Permissions for Users and Groups

Understand how each permission affects access for users and groups.

Overview

Permissions allow users or group members to access features or perform certain actions in ProcessMaker Platform. For example, a user with appropriate permissions can:

Start or Cancel Cases
View and Edit Processes
View and Edit Screens
Create Decision Tables
View Task Assignments through the RESTful API, and more

Permissions are divided into two broad categories:

Process Permissions	Platform Permissions
Defined though the Designer tab	Defined through the Admin tab
Apply to each process individually	Apply to the overall features and assets
Configured by process designers	Configured by administrators
Can be assigned to users or groups	Can be assigned to users or groups

Process Permissions

Platform Permissions

Defined though the Designer tab

Defined through the Admin tab

Apply to each process individually

Apply to the overall features and assets

Configured by process designers

Configured by administrators

Can be assigned to users or groups

Permissions Override Rules

Super Admin: A Super Admin has full Process-level as well as Platform-level permissions.
Projects: There are no permissions defined on a Project-level, and User/Group permissions do not propagate within Projects. As a result, when users are added to a Project, they automatically gain unrestricted design access to edit all assets within that project only.

Process Permissions

Process permissions are configured by process designers through the options available from the Designer tab. Key Process permissions are as follows:

Start a Case
Cancel a Case
View and Complete Tasks
Reassign Tasks
Edit Data

Assigning Process Permissions

Process permissions are configured by a designer when creating a process as follows:

Start a Case

The permission to start a case of a process is granted through a Start Event when designing the process in the Modeler.

Cancel a Case

The permission to cancel a case is granted through process configuration settings.

View and Complete Tasks

The permission to view and complete tasks is granted through Assignment Rules in the properties of a task. These properties are configured while designing a process in the Modeler.

Reassign Tasks

The permission to reassign tasks is granted through the Allow Reassignment permission in the properties of a task. These properties are configured while designing a process in the Modeler.

Edit Data

The permission to Edit JSON Data of a Case is granted through process configuration settings.

Platform Permissions

Platform Permissions are configured by administrators using the options available through the Admin tab.

Assigning Platform Permissions

Platform Permissions can be granted at two levels:

User-level: From user-level permissions, you can assign some or all permissions to a specific user. Instead of assigning individual permissions to a user account, you can also use the following options:
- Super Admin: Select the Make this user a Super Admin option to grant unrestricted access to the entire ProcessMaker Platform instance. With this setting enabled, ProcessMaker Platform does not check permissions for the user account.
- All permissions: Select the Assign all permissions to this user option to assign all permissions to that user account. With this setting enabled, ProcessMaker Platform still checks for permissions and allows access to features as per the enabled permissions. See Edit a User Account.

Examples of Super Admin Access

Users whose accounts have the Super Admin permission, may do the following:

Start a Case for any Process regardless of whether that user has permission to do so.
View the Tasks as displayed in the Task column of Request summaries by clicking a link to that Task. Users that do not have the Make this user a Super Admin option do not have a hyperlink to Tasks from Request summaries.
Manage queues.
Make another user a Super Admin by assigning the Make this user a Super Admin permission.
Retry and update completed Processes.
Manually complete a Request.
Retry a Request with an error.
Customize the user interface.
See all comments in a Request and a Task summary.
Upload file in API - Settings.
Filter by any user in API - GroupMember.
Run Script Executor in APIs.
Link to edit any task in Request Detail.
Reassign any open or overdue Task.

Group-level: These permissions apply to all members of a group. This simplifies managing permissions for multiple user accounts with the same permission requirements. Use the Assign all permissions to this group to grant all permissions to members of the group. See Edit a Group.

User and Group Platform Permissions are Cumulative

A user account receives all the group-level permissions from its group memberships, as well as any specific permissions assigned directly to that user.

Use the Super Admin permission carefully, as this grants the user unrestricted access to all features and assets in ProcessMaker Platform.

