Overview

In ProcessMaker Platform, a permission allows a user or group member to view a type of information or perform an action. Below are some examples of permissions:

• Start Requests

• View the list of Processes

• Edit Processes

• Edit Screens

• Create Environment Variables

• View Task Assignments through the ProcessMaker Platform RESTful API

Permissions are organized into categories, such as for Processes, Requests, and Screens.

Assign Permissions to Users and Groups

While permissions apply to users, those permissions can be assigned from a user account or a group:

• User-level permissions: Permissions can be assigned to a user account. These permission assignments only apply to that user account. From user-level permissions, you can assign Administrator-level permissions or all permissions to a user account. Instead of assigning individual permissions to a user account, the following options are also available:

  • Super Admin: Assign the Make this user a Super Admin option to grant unrestricted access to the entire ProcessMaker Platform instance. In doing so, ProcessMaker Platform does not check permissions for user accounts with this setting selected, allowing such users to administer and install packages which might otherwise require permissions be granted to a user account to perform. Users whose account have this setting may do the following:

    • Start a Request for any Process regardless of whether that user has permission to do so.

    • View the Tasks as displayed in the Task column of Request summaries by clicking a link to that Task. Users that do not have the Make this user a Super Admin option do not have a hyperlink to Tasks from Request summaries.

    • Manage queues.

    • Make another user a Super Admin by assigning the Make this user a Super Admin permission.

    • Retry and update completed Processes.

    • Manually complete a Request.

    • Retry a Request with an error.

    • Customize the user interface.

    • See all comments in a Request and a Task summary.

    • Upload file in API - Settings.

    • Filter by any user in API - GroupMember.

    • Run Script Executor in APIs.

    • Link to edit any task in Request Detail.

    • Reassign any open or overdue Task.

  • All permissions: Assign the Assign all permissions to this user option to assign all permissions to that user account.

  See Edit a User Account.

• Group-level permissions: Permissions can be assigned to a group. A group assigns the same permissions to all user account members. Using groups makes it easy to manage permissions for multiple user accounts with identical permission assignments. From group-level permissions, you can assign all permissions to a group. See Edit a Group.

User and Group Permissions are Cumulative

User-level and group-level permission assignments are cumulative. This means that a user account has all the group-level permission assignments from all its group memberships, but also has the flexibility of permission assignments that apply only to that user account. For example, a user account might be a member of a group whereby its members can view the list of all Processes. However, an Administrator can assign the permission to edit Processes to only the one user account.

Best Practices to Assign Permissions

See the following best practices when organizing group members:

• Organize groups based on user roles

• Organize small groups into larger groups to inherit permissions

Organize Groups Based on User Roles

Create groups based on how you define usage roles in your organization. Based on usage roles you define, assign permissions to groups so that all group members have the same permission set. Below is an example how you might create groups to assign permissions:

• User: Most users start or participate in Requests and perform Tasks. Their permission assignments may be limited to Requests. Note that if you want specific users and/or groups to start and/or cancel Requests, those must be set from the following functional areas and are outside the scope of the permission settings discussed in this topic:

  • Cancel Requests: Process Configuration

  • Start Requests: Start Event element configuration

• Process designer: Process designers create Process models. Their permission assignments may be limited to Environment Variables, Processes, Requests, Screens, and Vocabularies categories.

• Developers: Developers often create Scripts. Their permission assignments may be limited to Collections, Data Connectors, Files (API), Notifications (API), Requests, Scripts, and Task Assignments (API) categories.

• Administrator: Administrators administer the ProcessMaker Platform environment and its users. Their permission assignments may be limited to Auth Clients, Collections, Comments, Groups, Requests, Translations, and Users categories. Assign specific Administrators in their user accounts the Make this user a Super Admin option.

Organize Small Groups into Larger Groups to Inherit Permissions

Organize the role-based groups into larger groups so that permissions overlap amongst group members. Consider the following example.

Suppose that a group named "Process Modelers" with a set of permission categories to design Process models. This group has assigned to it the following permission categories:

• Processes

• Screens

A second group named "Process Architects" has a different set of permission categories from which to maintain Process architecture consistency across their organization:

• Version History

• Vocabularies

Senior managers within the organization that must have all these sets of permission categories. Instead of a third group that contains all four sets of permission categories, create a third group called "Senior Managers" that includes the "Process Modelers" and "Process Architect" groups. The "Senior Managers" group inherits the permission categories of the groups within it.

