Users and administrators in Process Manager

In addition to authentication, Process Manager uses role-based access control to secure certain types of objects.

By default, any user in Process Manager can create and submit their own flow definitions, and monitor and control their own flows, as long as their user ID is recognized by LSF®. In addition, by default all users can view calendars and flows submitted by another user. However, special permissions are required to install and configure Process Manager, or to modify Process Manager items on behalf of another user.

Configuration of user roles

Role	Where defined	Summary of permissions
Normal user	Any operating system user on LSF hosts. All users are automatically assigned this role.	Normal users can view flow definitions, flows, calendars, and jobs that are owned by all users but can control only work items that they own.
Primary Process Manager administrator	First user that is specified in `JS_ADMINS` in the file js.conf.	Required to install a Process Manager Server and change permissions. It is also the user under which the Process Manager Server runs, and is the minimum authority that is required to stop the Process Manager Server. The Primary Process Manager administrator has full control over all work items of all users and can view, control, and modify flow definitions, flows, calendars, and jobs on behalf of other users.
Process Manager administrator	Users that are specified in `JS_ADMINS` in the file js.conf after the first one that is listed.	Process Manager administrators have full control over all Process Manager items of all users. Process Manager administrators can view, control, and modify flow definitions, flows, calendars, and jobs on behalf of other users.
Process Manager Control administrator	Users that are specified in `JS_CONTROL_ADMINS` in the file js.conf.	Process Manager Control administrators can view flow definitions, flows, calendars, and jobs that are owned by all users and can control flows (not flow definitions) and jobs on behalf of other users.
Process Manager Group administrator	Users that are specified as GROUP_ADMIN in LSF user groups in the lsb.users file when `JS_ENABLE_GROUP_ADMIN=true` in js.conf.	Group administrators can view flow definitions, flows, and calendars owned by all users. Group administrators can control flow definitions, flows and jobs on behalf of users who are members of the same LSF user group.

Normal users permissions details

Item	View	Control	Specify Owner(when `JS_ENABLE_GROUP_ADMIN=true` in js.conf)
Flow definitions	All flow definitions of all users. When `JS_LIMIT_USER_VIEW=true` in js.conf, can view only flow definitions that they own. When `JS_LIMIT_FLOW_CHART_VIEW=true` in js.conf, can view only the flow chart of flow definitions that they own.	Can perform all operations only on flow definitions that they own(saved by that user account and as a result, owned by that user account). When `JS_CHANGE_FLOW_OWNER=true` in js.conf and the flow definition is published, can additionally trigger flows from other users' flow definitions and own those flows.	Cannot set a flow definition owner. The default owner of the flow is the submission user.
Flows	All flows of all users. When `JS_LIMIT_USER_VIEW=true` in js.conf, can view only flows that they own. When `JS_LIMIT_FLOW_CHART_VIEW=true` in js.conf, can view only the flow chart of flows if they are the owner of both the flow definition and the flow.	Only flows owned by themselves(from flow definitions that they submitted), all operations. When `JS_CHANGE_FLOW_OWNER=true` in js.conf and the flow definition is published, can own and perform all operations on flows triggered from other users' flow definitions.	Cannot set a flow owner. Flows are owned by the user that is specified as the owner in the flow definition.
Jobs	All jobs of all users.	Only jobs that they own(running as their user account), all operations.	Cannot set a job owner. The job is owned by the user specified as the Run As user in the job definition.
Calendars	All calendars of all users.	Only calendars that they own(that they added), all operations.	Cannot set a calendar owner. The calendar is owned by the user specified as the owner in Calendar Editor.

Process Manager Administrators permissions details

Item	View	Control	Specify Owner(when `JS_ENABLE_GROUP_ADMIN=true` in js.conf)
Flow definitions	All flow definitions of all users.	All flow definitions of all users, all operations.	The default owner of the flow definition is the submission user, but Process Manager administrators can specify any valid user name as the owner.
Flows	All flows of all users.	All flows of all users, all operations.	Flows are owned by the user that is specified as the owner in the flow definition.
Jobs	All jobs of all users.	All jobs of all users, all operations.	Jobs are owned by the user that is specified as the Run As user owner in the job definition.
Calendars	All calendars of all users.	All calendars of all users, all operations.	The logged on user is set by default as the calendar owner, but Process Manager administrators can specify any valid user name as the calendar owner.