Best Practices

Create groups based on user roles in your organization, then assign permissions to these groups so all members share the same permission set. For example, participants, designers, or administrators, are role-based groups.
Combine role-based groups into larger groups for overlapping permissions. For example, executive leadership, department managers, etc.

Sample Permissions Model for Role-Based Groups

Participants	Designers	Administrators
Process Catalog	Data Connectors	Auth Clients
Saved Search	Decision Tables	Collections
	Environment Variables	Groups
	Files (API)	Requests
	Notifications (API)	Security Logs
	PM Blocks	Settings
	Process Catalog	Translations
	Process Templates	Users
	Process Translations
	Processes
	Projects
	Screens
	Scripts
	Signals
	Task Assignments (API)
	Version History

Participants

Designers

Administrators

Environment Variables

Task Assignments (API)

Version History

Description of Platform Permissions

Permissions are organized into categories. Permissions are described below by category and how each permission affects ProcessMaker Platform functionality. These permissions function identically in user accounts and groups.

Auth Clients

The Auth Clients category contains the following permissions:

Create Auth Clients: Create a client authentication key on the Auth Clients page. Selecting this permission also selects the Edit Auth Clients permission. See Create a New Client Authentication Key.
Delete Auth Clients: Delete a client authentication key from the Auth Clients page. See Delete a Client Authentication Key.
Edit Auth Clients: Edit a client authentication key from the Auth Clients page. See Edit a Client Authentication Key.
View Auth Clients: View all client authentication keys on the Auth Clients page. See View All Client Authentication Keys.

Note: Select the View Auth Clients permission to use any of the other permissions in this category.

Collections

The Collections category contains the following permissions:

Create Collections: Create a Collection from the Collections page. Selecting this permission also selects the Edit Collections permission. See Create a New Collection.
Delete Collections: Delete a Collection from the Collections page. See Delete a Collection.
Edit Collections: Edit a Collection from the Collections page. See Configure a Collection.
Export Collections: Export a Collections from the Collections page. See Export a Collection.
Import Collections: Import a Collection from the Collections page. See Import a Collection.
List Collections: List all Collections from the Collections page. See View Collections.
Truncate Collections: Delete all records in a Collection using theTruncateCollection Data Connector Resource for that Collection. See Resources for Collections.
View Collections: View the Collections page. See View Collections.

Note: Select the View Collections permission to use any of the other permissions in this category.

Data Connector

The Data Connectors category contains the following permissions:

Create Data Connector Categories: Create a Data Connector Category from the Categories tab in the Data Connectors page. Selecting this permission also selects the Edit Data Connector Categories permission. See Create a New Data Connector Category.
Create Data Connectors: Create a Data Connector from the Data Connectors page. Selecting this permission also selects the Edit Data Connectors permission. See Create a New Data Connector.
Delete Data Connector Categories: Delete a Data Connector Category from the Categories tab in the Data Connectors page. See Delete a Data Connector Category.
Delete Data Connectors: Delete a Data Connector from the Data Connectors page. See Delete a Data Connector.
Edit Data Connector Categories: Edit a Data Connector Category from the Categories tab in the Data Connectors page. See Edit a Data Connector Category.
Edit Data Connectors: Edit a Data Connector from the Data Connectors page. See Edit a Data Connector.
View Data Connector Categories: View the table of Data Connector Categories on the Categories tab in the Data Connectors page. See View Data Connector Categories.
View Data Connectors: View the table of Data Connectors on the Data Connectors page. See View Data Connectors.

Note: Select the View Data Connector Categories permission to use any of the other permissions related to Data Connector Categories.

Select the View Data Connectors permission to use any of the other permissions in the Data Connectors category.

