Configuration properties for Process Portal action policies

Action policies for Process Portal restrict actions on business processes and tasks to certain user groups. Some of these policies have default groups assigned to them. You can change the default values to fit the needs of your Process Portal users.

Important: The following information applies to both Heritage Process Portal (deprecated) and Process Portal.
The configuration properties for the action policies are contained in the BPMActionPolicy configuration object. You can use the AdminConfig object commands in the wsadmin tool to change the default security group for an action policy. See Commands for the AdminConfig object using wsadmin scripting.

Prerequisites

The following conditions must be met:
  • Run the command on the deployment manager node.
  • If the deployment manager is stopped, use the -conntype none option to run the command in disconnected mode.
  • If the deployment manager is running, you must connect with a user ID that has WebSphere® Application Server configurator privileges. Do not use the wsadmin -conntype none option.

Location

Start the wsadmin scripting client from the profile_root/bin directory.

List of action policies

The following table lists the action policies and the default security group that is assigned to them. The BPMActionPolicy configuration object is an array of pairs that match each action type with the roles that can perform the action.

Table 1. Process Portal action policies

| Action policy | Effect | Default security group |
| --- | --- | --- |
| ACTION_MANAGE_ANY_USERATTRIBUTE | Modifies any user attribute of any user. | tw_admins |
| ACTION_REFRESH_USER | Synchronizes a user's full name and group membership using the REST API. | tw_admins |
| ACTION_ABORT_INSTANCE | Permanently terminate a process instance. | tw_admins |
| ACTION_SUSPEND_INSTANCE | Temporarily deactivate a process instance. | tw_admins |
| ACTION_RESUME_INSTANCE | Resume a suspended process instance. | tw_admins |
| ACTION_ADD_COMMENT | Add comments to a process instance. | None; available to all users by default |
| ACTION_ADD_HELP_REQUEST | Request help from other process participants on a process instance or its related tasks. | None; available to all users by default |
| ACTION_RESPOND_HELP_REQUEST | Respond to help requests from other process participants. | None; available to all users by default |
| ACTION_ASSIGN_TASK | Claim a task that is assigned to a group of which you are a member. You become the owner of the task. | None; available to all users by default |
| ACTION_ASSIGN_AND_RUN_TASK | Run a task that is assigned to a group of which you are a member. The task is automatically assigned to you. | None; available to all users by default |
| ACTION_REASSIGN_TASK | Assign a task to the group to which the task was previously assigned. | None; available to all users by default. In addition, this policy is always available to members of a team of managers. |
| ACTION_REASSIGN_TASK_USER_ROLE | Assign a task to a different user or a group. | None; available to all users by default. In addition, this policy is always available to members of a team of managers. |
| ACTION_CHANGE_TASK_DUEDATE | Change the due date of a task. | tw_admins. In addition, this policy is always available to members of a team of managers. |
| ACTION_CHANGE_INSTANCE_DUEDATE | Change the due date of a process instance. | tw_admins |
| ACTION_CHANGE_TASK_PRIORITY | Change the priority of a task as needed to escalate or de-escalate the task. | tw_admins. In addition, this policy is always available to members of a team of managers. |
| ACTION_MOVE_TOKEN | Move the token to any step in the business process definition. | tw_admins |
| ACTION_DELETE_TOKEN | Delete a token at any step in the business process definition. Required to delete ad hoc events. | tw_admins |
| ACTION_INJECT_TOKEN | Create a new token at any step in the business process definition. Required to initiate ad hoc events. | tw_admins |
| ACTION_UPDATE_INSTANCE_VARIABLE | Assign users to one or more groups to grant them access to the REST API to update process instance variables. | tw_admins |
| ACTION_USER_REFRESH | Refresh a user's full name and group memberships by using the user or users REST API resource. | tw_admins |
| ACTION_VIEW_PROCESS_DIAGRAM | View a process diagram in the Gantt chart. | None; available to all users who have access to the process instance |
| ACTION_VIEW_PROCESS_AUDIT | View historical data about process variables. | tw_admins |
| ACTION_VIEW_CRITICAL_PATH | Use the Gantt chart to view the projected path of a running process instance. Attention: The Allow Projected Path Management option must be enabled for the business process in Process Designer. | None; available to all users who have access to the process instance |
| ACTION_CHANGE_CRITICAL_PATH | Use the pages in the Gantt chart to change the projected path of a running process instance, and adjust the due dates of tasks in a process instance. Attention: The Allow Projected Path Management option must be enabled for the business process in Process Designer. In addition, the user must also belong to the security group that is assigned to the ACTION_VIEW_CRITICAL_PATH action policy. | tw_process_owners |
| ACTION_ADD_DOCUMENT | Add a document to a process instance. Attention: This action policy does not apply to process instances that are based on cases. | None; available to all users by default |
| ACTION_UPDATE_DOCUMENT | Update a document that belongs to a process instance. Attention: This action policy does not apply to process instances that are based on cases. | None; available to all users by default |
| ACTION_DELETE_DOCUMENT | Delete a document from a process instance. Attention: This action policy does not apply to process instances that are based on cases. | None; available to all users by default |
| ACTION_DELETE_INSTANCE | Delete a process instance. | tw_admins |
| ACTION_FIRE_TIMER | Manually fire a timer. | tw_admins |
| ACTION_CREATE_SHARED_SAVED_SEARCH | Create saved searches and share them with a team that you manage or that you are a member of, or with everyone. The creator of a saved search becomes its owner. Owners can update and delete their shared saved searches. Attention: Shared saved searches from releases of IBM® BPM earlier than V8.6.0 do not have owners. Only users who belong to the security group assigned to the ACTION_ADMINISTER_SHARED_SAVED_SEARCHES action policy can update or delete these saved searches, by using the /rest/bpm/wle/v1/searches/tasks/saved_search_name REST API that was introduced in V8.6.0. | None; available to all users by default |
| ACTION_ADMINISTER_SHARED_SAVED_SEARCHES | Create, update, and delete saved searches, and share them with any team or everyone. Members of the assigned security group can also update and delete shared saved searches that are owned by other users, by using the appropriate saved search REST APIs. Members can also reassign ownership by using the /rest/bpm/wle/v1/searches/tasks/saved_search_name REST API that was introduced in V8.6.0. | tw_admins |
| ACTION_MANAGE_SAVED_SEARCH (IBM BPM version 8.6.0 cumulative fix 2017.12) | Restrict the rights to create or edit personal saved searches to some users or groups of users. These users can see and run the saved searches that are shared with them. They can see, run, and delete their existing personal saved searches, and add them to, or remove them from, their list of favorites (star). But they cannot edit or duplicate them. They can also list and run shared saved searches, and manage their list of favorites, but they cannot edit, duplicate, or delete them. In the Process Portal Work dashboard, the buttons for these actions are hidden from the users who do not have creation and update rights. This action is used only to enforce the access to the saved search REST API. It is never explicitly returned by the /rest/bpm/wle/v1/searches/actions REST API. | Available to all users by default |
| ACTION_VIEW_USER_PERSONAL_DATA (IBM BPM version 8.6.0 cumulative fix 2018.03) | Authorizes non-administrators to call the IBM BPM operations REST API to get the personal data about an IBM BPM user. For more information, see Retrieving personal data of IBM BPM users. | tw_admins |
| ACTION_DELETE_USER_PERSONAL_DATA (IBM BPM version 8.6.0 cumulative fix 2018.03) | Authorizes non-administrators to call the IBM BPM operations REST API to get and delete the personal data about a deactivated IBM BPM user or activate/deactivate users by synchronizing users between the IBM BPM database and the user registry. For more information, see Retrieving personal data of IBM BPM users, Deleting personal data of IBM users, or Synchronizing internal and external user data. | tw_admins |
| ACTION_REFRESH_USER (IBM BPM version 8.6.0 cumulative fix 2018.03) | Authorizes non-administrators to call the IBM BPM operations REST API to activate/deactivate users by synchronizing users between the IBM BPM database and the user registry. For more information, see Synchronizing internal and external user data. | tw_admins |

Modifying the action policies contained in the BPMActionPolicy configuration object

The following examples are shown using Jython scripts.
  1. Start the wsadmin scripting tool.
    deployment_manager_profile\bin>wsadmin -lang jython -conntype none
    WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
    WASX7031I: For help, enter: "print Help.help()"
  2. Show defaults.
    wsadmin>print AdminConfig.defaults('BPMPolicyAction')
    Attribute                       Type                            Default
    type                            String
    roles                           String
  3. Show the BPMActionPolicy configuration ID.
    wsadmin>print AdminConfig.list('BPMPolicyAction')
    (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMPolicyAction_1365527262431)
    (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMPolicyAction_1365527262432)
    (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMPolicyAction_1365527262433)
    (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMPolicyAction_1365527262434)
    (cells/Cell1/clusters/SingleCluster|
    .
    .
  4. Determine the index for the attribute that you want to modify.
    wsadmin>def getBPMPolicyAction(type):
    wsadmin>  policyActions = AdminUtilities.convertToList(AdminConfig.list('BPMPolicyAction'))
    wsadmin>  for policyAction in policyActions:
    wsadmin>    if AdminConfig.showAttribute(policyAction, "type") == type:
    wsadmin>      return policyAction
    wsadmin>
    wsadmin>print getBPMPolicyAction("ACTION_ABORT_INSTANCE")
    (cells/N1Cell/clusters/cluster1|cluster-bpm.xml#BPMPolicyAction_1363274323595)
    wsadmin>print AdminConfig.showAttribute(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), "roles")
    tw_admins
    wsadmin>AdminConfig.modify(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), [["roles", "newrole"]])
    ''
    wsadmin>print AdminConfig.showAttribute(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), "roles")
    tw_admins;newrole
    wsadmin>AdminConfig.modify(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), [["roles", []]])
    ''
    wsadmin>print AdminConfig.showAttribute(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), "roles")
    []
    wsadmin>AdminConfig.modify(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), [["roles", "tw_admins"]])
    ''
    wsadmin>print AdminConfig.showAttribute(getBPMPolicyAction("ACTION_ABORT_INSTANCE"), "roles")
    tw_admins
Attention: To save your changes, you must run the AdminConfig.save command each time you modify a property.
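
The session above shows that AdminConfig.modify appends to the roles value (tw_admins;newrole) and that an emptied value reads back as []. The following added example (not IBM code, and not part of the original page) checks collected type and roles values against the defaults in Table 1 so that such drift is visible. It runs as ordinary Python outside wsadmin; the TYPE=roles export format and the group name bpm_ops are assumptions made for the example.

```python
# Added example, not IBM code. BASELINE is a subset of Table 1; "" means no default group.
BASELINE = {
    "ACTION_ABORT_INSTANCE": "tw_admins", "ACTION_DELETE_INSTANCE": "tw_admins",
    "ACTION_MOVE_TOKEN": "tw_admins", "ACTION_VIEW_PROCESS_AUDIT": "tw_admins",
    "ACTION_CHANGE_CRITICAL_PATH": "tw_process_owners", "ACTION_ADD_COMMENT": "",
}

def parse_roles(raw):
    """Turn a showAttribute roles string ('tw_admins;newrole', '[]', '') into a set."""
    raw = (raw or "").strip()
    if raw in ("", "[]"):
        return set()
    return {r.strip() for r in raw.split(";") if r.strip()}

def parse_export(text):
    """Parse 'TYPE=roles' lines (hypothetical export format) into {type: roles string}."""
    current = {}
    for line in text.splitlines():
        action, sep, roles = line.strip().partition("=")
        if sep and not action.startswith("#"):
            current[action.strip()] = roles.strip()
    return current

def audit(current, baseline=BASELINE):
    """Return sorted (action, finding) pairs where the configuration differs from Table 1."""
    findings = []
    for action, default in baseline.items():
        if action not in current:
            findings.append((action, "policy not found in export"))
            continue
        have, want = parse_roles(current[action]), parse_roles(default)
        if want and not have:
            findings.append((action, "restricted by default but no group assigned"))
        if have - want:
            findings.append((action, "groups beyond default: " + ",".join(sorted(have - want))))
        if have and want - have:
            findings.append((action, "default group removed: " + ",".join(sorted(want - have))))
    return sorted(findings)

# Constructed sample export (values made up; bpm_ops is not a real default group).
SAMPLE_EXPORT = """ACTION_ABORT_INSTANCE=tw_admins;newrole
ACTION_DELETE_INSTANCE=[]
ACTION_MOVE_TOKEN=tw_admins
ACTION_CHANGE_CRITICAL_PATH=bpm_ops
ACTION_ADD_COMMENT=
"""
if __name__ == "__main__":
    for action, finding in audit(parse_export(SAMPLE_EXPORT)):
        print("%-30s %s" % (action, finding))
```

Extend BASELINE with the remaining rows of Table 1, or with your own approved assignments, before using the result as a review checklist.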

Sample Python script

Refer to the sample Python script BPMSecurityConfig_sample.py for more examples of modifying the BPMActionPolicy configuration object. The sample script is located at install_home/util/Security/BPMSecurityConfig_sample.py.