Process Manager Control Administrators permissions details

Item	View	Control	Specify Owner(when `JS_ENABLE_GROUP_ADMIN=true` in js.conf)
Flow definitions	All flow definitions of all users. When `JS_LIMIT_USER_VIEW=true` in js.conf, can view all flow definitions of all users. When `JS_LIMIT_FLOW_CHART_VIEW=true` in js.conf, can view only the flow chart of flow definitions that they own.	All flow definitions of all users, but cannot submit or remove flow definitions that belong to other users. When `JS_CHANGE_FLOW_OWNER=true` in js.conf, can trigger flows from other users' flow definitions and own those flows. When `JS_CHANGE_FLOW_OWNER=false` in js.conf, can trigger flows from other users' flow definitions. The flow owner is the user who submitted the flow definition.	Cannot specify an owner for the flow definition. The flow definition is owned by the user who saves the flow definition.
Flows	All flows of all users. When `JS_LIMIT_USER_VIEW=true` in js.conf, can view all flows of all users. When `JS_LIMIT_FLOW_CHART_VIEW=true` in js.conf, can view only the flow chart of flows if they are the owner of both the flow definition and the flow.	All flows of all users, all operations.	Cannot specify an owner for the flow. The flow is owned by the user that is specified as owner in the flow definition. When `JS_CHANGE_FLOW_OWNER=true` in js.conf, flows are owned by the triggering user. When `JS_CHANGE_FLOW_OWNER=false` in js.conf, the flow owner is the user who submitted the flow definition.
Jobs	All jobs of all users.	All jobs of all users, all operations.	Cannot specify an owner for the job. The job is owned by the user that is specified as the Run As user in the job definition.
Calendars	All calendars of all users.	All calendars of all users, all operations.	Cannot specify a calendar owner. The calendar is owned by the user that is specified as the owner in Calendar Editor.

Process Manager Group Administrators permissions details

Item	View	Control	Specify Owner
Flow definitions	All flow definitions of all users. When `JS_LIMIT_USER_VIEW=true` in js.conf, can view only flow definitions owned by members of their user groups. When `JS_LIMIT_FLOW_CHART_VIEW=true` in js.conf, can see the flow chart of a flow definition if a member of their group is the owner of the flow definition.	All flow definitions that they own and that are owned by users in their user group, all operations. When `JS_CHANGE_FLOW_OWNER=false` in js.conf and the flow definition is published or unpublished, Group administrators can trigger flows that are owned by members of their user groups and the flow owner is that defined in the flow definition. Can perform all operations on those flows. When `JS_CHANGE_FLOW_OWNER=true` in js.conf and the flow definition is published or unpublished, Group administrators can trigger flows from flow definitions that are owned by members of their user groups and flows are owned by the triggering user. Can perform all operations on those flows.	The default owner of the flow definition is the submission user. The Process Manager Group administrator can specify a different owner. Valid users for owners are members of the same groups as the Group administrator.
Flows	All flows of all users. When `JS_LIMIT_USER_VIEW=true` in js.conf, can view only flows owned by members of their user groups. When `JS_LIMIT_FLOW_CHART_VIEW=true` in js.conf, can see the flow chart of a flow only if both the flow definition and flow are owned by members of their group. If the Group member triggers a flow from a published flow definition that is owned by someone not belonging to the user group, the Group administrator and the group member will not be able to see the flow chart of the flow.	All flows that are owned by themselves and users in their user groups, all operations.	The owner of the flow is the user that is specified as owner in the flow definition.
Jobs	All jobs of all users.	All jobs running as themselves and as user accounts in their user groups, all operations.	The owner of the job is the user that is specified as the Run As user in the job definition.
Calendars	All calendars of all users.	All calendars that are owned by themselves and by user accounts in their user group, all operations.	By default, the user who adds the calendar is the calendar owner. Process Manager Group administrators can specify a different calendar owner. Valid users for owners are members of the same groups as the Group administrator.