Decision Tables

The Decision Tables category contains the following permissions:

Create Decision Table Categories: Create a Decision Table Category from the Categories tab in the Decision Tables page. Selecting this permission also selects the Edit Decision Table Categories permission. See View Decision Table Categories.
Create Decision Tables: Create a Decision Table from the Decision Tables page. Selecting this permission also selects the Edit Decision Tables permission. See Create a New Decision Table.
Delete Decision Table Categories: Delete a Decision Table Category from the Categories tab in the Decision Tables page. See Delete a Decision Table Category.
Delete Decision Tables: Delete a Decision Table from the Decision Tables page. See Delete a Decision Table.
Edit Decision Table Categories: Edit a Decision Table Category from the Categories tab in the Decision Tables page. See Edit a Decision Table Category.
Edit Decision Tables: Edit a Decision Table from the Decision Tables page. See Edit a Decision Table.
View Decision Table Categories: View the table of Decision Table Categories on the Categories tab in the Decision Tables page. See View Decision Table Categories.
View Decision Tables: View the table of Decision Tables on the Decision Tables page. See View Decision Tables.

Note: Select the View Decision Tables Categories permission to use any of the other permissions related to Decision Table Categories.

Select the View Decision Tables permission to use any of the other permissions in the Decision Tables category.

Environment Variables

The Environment Variables category contains the following permissions:

Create Environment Variables: Create an Environment Variable from the Environment Variables page. Selecting this permission also selects the Edit Environment Variables permission. See Create a New Environment Variable.
Delete Environment Variables: Delete an Environment Variable from the Environment Variables page. See Delete an Environment Variable.
Edit Environment Variables: Edit an Environment Variable from the Environment Variables page. See Edit an Environmental Variable.
View Environment Variables: View the table of Environment Variables on the Environment Variables page. See View All Environment Variables.

Note: Select the View Environment Variables permission to use any of the other permissions in this category.

Files (API)

The Files (API) category contains the following permissions:

Create Files: Saves a new file specified in an API request. Selecting this permission also selects the Edit Files permission. See "Files > Post" endpoint in the ProcessMaker Platform RESTful API.
Delete Files: Deletes a specified file in an API request. See "Files > Delete" endpoint in the ProcessMaker Platform RESTful API.
Edit Files: Update a file specified in an API request. See "Files > Update" endpoint in the ProcessMaker Platform RESTful API.
View Files: Returns the list of files associated to an API request. See "Files > Get" endpoint in the ProcessMaker Platform RESTful API.

Note: For more information about the ProcessMaker Platform RESTful API, see .

Groups

The Groups category contains the following permissions:

Create Groups: View a group from the Groups page. Selecting this permission also selects the Edit Groups permission. See Create a New Group.
Delete Groups: Delete a group from the Groups page. See Delete a Group.
Edit Groups: Edit a group from the Groups page. See Edit a Group.
View Groups: View groups from the following locations:
- View the table of groups on the Groups page. See View All Groups.
- View groups to which to reassign a Task. See Reassign a Task.

Note: Select the View Groups permission to use any of the other permissions in this category.

Notifications (API)

The Notifications (API) category contains the following permissions:

Create Notifications: Save a new notification through an API request. Selecting this permission also selects the Edit Notifications permission. See "Notifications > Post" endpoint in the ProcessMaker Platform RESTful API.
Delete Notifications: Deletes a specified notification through an API request. See "Notifications > Delete" endpoint in the ProcessMaker Platform RESTful API.
Edit Notifications: Updates a notification through an API request. See "Notifications > Update" endpoint in the ProcessMaker Platform RESTful API.
View Notifications: Returns all notifications to which the user has access. See "Notifications > Get" endpoint in the ProcessMaker Platform RESTful API.

Note: For more information about the ProcessMaker Platform RESTful API, see .

