REST API authorization for user, group, and team actions

Two authorization modes are provided for the REST APIs that grant access to user, group, and team information. The default mode provides limited authorization control, while the enhanced mode extends authorization control to all of the affected APIs.

To enable the enhanced mode, add the following configuration property to the 100Custom.xml file in your topology:

<server>
    <portal merge="mergeChildren">
        <authorization-enabled-for-org-info>true</authorization-enabled-for-org-info>
    </portal>
</server>

For more information about roles, see Authorization roles. For more information about action policies, see Configuration properties for Process Portal action policies.
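The following Python script is an added example and not part of the IBM documentation: it reads a 100Custom.xml fragment and reports which authorization mode is in effect, so an administrator can verify the setting before relying on the restrictions in the tables below. The two XML samples are constructed here; the property name, its location under server/portal, and the literal value "true" are taken from the page. The helper names (org_info_setting, enhanced_mode_enabled, audit) are this example's own.

```python
import xml.etree.ElementTree as ET

PROPERTY = "authorization-enabled-for-org-info"

# Constructed sample: a 100Custom.xml that turns the enhanced mode on,
# mirroring the fragment shown on this page.
ENHANCED_XML = """<server>
  <portal merge="mergeChildren">
    <authorization-enabled-for-org-info>true</authorization-enabled-for-org-info>
  </portal>
</server>
"""

# Constructed sample: a 100Custom.xml that never sets the property, so the
# default (limited) authorization mode stays in effect.
DEFAULT_XML = """<server>
  <portal merge="mergeChildren">
    <some-unrelated-setting>x</some-unrelated-setting>
  </portal>
</server>
"""


def org_info_setting(xml_text):
    """Return the text of server/portal/<PROPERTY> as written, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "server":
        raise ValueError("expected a <server> root element, got <%s>" % root.tag)
    node = root.find("./portal/" + PROPERTY)
    if node is None:
        return None
    return (node.text or "").strip()


def enhanced_mode_enabled(xml_text):
    """True only when the property is present and reads 'true' (case-insensitive).

    Any other value, or a missing element, leaves the default mode in effect.
    """
    value = org_info_setting(xml_text)
    return value is not None and value.lower() == "true"


def audit(xml_text):
    """Summarise the mode in effect and what it means for the org-info REST APIs."""
    value = org_info_setting(xml_text)
    if enhanced_mode_enabled(xml_text):
        return {
            "mode": "enhanced",
            "value": value,
            "finding": "Authorization control extends to all user, group, and team APIs.",
        }
    return {
        "mode": "default",
        "value": value,
        "finding": "Limited authorization control; group and team APIs have no default restrictions.",
    }


if __name__ == "__main__":
    # Usage: python audit_org_info.py /path/to/100Custom.xml
    # Without a path the constructed DEFAULT_XML sample is audited.
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = DEFAULT_XML
    print(audit(text))
```

The check deliberately treats anything other than a literal "true" (for example "True " with stray whitespace is accepted, but "yes" or "1" is not) as the default mode, so a mistyped value is reported as a finding rather than silently assumed to be enabled.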
Table 1. Authorization behavior when enhanced authorization control is enabled

Columns: User/group/team action and API; Enabled for authorization roles and action policies; Other preconditions.

Action: View user information
API: /user/<userIdOrName>
Enabled for:
  • IBM® Business Process Manager (BPM) administrator (member of the bpmAdminGroup) for all users
  • A user invoking the API for viewing the user's own data
  • A user who is authorized by the ACTION_REFRESH_USER policy and the ACTION_MANAGE_ANY_USERATTRIBUTE policy
Other preconditions: none

Action: Refresh user information
API: /user/<userIdOrName>?refreshUser=true
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup) for all users
  • A user who is authorized by the ACTION_REFRESH_USER policy
Other preconditions: none

Action: Update user attributes
API: /user/{userNameOrID}?action=setPreference
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup) for all users
  • A user who is authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy
Other preconditions:
  • Users calling the API can update self-manageable attributes
  • IBM BPM administrators can update any attribute
  • Policy-enabled users can update any attribute

Action: View user information
API: /users
Enabled for: IBM BPM administrator (member of the bpmAdminGroup) for all users
Other preconditions: none

Action: View potential collaborators for a claimed task
API: /users?collabTaskidFilter=
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • A user who is authorized to invite others to collaborate on a task: the task owner
Other preconditions:
  • Task must be claimed.
  • Collaboration is enabled.
  • Task involves at least one potential collaborator:
    • Task expert
    • Another potential owner

Action: View potential reassignees for a received or claimed task
API: /users?assignTaskidFilter=
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • A user who is authorized to reassign the task to another user, such as:
    • Task owner, if authorized by the ACTION_REASSIGN_TASK_USER_ROLE policy
    • Task team manager
    • Instance owner
Other preconditions: Task must be received or claimed.

Action: View group information
API: /group/<groupIdOrName>
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • Team managers (if the specified group corresponds to a team)
Other preconditions: none

Action: Change group membership
API:
  • /group/<groupIdOrName>?action=addMember
  • /group/<groupIdOrName>?action=removeMember
Enabled for: IBM BPM administrator (member of the bpmAdminGroup)
Other preconditions: none

Action: View groups information
API: /groups
Enabled for: IBM BPM administrator (member of the bpmAdminGroup)
Other preconditions: none

Action: View team information
API: /team/<teamIdOrName>
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • Team manager
Other preconditions: none

Action: View participant group information
API: /participantGroup/<pgIdOrName>
Enabled for: IBM BPM administrator (member of the bpmAdminGroup)
Other preconditions: none

Table 2. Authorization restrictions when enhanced control is not enabled by configuration

Columns: User/group/team action and API; Enabled for roles and action policies; Other preconditions.

Action: View user information
API:
  • /user/<userIdOrName>
  • /users
Enabled for: Any authenticated user
Other preconditions:
  • Users can view their own information, including all attributes
  • Users can view the public attributes of other users
  • Users who are enabled by ACTION_MANAGE_ANY_USERATTRIBUTE can view all the attributes of another user

Action: Refresh user information
API: /user/<userIdOrName>?refreshUser=true
Enabled for: A user who is authorized by the ACTION_REFRESH_USER policy
Other preconditions: none

Action: Update user attributes
API: /user/{userNameOrID}?action=setPreference
Enabled for: A user who is authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy
Other preconditions:
  • Users calling the API can update self-manageable attributes
  • Policy-enabled users can update any attribute

Action: View potential collaborators for a task
API: /users?collabTaskidFilter=
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • Process application administrator
  • A user who is authorized to view the task (assigned to another user):
    • Task owner
    • Task team manager
    • Task collaborator
    • Instance owner
Other preconditions: none

Action: View potential reassignees for a task
API: /users?assignTaskidFilter=
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • Process application administrator
  • A user who is authorized to view the task (assigned to another user):
    • Task owner
    • Task team manager
    • Task collaborator
    • Instance owner
Other preconditions: none

Action: View group information
API: /group/<groupIdOrName>
Enabled for:
  • IBM BPM administrator (member of the bpmAdminGroup)
  • Team managers (if the specified group corresponds to a team)
Other preconditions: none

Action: Change group membership
API:
  • /group/<groupIdOrName>?action=addMember
  • /group/<groupIdOrName>?action=removeMember
Enabled for: IBM BPM administrator (member of the bpmAdminGroup)
Other preconditions: none

There are no default restrictions for the group and team-related APIs.