Permission Descriptions

Permissions are organized into categories. Permissions are described below by category and how each permission affects ProcessMaker Platform functionality. These permissions function identically in user accounts and groups.

Auth Clients

The Auth Clients category contains the following permissions:

• Create Auth Clients: Create a client authentication key on the Auth Clients page. Selecting this permission also selects the Edit Auth Clients permission. See Create a New Client Authentication Key.

• Delete Auth Clients: Delete a client authentication key from the Auth Clients page. See Delete a Client Authentication Key.

• Edit Auth Clients: Edit a client authentication key from the Auth Clients page. See Edit a Client Authentication Key.

• View Auth Clients: View all client authentication keys on the Auth Clients page. See View All Client Authentication Keys.

Collections

The Collections category contains the following permissions:

• Create Collections: Create a Collection from the Collections page. Selecting this permission also selects the Edit Collections permission. See Create a New Collection.

• Delete Collections: Delete a Collection from the Collections page. See Delete a Collection.

• Edit Collections: Edit a Collection from the Collections page. See Configure a Collection.

• Export Collections: Export a Collections from the Collections page. See Export a Collection.

• Import Collections: Import a Collection from the Collections page. See Import a Collection.

• List Collections: List all Collections from the Collections page. See View Collections.

• Truncate Collections: Delete all records in a Collection using theTruncateCollection Data Connector Resource for that Collection. See Resources for Collections.

• View Collections: View the Collections page. See View Collections.

Comments

The Comments category applies to Requests and Tasks and contains the following permissions:

• Create Comments: Post or reply to a Request or a Task comment. Selecting this permission also selects the Edit Comments permission. See the following sections:

  • Post or reply to a Request comment

  • Post or reply to a Task comment

• Delete Comments: Delete one of your Request or Task comments. You may only delete comments that you created. See the following sections:

  • Delete a Request comment

  • Delete a Task comment

• Edit Comments: Edit one your Request or Task comments. You may only edit comments that you created. See the following sections:

  • Edit a Request comment

  • Edit a Task comment

• View Comments: View Request or Task comments posted in the Request/Task summary. See the following sections:

  • View comments In a Request summary

  • View comments in a Task summary

Data Connectors

The Data Connectors category contains the following permissions:

• Create Data Connector Categories: Create a Data Connector Category from the Categories page. Selecting this permission also selects the Edit Data Connector Categories permission. See Create a New Data Connector Category.

• Create Data Connectors: Create a Data Connector from the Data Connectors page. Selecting this permission also selects the Edit Data Connectors permission. See Create a New Data Connector.

• Delete Data Connector Categories: Delete a Data Connector Category from the Categories page. See Delete a Data Connector Category.

• Delete Data Connectors: Delete a Data Connector from the Data Connectors page. See Delete a Data Connector.

• Edit Data Connector Categories: Edit a Data Connector Category from the Categories page. See Edit a Data Connector Category.

• Edit Data Connectors: Edit a Data Connector from the Data Connectors page. See Edit a Data Connector.

• View Data Connector Categories: View the table of Data Connector Categories on the Categories page. See View Data Connector Categories.

• View Data Connectors: View the table of Data Connectors on the Data Connectors page. See View Data Connectors.

Environment Variables

The Environment Variables category contains the following permissions:

• Create Environment Variables: Create an Environment Variable from the Environment Variables page. Selecting this permission also selects the Edit Environment Variables permission. See Create a New Environment Variable.

• Delete Environment Variables: Delete an Environment Variable from the Environment Variables page. See Delete an Environment Variable.

• Edit Environment Variables: Edit an Environment Variable from the Environment Variables page. See Edit an Environmental Variable.

• View Environment Variables: View the table of Environment Variables on the Environment Variables page. See View All Environment Variables.

Files (API)

The Files (API) category contains the following permissions:

• Create Files: Saves a new file specified in an API request. Selecting this permission also selects the Edit Files permission. See "Files > Post" endpoint in the ProcessMaker Platform RESTful API.

• Delete Files: Deletes a specified file in an API request. See "Files > Delete" endpoint in the ProcessMaker Platform RESTful API.

• Edit Files: Update a file specified in an API request. See "Files > Update" endpoint in the ProcessMaker Platform RESTful API.