PM Blocks

The PM Blocks category contains the following permissions:

Archive PM Blocks: Archive a PM Block from the PM Blocks page. See Archive a PM Block.
Create PM Block Categories: Create a PM Block Category from the Categories tab in the PM Blocks page. Selecting this permission also selects the Edit PM Block Categories permission. See Create a New PM Block Category.
Create PM Blocks: Create a PM Block from the PM Blocks page. Selecting this permission also selects the Edit PM Blocks permission. See Create a New PM Block.
Delete PM Block Categories: Delete a PM Block Category from the Categories tab in the PM Blocks page. See Delete a PM Block Category.
Edit PM Block Categories: Edit a PM Block Category from the Categories tab in the PM Blocks page. See Edit a PM Block Category.
Edit PM Blocks: Edit a PM Block and/or its configuration from the PM Blocks page. See Edit a PM Block and Configure a PM Block.
Export PM Blocks: Export a PM Block from the PM Blocks page. See Export a PM Block.
Import PM Blocks: Import a PM Block from the PM Blocks page. See Import a PM Block.
View PM Block Categories: View the table of PM Block Categories on the Categories tab in the PM Blocks page. See View PM Block Categories.
View PM Blocks: View the table of PM Blocks on the PM Blocks page. See View PM Blocks.

Note: Select the View PM Block Categories permission to use any of the other permissions related to PM Block Categories.

Select the View PM Blocks permission to use any of the other permissions in the PM Blocks category.

Process Catalog

The Process Catalog category contains the following permission:

View Process Catalog: View all processes on the Processes page. See Process Launchpad.

Process Templates

The Process Templates category contains the following permissions:

Create Process Templates: Create a Process Template from an existing Process. See Create a Template from a Process.
Delete Process Templates: Delete a Process Template from the Templates page. See Delete a Template.
Edit Process Templates: Edit a Process Template and/or its configuration from the Templates page. See Edit a Process Template and Configure a Process Template.
Export Process Templates: Export a Process Template from the Templates page. See Export a Process Template.
Import Process Templates: Import a Process Template from the Templates page. See Import a Process Template.
View Process Templates: View a list of Process Templates on the Templates page. See View Process Templates.

Note: Select the View Process Templates permission to use any of the other permissions in the Process Templates category.

Process Translations

The Process Translations category contains the following permissions:

Cancel Process Translations: Cancel a Screen translation that has started. See Translate Screens for a Process.
Create Process Translations: Translate Screens for a Process to a selected natural language. See Translate Screens for a Process.
Delete Process Translations: Delete a selected language translation of a Process's Screens. See Delete Language Translations for Screens Used in a Process.
Edit Process Translations: Edit the Screens for a selected language translation. See Edit Screen Translations for a Process.
Export Process Translations: Export the translated Screens for a selected language. See Export Language Translations for Screens Used in a Process.
Import Process Translations: Import the translated Screens to a Process. See Import Language Translations for Screens Used in a Process.
View Process Translations: View the Screen translations for a selected Process. See View Screen Translations for a Process.

Processes

The Processes category contains the following permissions:

Archive Processes: Archive a Process from the Processes page. See Archive a Process.
Create Process Categories: Create a Process Category from the Categories tab in the Processes page. Selecting this permission also selects the Edit Process Categories permission. See Create a New Process Category.
Create Processes: Create a Process from the Processes page. Selecting this permission also selects the Edit Processes permission. See Create a New Process.
Delete Process Categories: Delete a Process Category from the Categories tab in the Processes page. See Delete a Process Category.
Edit Process Categories: Edit a Process Category from the Categories tab in the Processes page. See Edit a Process Category.
Edit Processes: Edit a Process model and/or its configuration from the Processes page. See Edit the Process Model Information and Edit Process Configuration.
Export Processes: Export a Process from the Processes page. See Export a BPMN-Compliant Process.
Import Processes: Import a Process from the Processes page. See Import a BPMN-Compliant Process.
View Process Categories: View the table of Process Categories on the Categories tab in the Processes page. See View Process Categories.
View Processes: View the table of Processes on the Processes page. See View All Processes.

Note: Select the View Process Categories permission to use any of the other permissions related to Process Categories.

Select the View Processes permission to use any of the other permissions in the Processes category.

