cloud subscription with a login ID and password,
they must activate their login password to be their administration
tools password by going to the user menu and selecting Activate
Tools Password.
- If they log into the cloud subscription through their organization's
Identity Provider server (SAML login), they must create a password
by going to the user menu and selecting Set Tools Password.
|
- Enterprise Records Administration
Client
|
Enterprise Records Manager |
- Create and modify file plans and levels of hierarchy, such as
record categories, folders, and volumes.
- Create other associated objects, such as naming patterns, record
types, actions, phases, and holds.
- Define and maintain disposition schedules to control the retention
and destruction of entities.
- Associate disposal schedules to record categories, record folders,
and record types.
- Perform records management activities, such as relocating categories
and folders, setting vital records, and activating records.
- Perform tasks assigned to any of the other IBM Enterprise
Records roles.
|
- Enterprise Records Administration
Client
|
Enterprise Records Privileged
User |
- Review entities that are due for disposition.
- Perform basic record-related operations, such as file and copy
record.
- Search and display records, folders, and categories.
- Declare records.
|
- Enterprise Records Administration
Client
|
Decisions roles
Table 5. Decisions roles and typical tasks
Automation role |
Decisions role |
Typical tasks |
Tools used |
Automation Solution Admin |
Decision Center administrator |
- Work with the Decision Center Business
console.
- Implement security on Decision services.
- Create groups, set the permissions, add users to the groups, and
set the groups on decision services.
- Can create deployment configurations in the Business console for
any cloud environment.
- Can deploy decision services from any cloud environment.
- Can hold Decision Center
developer and operator roles in the case of, for example, a small team.
|
- Decision Center Business
console
|
Automation Specialist |
Decision Center operator |
- Work mainly with the Decision Center Business
console.
- Can create deployment configurations in the Business console for
any cloud environment.
- Orchestrate the lifecycle of a decision service, and be responsible
for the deployment of a decision service release to production.
- Follow a staged progression from development to production.
- Create development branches or releases.
- Define change and validation activities for developers.
- Assign ownership for work, reviews, and approvals.
- Can deploy a decision service to environments to validate changes (if this permission is defined by the
Decision Center administrator).
|
- Decision Center Business
console
|
Automation Specialist |
Decision Center developer |
- Work with the Rule Designer and
the Decision Center Business
console.
- Create the model of a decision service.
- Use the Rule Designer component
to convert the knowledge from the business domain into decision artifacts.
- Make the initial version of the business rule artifacts, including
action rules, decision tables, and rule flows.
- Implement and maintain some or all of the business rule artifacts
that are in a decision service.
- Run functional tests and simulations in the development environment to validate the changes that
are made for a release (if this permission is defined by the Decision Center administrator or
operator).
- Can deploy a decision service to environments to validate changes (if this permission is defined by the
Decision Center administrator or operator).
- Publish the decision service from Rule Designer to Decision Center (if this permission is defined
by the Decision Center administrator).
- Can participate in the review or approval process with other developers (if this permission is defined
by the Decision Center operator).
- Collaborate with the Decision Center operator.
|
- Rule Designer
- Decision Center Business
console
|
Automation Specialist |
Decision Server operator (per environment) |
- Work with Rule Execution
Server.
- Run the decision service locally or in the cloud development environment
until achieving the expected results.
- Can execute rule sets in the defined environment.
|
|
Business Analyst |
Decision Server analyst (per environment) |
- Work with the hosted transparent decision service (HTDS).
- Can execute rule sets in the defined environment.
|
- Hosted transparent decision service (HTDS)
|
Insights roles
Table 6. Insights roles and typical tasks
Automation role |
Insights role |
Typical tasks |
Tools used |
Business Analyst |
Insights Analyst |
Access and work with Business Performance Center dashboards. |
- Business Performance Center
|
Insights Administrator |
- Access and work with Business Performance Center dashboards.
- Assign permissions to monitoring sources on the Team
permissions tab.
|
- Business Performance Center
|
Workflow roles
These roles give users permission to perform certain basic actions on processes and
cases, such as creating a process application or a case solution.
Lower level tasks, such as collaborating on process or case development,
might require membership in a workflow group or team too. For more
information, see the task descriptions in Working with business processes and Working with case management solutions.
Table 7. Workflow roles and typical tasks
Automation roles |
Workflow roles |
Typical tasks |
Tools used |
Automation Specialist |
Process App Creators |
Create process applications and toolkits and
control access to them. |
- Workflow Center
- REST API Tester
|
Case Administrators |
Administer case assets, servers, and security. Note: If
users require access to the Content Platform Engine Administration
Tools, they also need a password to access the administration tools:
- If they log into the cloud subscription with a login ID and password,
they must activate their login password to be their administration
tools password by going to the user menu and selecting Activate
Tools Password.
- If they log into the cloud subscription through their organization's
Identity Provider server (SAML login), they must create a password
by going to the user menu and selecting Set Tools Password.
|
- Case administration client
- IBM Navigator
- Administration Console for Content
Platform Engine
|
Automation Solution Admin |
Process Administrators |
Administer process assets, servers, and security. |
- Workflow Center
- Process Admin Console
- REST API Tester
|
Performance Monitor Starters |
Start performance monitoring for processes and
services in the Process Admin Console. |
- Process Admin Console
- Performance Data Warehouse
|
Navigator Administrators |
Create IBM Navigator desktops,
for example, for different case solutions and user groups. |
|
Business User |
None |
Manage and complete tasks. |
|