• View Files: Returns the list of files associated to an API request. See "Files > Get" endpoint in the ProcessMaker Platform RESTful API.

For more information about the ProcessMaker Platform RESTful API, see Access ProcessMaker Platform RESTful API Documentation.

Groups

The Groups category contains the following permissions:

• Create Groups: View a group from the Groups page. Selecting this permission also selects the Edit Groups permission. See Create a New Group.

• Delete Groups: Delete a group from the Groups page. See Delete a Group.

• Edit Groups: Edit a group from the Groups page. See Edit a Group.

• View Groups: View groups from the following locations:

  • View the table of groups on the Groups page. See View All Groups.

  • View groups to which to reassign a Task. See Reassign a Task.

Notifications (API)

The Notifications (API) category contains the following permissions:

• Create Notifications: Save a new notification through an API request. Selecting this permission also selects the Edit Notifications permission. See "Notifications > Post" endpoint in the ProcessMaker Platform RESTful API.

• Delete Notifications: Deletes a specified notification through an API request. See "Notifications > Delete" endpoint in the ProcessMaker Platform RESTful API.

• Edit Notifications: Updates a notification through an API request. See "Notifications > Update" endpoint in the ProcessMaker Platform RESTful API.

• View Notifications: Returns all notifications to which the user has access. See "Notifications > Get" endpoint in the ProcessMaker Platform RESTful API.

For more information about the ProcessMaker Platform RESTful API, see Access ProcessMaker Platform API Documentation.

Processes

The Processes category contains the following permissions:

• Archive Processes: Archive a Process from the Processes page. See Archive a Process.

• Create Process Categories: Create a Process Category from the Categories page. Selecting this permission also selects the Edit Process Categories permission. See Create a New Process Category.

• Create Processes: Create a Process from the Processes page. Selecting this permission also selects the Edit Processes permission. See Create a New Process.

• Delete Process Categories: Delete a Process Category from the Categories page. See Delete a Process Category.

• Edit Process Categories: Edit a Process Category from the Categories page. See Edit a Process Category.

• Edit Processes: Edit a Process model and/or its configuration from the Processes page. See Edit the Process Model Information and Edit Process Configuration.

• Export Processes: Export a Process from the Processes page. See Export a BPMN-Compliant Process.

• Import Processes: Import a Process from the Processes page. See Import a BPMN-Compliant Process.

• View Process Categories: View the table of Process Categories on the Categories page. See View Process Categories.

• View Processes: View the table of Processes on the Processes page. See View All Processes.

Requests

The Requests category contains the following permissions:

• Edit Request Data: View the Data tab for a completed Request and edit the completed Request data that is in JSON format. See Editable Request Data.

• Edit Task Data: View the Data tab for an assigned Task and edit the Task data that is in JSON format. See Editable Task Data.

• View All Requests: View the All Requests page and Request information accessible from that page. See View All Requests.

Saved Search

The Saved Search category contains the following permission:

• Toggle Notifications: Receive Saved Search notifications for your own Saved Searches. Notifications must already be enabled for your own Saved Searches. See Enable Notification of Saved Search Result Changes.

Screens

The Screens category contains the following permissions:

• Create Screen Categories: Create a Screen Category from the Categories page. Selecting this permission also selects the Edit Screen Categories permission. See Create a New Screen Category.

• Create Screens: Create a Screen from the Screens page. Selecting this permission also selects the Edit Screens permission. See Create a New Screen.

• Delete Screen Categories: Delete a Screen Category from the Categories page. See Delete a Screen Category.

• Delete Screens: Delete a Screen from the Screens page. See Delete a Screen.

• Edit Screen Categories: Edit a Screen Category from the Categories page. See Edit a Screen Category.

• Edit Screens: Edit a Screen and/or its configuration from the Screens page. See Edit a Screen and Edit Screen Configuration.

• Export Screens: Export a Screen from the Screens page. See Export a Screen.

• Import Screens: Import a Screen from the Screens page. See Import a Screen.

• View Screen Categories: View the table of Screen Categories on the Categories page. See View Screen Categories.

• View Screens: View the table of Screens on the Screens page. See View All Screens.

Scripts

The Scripts category contains the following permissions:

• Create Script Categories: Create a Script Category from the Categories page. Selecting this permission also selects the Edit Script Categories permission. See Create a New Script Category.