Projects

The Projects category contains the following permissions:

Create Project Categories: Create a Project Category from the Categories tab in the Projects page. Selecting this permission also selects the Edit Project Categories permission. See Create a New Project Category.
Create Projects: Create a Project from the Projects page. See Create a New Project.
Delete Project Categories: Delete a Project Category from the Categories tab in the Projects page. See Delete a Project Category.
Delete Projects: Delete a Project of which your user account is a member. See Delete a Project.
Edit Project Categories: Edit a Project Category from the Categories tab in the Projects page. See Edit a Project Category.
Export Projects: Export a Project from the Projects page. See Export a Project.
Import Projects: Import a Project from the Projects page. See Import a Project.
View Project Categories: View the table of Project Categories on the Categories tab in the Projects page. See View Project Categories.
View Projects: View the table of Projects on the Projects page. See View Your Projects.

Note: Select the View Project Categories permission to use any of the other permissions related to Project Categories.

Select the View Processes permission to use any of the other permissions in the Projects category.

Requests

The Requests category contains the following permissions:

Edit Request Data: View the Data tab for a completed Request and edit the completed Request data that is in JSON format. See Editable Request Data.
Edit Task Data: View the Data tab for an assigned Task and edit the Task data that is in JSON format. See Editable Task Data.
View All Requests: View the All Requests page and Request information accessible from that page. See View All Requests.

Saved Search

The Saved Search category contains the following permission:

Toggle Notifications: Receive Saved Search notifications for your own Saved Searches. Notifications must already be enabled for your own Saved Searches. See Enable Notification of Saved Search Result Changes.

Screens

The Screens category contains the following permissions:

Create Screen Categories: Create a Screen Category from the Categories tab in the Screens page. Selecting this permission also selects the Edit Screen Categories permission. See Create a New Screen Category.
Create Screens: Create a Screen from the Screens page. Selecting this permission also selects the Edit Screens permission. See Create a New Screen.
Delete Screen Categories: Delete a Screen Category from the Categories tab in the Screens page. See Delete a Screen Category.
Delete Screens: Delete a Screen from the Screens page. See Delete a Screen.
Edit Screen Categories: Edit a Screen Category from the Categories tab in the Screens page. See Edit a Screen Category.
Edit Screens: Edit a Screen and/or its configuration from the Screens page. See Edit a Screen and Edit Screen Configuration.
Export Screens: Export a Screen from the Screens page. See Export a Screen.
Import Screens: Import a Screen from the Screens page. See Import a Screen.
View Screen Categories: View the table of Screen Categories on the Categories tab in the Screens page. See View Screen Categories.
View Screens: View the table of Screens on the Screens page. See View All Screens.

Note: Select the View Screen Categories permission to use any of the other permissions related to Screen Categories.

Select the View Screens permission to use any of the other permissions in the Screens category.

Scripts

The Scripts category contains the following permissions:

Create Script Categories: Create a Script Category from the Categories tab in the Scripts page. Selecting this permission also selects the Edit Script Categories permission. See Create a New Script Category.
Create Scripts: Create a Script from the Scripts page. Selecting this permission also selects the Edit Scripts permission. See Create a New Script.
Delete Script Categories: Delete a Script Category from the Categories tab in the Scripts page. See Delete a Script Category.
Delete Scripts: Delete a Script from the Scripts page. See Delete a Script.
Edit Script Categories: Edit a Script Category from the Categories tab in the Scripts page. See Edit a Script Category.
Edit Scripts: Edit a Script and/or its configuration from the Scripts page. See Edit a Script and Edit Script Configuration.
View Script Categories: View the table of Script Categories on the Categories tab in the Scripts page. See View Script Categories.
View Scripts: View the table of Scripts on the Scripts page. See View All Scripts.

Note: Select the View Script Categories permission to use any of the other permissions related to Script Categories.

Select the View Scripts permission to use any of the other permissions in the Scripts category.

Security Logs

The Security Logs category contains the following permission:

Create Security Logs (API): Creates a security log entry for a specified user via an API request. See "Security Logs > Post" endpoint in the ProcessMaker Platform RESTful API.
View Security Logs: View security logs for a user from the Users page. See View Security Logs for a User.

