You are viewing the documentation for Blueriq 16. Documentation for other versions is available in our documentation directory.

What is it for?

Authorization algorithms are available within the process module to assure a task can only be performed by users with the right role.

An authorization algorithm is used to create dynamic authorization for tasks. The element offers three possibilities to create the algorithm, using an external source, selecting roles, or using the 2-man rule.

External Source

When an external source is used, a technical engineer needs to create the algorithm and make it available at runtime. The external algorithm can result in one or more roles.

Selecting Roles

Roles can be connected directly by selecting them in the extenders in the properties panel at the right side of the page.

Authorization algorithms can be connected to a task.

At runtime the authorization algorithm will be evaluated after starting a task using the service AQ_ExecuteTask. The algorithm will result in one or more roles, the user must have at least one of them to execute the task.

When there is no Routing algorithm connected to a task, the result of the Authorization algorithm will be stored in the process database under roles. This way users with insufficient rights will not see the tasks in their worklist.

Example

A user has the role: senior sales

Algorithm result

may execute task

senior salesTRUE
junior sales, senior salesTRUE
junior salesFALSE


A user has the roles: senior sales, salesmanager

Algorithm result

may execute task

senior salesTRUE
junior sales, senior salesTRUE
junior salesFALSE
junior sales, salesmanagerTRUE

2-man rule

This expression box lets you provide a set of user ids that are not allowed to execute this task. Even if the user has the appropriate roles (see above), if its id provided here the user is not authorized to execute the task.

The most common scenario is that you store one or more ids of users that executed some earlier tasks in the profile of the process, and then provide these ids to the authorization algorithm for a specific task. This task is likely a review task.

See How to implement a 2-man-rule on how to use the 2-man-rule.

  • No labels