This section describes the permissions needed by each user to perform various actions on the Work Dashboard.

The authenticated user can perform self-service actions for tasks on the Work Dashboard without any security permissions, as outlined in the table below.

Table 8-5 Task Notifications for User Self-Service

| To perform this action... | Authenticated user must be... | And the user must have these permissions... |
|---|---|---|
| View task in list | Addressee for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. NOTE: In self-service mode, the Domain Administrator or Domain Manager can also view tasks for which he/she is a recipient. | None. |
| View and work with task detail | Addressee for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |
| View workflow comments | Addressee for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |

The authenticated user requires entry browse rights to assign or remove role and resource assignments, as outlined in the table below.

Table 8-6 Role and Resource Assignments for User Self-Service

| To perform this action... | Authenticated user must be... | And the user must have these permissions... |
|---|---|---|
| View role or resource in list | Recipient. The list of assignments includes assignments for groups and containers to which the user belongs. | None. |
| Assign or remove assignment for role or resource | Recipient. Grant and Revoke operations apply to the authenticated user only. | Trustee (Entry Browse) |

The authenticated user requires entry browse rights for some request status actions, as outlined in the table below.

Table 8-7 Request Status for User Self-Service

| To perform this action... | Authenticated user must be... | And the user must have these permissions... |
|---|---|---|
| View process requests in list | Initiator or recipient | None. |
| View and work with process request detail | Initiator or recipient (if the Restrict View option is set to false in Designer). If the Restrict View option is set to true, the display is restricted to tasks initiated by the user, even if the user has browse rights. | Trustee (Entry Browse) |
| Retract process requests | Initiator and recipient. The request must be in a retractable state, which means that it has not been approved, denied, canceled or provisioned. | Trustee (Entry Browse) |
| View workflow comments for process requests | Initiator or recipient (if the Restrict View option is set to false in Designer). If the Restrict View option is set to true, the display is restricted to tasks initiated by the user, even if the user has browse rights. | Trustee (Entry Browse) |
| View role or resource requests in list | Initiator or recipient | None. |
| View and work with role or resource request detail | Initiator or recipient | Trustee (Entry Browse) |
| Retract role or resource requests | Initiator and recipient. The request must be in a retractable state, which means that it has not been approved, denied, canceled or provisioned. | Trustee (Entry Browse) |
| View workflow comments for role or resource requests | Initiator or recipient | Role/Resource Trustee (Entry Browse) |

In manage mode, the Domain Administrator can perform actions for tasks on the Work Dashboard without any security permissions, as outlined in the table below.

Table 8-8 Task Notifications for Domain Administrator in Manage Mode

| To perform this action... | Managed User, Group, Container, or Role must be... | And the Domain Administrator must have these permissions... |
|---|---|---|
| View task in list | Addressee or recipient for task. NOTE: A role cannot be the recipient for a task. It can only be the addressee for a task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |
| View and work with task detail | Addressee or recipient for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |
| View workflow comments | Addressee or recipient for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |

In manage mode, the Domain Administrator can perform all actions for role and resource assignments on the Work Dashboard without any security permissions, as outlined in the table below.

Table 8-9 Role and Resource Assignments for Domain Administrators in Manage Mode

| To perform this action... | Managed User, Group, or Container must be... | And the Domain Administrator must have these permissions... |
|---|---|---|
| View role or resource in list | Recipient. The list of assignments includes assignments for groups and containers to which the user belongs. | None. |
| Assign or remove assignment for role or resource | Recipient. The list of assignments includes assignments for groups and containers to which the user belongs. | None. On the Work Dashboard, the Domain Administrator can edit, assign, or remove all role assignments, except system role assignments that are not in the domain he is authorized to administer. This means that the Role Domain Administrator can remove Role Administrator and Role Manager assignments, but not Resource Administrator or Resource Manager assignments. Domain Administrator can view and edit any resource. |

In manage mode, the Domain Administrator can perform self-service actions for request status on the Work Dashboard without any security permissions, as outlined in the table below.

Table 8-10 Request Status for Domain Administrators in Manage Mode

| To perform this action... | Managed User, Group, or Container must be... | And the Domain Administrator must have these permissions... |
|---|---|---|
| View process requests in list | Initiator or recipient | None. |
| View and work with process request detail | Initiator or recipient | None. |
| Retract process requests | Initiator or recipient | None. |
| View workflow comments for process requests | Initiator or recipient | None. |
| View role or resource requests in list | Initiator or recipient | None. |
| View and work with role or resource request detail | Initiator or recipient. The Domain Administrator cannot see requests for system roles. | None. Domain Administrator can view all role requests, except for system role requests. Domain Administrator can view and edit any resource. |
| Retract role or resource requests | Initiator or recipient. The request must be in retractable state. The Domain Administrator cannot retract requests for system roles. | None. Domain Administrator can retract all role requests, except for system role requests. Domain Administrator can view and edit any resource. |
| View workflow comments for role or resource requests | Initiator or recipient. The Domain Administrator cannot view workflow comments for system roles. | None. Domain Administrator can view and edit all roles except system roles. Domain Administrator can view and edit any resource. |

In manage mode, the Domain Manager can view tasks without any security permissions, but must have permission to view task details and workflow comments, as outlined in the table below.