Settings

The Settings category contains the following permissions:

Update Settings: Edit settings available from Settings. See Settings.
View Settings: View settings available from Settings. See Settings.

Note: Select the View Settings permission to use any of the other permissions in this category.

Signals

The Signals category contains the following permissions:

Create Signals: Create a new Signal in the Signals Manager. Selecting this permission also selects the Edit Signals permission. See Create a new Signal.
Delete Signals: Delete a Signal from the Signals Manager. See Delete a Signal.
Edit Signals: Edit a Signal from the Signals Manager. See Edit a Signal.
View Signals: View all Signals in the Signals Manager. See View Signals.

Note: Select the View Signals permission to use any of the other permissions in this category.

Task Assignments (API)

The Task Assignments (API) category contains the following permissions:

Create Task Assignments: Saves a new task assignment to a specified user in an API request. Selecting this permission also selects the Edit Task Assignments permission. See "Task Assignments > Post" endpoint in the ProcessMaker Platform RESTful API.
Delete Task Assignments: Deletes a specified task assignment through an API request.
Edit Task Assignments: Updates a task assignment through an API request. See "Task Assignments > Update" endpoint in the ProcessMaker Platform RESTful API.
View Task Assignments: Returns all assignments assigned to the user.

Note: For more information about the ProcessMaker Platform RESTful API, see .

Translations

The Translations category contains the following permissions:

Edit Translations: Edit a text label or message from the Translations page. See Edit Text that Displays in the User Interface.
Reset Translations: Reset all text labels and messages to default on the Translations page. See Reset All User Interface Labels and Messages to Their Defaults.
View Translations: View the table of text labels and messages on the Translations page. See View English-Language Labels and Messages from the User Interface.

Note: Select the View Translations permission to use any of the other permissions in this category.

Users

The Users category contains the following permissions:

Create Users: Create a user account from the Users page. Selecting this permission also selects the Edit Users permission. See Create a New User Account.
Delete Users: Delete a user account from the Users page. See Delete a User Account.
Edit Users: Edit a user account from the Users page. See Edit a User Account.
View Other Users Profiles: View another user's profile. If a user is not granted this new permission, then that user receives an Error 404 (not found) page when clicking on another user's avatar or manually adjusting the URL to view another user's profile page. See View Another User's Profile Information.
View Users: View users from the following locations:
- View the table of user accounts on the Users page. See View All Users Accounts.
- View users to whom to reassign a Task. See Reassign a Task.

Note: Select the View Users permission to use any of the other permissions in this category.

Version History

The Version History permissions category applies to Processes, Scripts and Screens and contains the following permissions:

Edit Version History: Edit versions within the version history for a ProcessMaker Platform asset.
View Version History: View the version history for a ProcessMaker Platform asset.

Note: Select the View Version History permission to use any of the other permissions in this category.

Vocabularies

The Vocabularies category contains the following permissions:

Create Vocabularies: Create a Vocabulary from the Vocabularies page. Selecting this permission also selects the Edit Vocabularies permission. See Create a New Vocabulary.
Delete Vocabularies: Delete a Vocabulary from the Vocabularies page. See Delete a Vocabulary.
Edit Vocabularies: Edit a Vocabulary from the Vocabularies page. See Edit a Vocabulary.
View Vocabularies: View the table of Vocabularies on the Vocabularies page. See View All Vocabularies.

Note: Select the View Vocabularies permission to use any of the other permissions in this category.

Webhooks

The Webhooks category contains the following permissions:

Disable Webhooks: Disable a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.
Enable Webhooks: Enable a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.
Read Webhooks: View the configuration of a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.
Update Webhooks: Edit the configuration of a Signal's webhook from the Signals Manager. See Configure a Signal's Webhook Access.

PreviousDelete a Group NextCustomize the User Interface

Last updated 1 month ago