Authorization algorithms

Authorization algorithms are available within the process module to assure a task can only be performed by users with the right role.

A  represents the element Authorization algorithm which is used to create dynamic authorization for tasks. The element offers three possibilities to create the algorithm, using an external source, selecting roles, or using the 2-man rule.

 External Source

When an external source is used, a technical engineer needs to create the algorithm and make it available at runtime. The external algorithm can result in one or more roles.

Selecting Roles

Roles can be connected directly by selecting them in the extenders at the right side of the page.

At runtime the authorization algorithm will be evaluated after starting a task using the service AQ_ExecuteTask. The algorithm will result in one or more roles, the user must have at least one of them to execute the task.

When there is no Routing algorithm connected to a task, the result of the Authorization algorithm will be stored in the process database under roles. This way users with insufficient rights will not see the tasks in their worklist.

Example

A user has the role: senior sales

A user has the roles: senior sales, salesmanager

 

Algorithm result	may execute task
senior sales	TRUE
junior sales, senior sales	TRUE
junior sales	FALSE
junior sales, salesmanager	TRUE

2-man rule

 

This expression box lets you provide a set of user ids that are not allowed to execute this task. Even if the user has the appropriate roles (see above), if its id provided here the user is not authorized to execute the task.

The most common scenario is that you store one or more ids of users that executed some earlier tasks in the profile of the process, and then provide these ids to the authorization algorithm for a specific task. This task is likely a review task.

See How to implement a 2-man-rule on how to use the 2-man-rule.