• Create Scripts: Create a Script from the Scripts page. Selecting this permission also selects the Edit Scripts permission. See Create a New Script.

• Delete Script Categories: Delete a Script Category from the Categories page. See Delete a Script Category.

• Delete Scripts: Delete a Script from the Scripts page. See Delete a Script.

• Edit Script Categories: Edit a Script Category from the Categories page. See Edit a Script Category.

• Edit Scripts: Edit a Script and/or its configuration from the Scripts page. See Edit a Script and Edit Script Configuration.

• View Script Categories: View the table of Script Categories on the Categories page. See View Script Categories.

• View Scripts: View the table of Scripts on the Scripts page. See View All Scripts.

Security Logs

The Security Logs category contains the following permission:

• View Security Logs: View security logs for a user from the Users page. See View Security Logs for a User.

Settings

The Settings category contains the following permissions:

• Update Settings: Edit settings available from Settings. See Settings.

• View Settings: View settings available from Settings. See Settings.

Signals

The Signals category contains the following permissions:

• Create Signals: Create a new Signal in the Signals Manager. Selecting this permission also selects the Edit Signals permission. See Create a new Signal.

• Delete Signals: Delete a Signal from the Signals Manager. See Delete a Signal.

• Edit Signals: Edit a Signal from the Signals Manager. See Edit a Signal.

• View Signals: View all Signals in the Signals Manager. See View Signals.

Task Assignments (API)

The Task Assignments (API) category contains the following permissions:

• Create Task Assignments: Saves a new task assignment to a specified user in an API request. Selecting this permission also selects the Edit Task Assignments permission. See "Task Assignments > Post" endpoint in the ProcessMaker Platform RESTful API.

• Delete Task Assignments: Deletes a specified task assignment through an API request.

• Edit Task Assignments: Updates a task assignment through an API request. See "Task Assignments > Update" endpoint in the ProcessMaker Platform RESTful API.

• View Task Assignments: Returns all assignments assigned to the user.

For more information about the ProcessMaker Platform RESTful API, see Access ProcessMaker Platform RESTful API Documentation.

Translations

The Translations category contains the following permissions:

• Edit Translations: Edit a text label or message from the Translations page. See Edit Text that Displays in the User Interface.

• Reset Translations: Reset all text labels and messages to default on the Translations page. See Reset All User Interface Labels and Messages to Their Defaults.

• View Translations: View the table of text labels and messages on the Translations page. See View English-Language Labels and Messages from the User Interface.

Users

The Users category contains the following permissions:

• Create Users: Create a user account from the Users page. Selecting this permission also selects the Edit Users permission. See Create a New User Account.

• Delete Users: Delete a user account from the Users page. See Delete a User Account.

• Edit Users: Edit a user account from the Users page. See Edit a User Account.

• View Other Users Profiles: View another user's profile. If a user is not granted this new permission, then that user receives an Error 404 (not found) page when clicking on another user's avatar or manually adjusting the URL to view another user's profile page. See View Another User's Profile Information.

• View Users: View users from the following locations:

  • View the table of user accounts on the Users page. See View All Users Accounts.

  • View users to whom to reassign a Task. See Reassign a Task.

Version History

The Version History permissions category applies to Processes, Scripts and Screens and contains the following permissions:

• Edit Version History: Edit versions within the version history for a ProcessMaker Platform asset.

  • Edit version history of a Process.

  • Edit version history of a Script.

  • Edit version history of a Screen.

• View Version History: View the version history for a ProcessMaker Platform asset.

  • View version history of a Process.

  • View version history of a Script.

  • View version history of a Screen.

Vocabularies

The Vocabularies category contains the following permissions:

• Create Vocabularies: Create a Vocabulary from the Vocabularies page. Selecting this permission also selects the Edit Vocabularies permission. See Create a New Vocabulary.

• Delete Vocabularies: Delete a Vocabulary from the Vocabularies page. See Delete a Vocabulary.

• Edit Vocabularies: Edit a Vocabulary from the Vocabularies page. See Edit a Vocabulary.

• View Vocabularies: View the table of Vocabularies on the Vocabularies page. See View All Vocabularies.

Webhooks

The Webhooks category contains the following permissions:

• Disable Webhooks: Disable a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.

• Enable Webhooks: Enable a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.

• Read Webhooks: View the configuration of a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.

• Update Webhooks: Edit the configuration of a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.

Related Topics