You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.

Authorization algorithms are available within the process module to ensure that a task can only be performed by users with the right role.

The Authorization algorithm element is used to create dynamic authorization for tasks. The element offers three ways to create the algorithm: using an external source, selecting roles, or using the 2-man rule.

External Source

When an external source is used, a technical engineer needs to create the algorithm and make it available at runtime. The external algorithm can result in one or more roles.

Selecting Roles

Roles can be connected directly by selecting them in the extenders on the right side of the page.

Authorization algorithms can be connected to a task.

At runtime, the authorization algorithm is evaluated after a task is started using the service AQ_ExecuteTask. The algorithm results in one or more roles; the user must have at least one of them to execute the task.

When there is no Routing algorithm connected to a task, the result of the Authorization algorithm will be stored in the process database under roles. This way users with insufficient rights will not see the tasks in their worklist.

Example

A user has the role: senior sales

| Algorithm result | May execute task |
| --- | --- |
| senior sales | TRUE |
| junior sales, senior sales | TRUE |
| junior sales | FALSE |

A user has the roles: senior sales, salesmanager

| Algorithm result | May execute task |
| --- | --- |
| senior sales | TRUE |
| junior sales, senior sales | TRUE |
| junior sales | FALSE |
| junior sales, salesmanager | TRUE |

2-man rule

This expression box lets you provide a set of user ids that are not allowed to execute this task. Even if a user has the appropriate roles (see above), the user is not authorized to execute the task if their id is provided here.

The most common scenario is that you store one or more ids of users that executed some earlier tasks in the profile of the process, and then provide these ids to the authorization algorithm for a specific task. This task is likely a review task.

See How to implement a 2-man-rule for instructions on using the 2-man rule.
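
The following is an added example, not Blueriq code and not part of the original documentation: a small Python model of the decision described above, showing that the 2-man rule exclusion takes precedence over a matching role. All class, function and task names are hypothetical, and treating an empty role result as a denial is an assumption.

```python
# Added illustration: a model of the decision described on this page.
# It does not call the Blueriq API; every name below is hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class AuthorizationResult:
    """What an authorization algorithm yields for one task."""
    roles: frozenset                            # one or more roles
    excluded_user_ids: frozenset = frozenset()  # 2-man rule input


def may_execute(user, result):
    # 2-man rule first: an excluded id is refused whatever roles the user has.
    if user.user_id in result.excluded_user_ids:
        return False
    # Assumption: an empty role result denies (fail closed); the page only
    # describes results of one or more roles.
    return bool(user.roles & result.roles)


def executable_tasks(user, tasks):
    """Names of the tasks (name -> AuthorizationResult) the user may execute."""
    return [name for name, result in tasks.items() if may_execute(user, result)]


# Constructed sample data: the review task excludes whoever drafted the offer.
alice = User("alice", frozenset({"senior sales", "salesmanager"}))
bob = User("bob", frozenset({"senior sales"}))
executed_by = {"draft offer": "alice"}  # stands in for ids kept in the process profile
tasks = {
    "draft offer": AuthorizationResult(frozenset({"junior sales", "senior sales"})),
    "review offer": AuthorizationResult(
        frozenset({"senior sales"}),
        excluded_user_ids=frozenset(executed_by.values()),
    ),
    "archive offer": AuthorizationResult(frozenset({"junior sales"})),
}

if __name__ == "__main__":
    for u in (alice, bob):
        print(u.user_id, executable_tasks(u, tasks))
```
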