Managing permissions in the DMN section

Citeck provides a flexible system for managing access permissions to DMN sections and decisions. Permissions are configured at the section level and are inherited by nested decisions, allowing you to differentiate access for different user groups — from system administrators to business process developers.

This article describes how to configure permissions for DMN sections, what permissions are available, and how permission inheritance works across the section tree.

Configuring permissions

Note

Only system administrators (users from the ECOS_ADMINISTRATORS group) can configure permissions for sections.

Permissions can be configured for each section separately. To do this, open the business process editor page:

https://{host}/admin?type=DMN

Next to the required section, click the actions button and select “Edit permissions”.

A settings window opens, in which you can configure permissions for groups and individuals, and enable or disable inheritance of permissions.

Type permissions

When creating and editing processes, it is often necessary to make changes to type configurations. To allow users without system administrator rights to create and edit types, configure permissions on the parent types as described in the article “Configuring permissions for type descriptions”.

Example configuration options:

  1. Configure permissions on the “base” type and give users access to create and edit any types.

  2. Configure permissions on the “user-base” type and give users access to create and edit only business types.

  3. Create a separate proxy type inherited from one of the standard types (case/data-list/document/doclib-file, etc.) and grant permissions only for it.

General rules for distributing permissions across sections

All sections belong to a tree with a single root — the root section. Permissions are inherited from the parent to child sections and from sections to nested processes.

If, when configuring permissions for a section, you remove the “Inherit permissions” flag, permissions will not be inherited.

Permissions on child entities are added to the permissions of the parent entities if permission inheritance is enabled.
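The inheritance rules above can be modelled in a few lines to review which groups end up with which permission on a given section. This is an added example, not Citeck code or its API: the Section class, the section ids credit-scoring and restricted, and the groups risk-analysts and audit-team are hypothetical, while the ROOT grants are the defaults listed further down this page. It assumes that a section with the “Inherit permissions” flag removed keeps only its own grants, and it models groups only.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Section:
    id: str
    parent: Optional["Section"] = None
    inherit: bool = True                        # the "Inherit permissions" flag
    grants: dict = field(default_factory=dict)  # group -> permissions set on this section


def effective_permissions(section):
    """Own grants plus those of each ancestor, until inheritance is switched off."""
    result = {}
    node = section
    while node is not None:
        for group, perms in node.grants.items():
            result.setdefault(group, set()).update(perms)
        if not node.inherit:    # flag removed: nothing above this section applies
            break
        node = node.parent
    return result


def groups_with(section, permission):
    """Groups that effectively hold `permission` on `section` (for access review)."""
    eff = effective_permissions(section)
    return sorted(g for g, perms in eff.items() if permission in perms)


# Default grants of the ROOT section, as listed on this page.
ROOT = Section("ROOT", grants={
    "bp-administrator": {"read", "write", "dmn-def-deploy", "dmn-instance-edit",
                         "dmn-section-create-dmn-def", "dmn-section-edit-dmn-def"},
    "bp-developer": {"read", "bpmn-process-def-deploy"},
})
# Constructed sections and groups, for illustration only.
scoring = Section("credit-scoring", parent=ROOT,
                  grants={"risk-analysts": {"read", "dmn-section-edit-dmn-def"}})
restricted = Section("restricted", parent=scoring, inherit=False,
                     grants={"audit-team": {"read"}})

if __name__ == "__main__":
    for s in (ROOT, scoring, restricted):
        print(s.id, {g: sorted(p) for g, p in effective_permissions(s).items()})
```

In this model, a subsection created under restricted inherits the audit-team grant but nothing from credit-scoring or ROOT, because the walk up the tree stops at the first section with inheritance disabled.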

Root section

The root section has the identifier ROOT and is used to configure default permissions for all other sections.

The root section is visible only to system administrators (users in the ECOS_ADMINISTRATORS group).

In the root section, you cannot create subsections via the actions next to this section. To create new sections in the root, use the “+” button above all sections.

Default permissions for the DMN root section

| Group | Permissions |
|---|---|
| bp-administrator | read, write, dmn-def-deploy, dmn-instance-edit, dmn-section-create-dmn-def, dmn-section-edit-dmn-def |
| bp-developer | read, bpmn-process-def-deploy |

Description of DMN permissions

| Identifier | Name | Description |
|---|---|---|
| read | Read permission (read) | Determines whether the section and all DMN decisions in it are visible to the user. |
| write | Write permission (write) | Determines whether the section and all DMN decisions in it can be edited. |
| dmn-def-deploy | Deploy | Determines whether a DMN definition can be published to the engine. |
| dmn-instance-edit | Instance editing | Determines whether a DMN instance can be edited. |
| dmn-section-create-dmn-def | Creating DMN in the section | Determines whether DMN can be created in the section. |
| dmn-section-create-subsection | Creating subsections | Determines whether subsections can be created. |
| dmn-section-edit-dmn-def | Editing DMN in the section | Determines whether DMN decisions in the section can be edited. |