Table 8-11 Task Notifications for Domain Managers in Managed Mode

| To perform this action... | Managed User, Group, Container, or Role must be... | And the Domain Manager must have these permissions... |
|---|---|---|
| View task in list | Addressee or recipient for task. NOTE: A role cannot be the recipient for a task. It can only be the addressee for a task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |
| View task detail | Addressee or recipient for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | Manage Addressee Task |
| View workflow comments | Addressee or recipient for task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | Manage Addressee Task |

In manage mode, the Domain Manager can view role and resource assignments without any security permissions, but must have permission to assign roles and resources or to remove existing assignments, as outlined in the table below.

Table 8-12 Role and Resource Assignments for Domain Managers in Manage Mode

| To perform this action... | Managed User, Group, or Container must be... | And the Domain Manager must have these permissions... |
|---|---|---|
| View role or resource in list | Recipient. The list of assignments includes assignments for groups and containers to which the user belongs. | None. |
| Assign or remove assignment for role or resource | Recipient. The list of assignments includes assignments for groups and containers to which the user belongs. | One or more of the following trustee permissions for a role: One or more of the following trustee permissions for a resource: |

In manage mode, the Domain Manager can view process, role, and resource requests without any security permissions, but must have permission to view request details and workflow comments, as well as to retract requests, as outlined in the table below.

Table 8-13 Request Status for Domain Managers in Manage Mode

| To perform this action... | Managed User, Group, or Container must be... | And the Domain Manager must have these permissions... |
|---|---|---|
| View process requests in list | Initiator or recipient | None. |
| View and work with process request detail | Initiator or recipient | View Running PRD |
| Retract process requests | Initiator or recipient | Retract PRD |
| View workflow comments for process requests | Initiator or recipient | View Running PRD |
| View role or resource requests in list | Initiator or recipient | None. |
| View and work with role or resource request detail | Initiator or recipient | View Role or View Resource. The View Role permission controls whether you can see details for role requests in the Request Status section of the Work Dashboard. The View Resource permission controls whether you can see details for resource requests. |
| Retract role or resource requests | Initiator or recipient. The request must be in a retractable state. | One or more of the following trustee permissions for a role: The following trustee permission for a resource: |
| View workflow comments for role or resource requests | Initiator or recipient | View Role or View Resource |

In manage mode, the Team Manager can view tasks without any security permissions, but must have permission to view task details and workflow comments, as outlined in the table below.

Table 8-14 Task Notifications for Team Managers in Manage Mode

| To perform this action... | Managed User must be... | And the Team Manager must have these permissions... |
|---|---|---|
| View task in list | A member of the team and also the addressee for the task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | None. |
| View task detail | A member of the team and also the addressee for the task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | Manage Addressee Task |
| View workflow comments | A member of the team and also the addressee for the task. Alternatively the task may be delegated to this user by the addressee, or be claimed by this user for a group. | Manage Addressee Task |

In manage mode, the Team Manager can view role and resource assignments without any security permissions, but must have permission to assign roles and resources or to remove existing assignments, as outlined in the table below.

Table 8-15 Role and Resource Assignments for Team Managers in Manage Mode

| To perform this action... | Managed user must be... | And the Team Manager must have these permissions... |
|---|---|---|
| View role or resource in list | A member of the selected team. The user must also be the recipient. The list of role assignments includes assignments for groups and containers to which the user belongs. The list of resource assignments includes assignments for the managed user only. | None. |
| Assign or remove assignment for role or resource | A member of the selected team. The user must also be the recipient. The list of assignments includes assignments for groups and containers to which the user belongs. | One or more of the following trustee permissions for a role: One or more of the following trustee permissions for a resource: |

In manage mode, the Team Manager can view process, role, and resource requests without any security permissions, but must have permission to view request details and workflow comments, as well as to retract requests, as outlined in the table below.

Table 8-16 Request Status for Team Managers in Manage Mode

| To perform this action... | Managed user must be... | And the Team Manager must have these permissions... |
|---|---|---|
| View process requests in list | Initiator or recipient | None. |
| View and work with process request detail | Initiator or recipient | View Running PRD |
| Retract process requests | Initiator or recipient | Retract PRD |
| View workflow comments for process requests | Initiator or recipient | View Running PRD |
| View role or resource requests in list | Initiator or recipient | None. |
| View and work with role or resource request detail | Initiator or recipient | View Role or View Resource. The View Role permission controls whether you can see details for role requests in the Request Status section of the Work Dashboard. The View Resource permission controls whether you can see details for resource requests. |
| Retract role or resource requests | Initiator or recipient. The request must be in a retractable state. | One or more of the following trustee permissions for a role: The following trustee permission for a resource: |
| View workflow comments for role or resource requests | Initiator or recipient | View Role or View Resource |