Limit access to Views and actions - Activity
The activity-based configuration uses a two-part scheme in which each activity is defined by a controller name and an action name. A controller essentially represents a menu item on the Control Panel, and an action is a piece of functionality the user can perform. The following activities are available for configuration.
*.* - All permissions
*.Admin - Admin permissions
*.Edit - Edit permissions
*.View - View permissions
ApiManagement.* - APIs All permissions
ApiManagement.View - APIs View permissions
ApiManagement.Edit - APIs Edit permissions
Process.* - Process All permissions
Process.View - Process View permissions
Process.Edit - Process Edit permissions
Process.Deploy - Process Deploy
Process.Start - Process Run once
Processinstance.* - Process Instance All permissions
Processinstance.View - Process Instance View permissions
Processinstance.Edit - Process Instance Edit (terminating and deleting instances, acknowledging errors) permissions
Environment.* - Environment All permissions
Environment.Edit - Environment Edit permissions
Environment.Admin - Environment Admin permissions
Task.* - Task All permissions
Task.View - Task View permissions
Task.Edit - Task Edit permissions
MonitoringRules.* - Monitoring rules All permissions
MonitoringRules.View - Monitoring rules View permissions
MonitoringRules.Edit - Monitoring rules Edit permissions
EnvironmentVariables.Edit - Environment Variables Edit permissions
UserManagement.Admin - User management Admin permissions
ApiKeyManagement.Admin - API Keys Admin permissions
Common.View - Common View permissions
The following wildcards are supported for activities:
*.* - matches all activities
*.{action} - matches all actions with the given name in every controller
{controller}.* - matches all actions for the given controller
Order in which activities are authorized:
1. Explicitly allowed activity (e.g. Process.Start)
2. Explicitly denied activity (e.g. Process.Deploy)
3. Wildcard allowed activity (e.g. Process.*)
4. Wildcard denied activity (e.g. *.Edit)
5. Full allow wildcards (*.*)
6. Full deny wildcards (*.*)
This means that if an activity has been configured with an explicit allow, it cannot be overridden by any rule later in this order.
When creating a new role, you should always add the "Common.View" rule, as it is required, for example, to see the navigation menu and other common views.
Example
A Developer role that can view everything, edit Processes and start Processes. Users with this role cannot, for example, acknowledge errors, because the role lacks the Processinstance.Edit rule.
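The authorization order above, worked through as an added example (not the product's own code). The rule sets are constructed: DEVELOPER is an assumed rule list for the role described above, OPERATOR is hypothetical. Exact name matching and deny-when-nothing-matches are also assumptions.

```python
# Added illustration of the documented precedence; not the product's own code.
# A rule is (pattern, effect): pattern is "Controller.Action" where either part
# may be "*", effect is "allow" or "deny".

def wildcards(pattern):
    """0 = explicit (Process.Start), 1 = wildcard (Process.*, *.Edit), 2 = full (*.*)."""
    controller, action = pattern.split(".", 1)
    return (controller == "*") + (action == "*")

def matches(pattern, activity):
    p_ctrl, p_act = pattern.split(".", 1)
    a_ctrl, a_act = activity.split(".", 1)
    # Assumption: names compare exactly (case-sensitive).
    return p_ctrl in ("*", a_ctrl) and p_act in ("*", a_act)

def decide(rules, activity):
    """Return (effect, winning_pattern) for one activity such as "Process.Deploy"."""
    hits = []
    for pattern, effect in rules:
        if effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect: {effect!r}")
        if matches(pattern, activity):
            # Sort key: fewer wildcards first, and allow before deny within a tier.
            hits.append((wildcards(pattern), effect == "deny", pattern, effect))
    if not hits:
        return ("deny", None)  # Assumption: no matching rule means no access.
    _, _, pattern, effect = min(hits)
    return (effect, pattern)

# Constructed rule sets.
DEVELOPER = [("*.View", "allow"), ("Process.Edit", "allow"), ("Process.Start", "allow")]
OPERATOR = [("Process.*", "allow"), ("Process.Deploy", "deny"),
            ("*.Edit", "deny"), ("*.*", "deny")]

if __name__ == "__main__":
    for role, rules in (("Developer", DEVELOPER), ("Operator", OPERATOR)):
        for activity in ("Common.View", "Process.Start", "Process.Edit",
                         "Process.Deploy", "Processinstance.Edit", "Task.Edit"):
            print(role, activity, *decide(rules, activity))
```

Under this order a wildcard allow such as Process.* wins over a wildcard deny such as *.Edit for Process.Edit; blocking that activity requires an explicit Process.Edit deny and no explicit allow for it.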