×

Please give details of the problem

Skip to content

Permissions and Actions

The following sections provide an overview of the permissions users may have for DigitalSuite resources and the actions they can perform. The permissions and actions depend on:

  • The user's profile: Administrator or User
  • The access rights assigned to the user's role in a project
  • Whether the user is authenticated with the customer account the resources belong to

If not specified otherwise, the permissions described for the Live execution mode also apply to the Acceptance mode for the selected acceptance users.

Projects

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
CONFIGURATION Read
Write
Delete		 Read
Write
Delete		 Read None Read Read None
VERSION CONFIGURATION Read
Write
Delete		 Read
Write
Delete		 Read None Read Read None
VERSION EXECUTION MODE Write None Write None None None None

Project Vaults

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
LIVE EXECUTION Read
Write
Create
Delete		 None Read
Write
Create
Delete		 None None Read
Create		 None
ACCEPTANCE EXECUTION Read
Write
Create
Delete		 Read
Write
Create
Delete		 Read
Write
Create
Delete		 None None Read
Create		 None
TEST EXECUTION Read
Write
Create
Delete		 Read
Write
Create
Delete		 None None None None None

Web Interfaces

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
LIVE EXECUTION MODE / PRIVATE None None Read
Write		 Read None Read
Write		 None
LIVE EXECUTION MODE / PUBLIC Read
Write		 Read
Write		 Read
Write		 Read
Write		 Read
Write		 Read
Write		 Read
Write
TEST EXECUTION MODE Read
Write
Delete		 Read
Write
Delete		 Read None None None None
DESIGN Read
Write
Delete		 Read
Write
Delete		 Read Read Read Read None
DICTIONARIES Read
Write
Delete		 None Read
Write
Delete		 None Read
Write
Delete		 None None

Processes

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
LIVE EXECUTION MODE / PRIVATE Execute None Execute None None Execute None
LIVE EXECUTION MODE / PUBLIC Execute Execute Execute Execute Execute Execute Execute
TEST EXECUTION MODE Execute Execute Execute None None None None
DESIGN Read
Write
Delete		 Read
Write
Delete		 Read None Read None None
DICTIONARIES Read
Write
Delete		 None Read
Write
Delete		 None Read
Write
Delete		 None None

Collections

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
LIVE EXECUTION MODE / PRIVATE / READ-WRITE Read
Write
Delete		 None Read
Write
Delete		 Read None Read
Write
Delete		 None
LIVE EXECUTION MODE / PRIVATE / READ-ONLY Read
Write
Delete		 None Read
Write
Delete		 Read None Read None
LIVE EXECUTION MODE / PUBLIC / READ-WRITE Read
Write
Delete		 None Read
Write
Delete		 Read Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete
LIVE EXECUTION MODE / PUBLIC / READ-ONLY Read
Write
Delete		 None Read
Write
Delete		 Read Read None Read
TEST EXECUTION MODE / PRIVATE / READ-WRITE Read
Write
Delete		 Read
Write
Delete		 None None None None None
TEST EXECUTION MODE / PRIVATE / READ-ONLY Read
Write
Delete		 Read
Write
Delete		 None None None None None
TEST EXECUTION MODE / PUBLIC / READ-WRITE Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete
TEST EXECUTION MODE / PUBLIC / READ-ONLY Read
Write
Delete		 Read
Write
Delete		 Read Read Read Read Read
CONFIGURATION Read
Write
Delete		 Read
Write
Delete		 Read Read None Read None

Process Reports

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
LIST TEST REQUESTS Read Read Read None None None None
LIST LIVE REQUESTS Read None Read None None None None
REPORT CONFIGURATION Read
Write		 Read
Write		 Read
Write		 None None None None
MODIFY EXECUTION / LIVE EXECUTION MODE Write
Resume		 None None None None None None
MODIFY EXECUTION / TEST EXECUTION MODE Write
Resume		 Write
Resume		 None None None None None
DELETE REQUEST Delete None None None None None None

Web Interface Reports

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
LIST LIVE INSTANCES Read None Read Read None Read None
LIST TEST INSTANCES Read Read Read None None None None
REPORT CONFIGURATION Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 None None Read None
DELETE INSTANCE / LIVE EXECUTION MODE Delete None None None None None None
DELETE INSTANCE / TEST EXECUTION MODE Delete Delete None None None None None

Custom Lists

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
CONFIGURATION AND DATA / PRIVATE Read
Write
Delete		 Read
Write
Delete		 Read Read None Read None
CONFIGURATION AND DATA / PUBLIC Read
Write
Delete		 Read
Write
Delete		 Read Read Read Read Read

Non-Versioned Files

Non-versioned files are files that are uploaded to or created in a project in DigitalSuite at runtime, for example, by uploads at a web interface, downloads from a web service, or exports of a report or a collection.

Non-versioned files can be created by any user who has access to the corresponding environment. For example, authenticated users with an Administrator profile or a Designer role can directly create a non-versioned file for a project. Anonymous users who have access to a public web interface with an editable Upload widget can upload files to the web interface's project.

The permissions for existing files are described below. They depend on the engine version used to store the files in DigitalSuite. A file's engine version can be found in the settings of the file in DigitalSuite Studio or retrieved with the file_desc FreeMarker method.

Engine Version Prior to v5_23_5

Uploaded files with no engine version or with an engine version prior to v5_23_5 were uploaded before the October 28, 2019. These files have the following permissions:

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
INSIDE A PROJECT FROM PROCESS / PRIVATE Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read None Read
Write
Delete		 None
INSIDE A PROJECT OUTSIDE PROCESS / PRIVATE Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read None Read None
UPLOADED FROM AN INSTANCE READABLE* BY THE USER IN LIVE / PRIVATE Read
Write
Delete		 None Read
Write
Delete		 Read None Read
Write
Delete		 None
UPLOADED FROM AN INSTANCE NOT READABLE* BY THE USER IN LIVE / PRIVATE Read
Write
Delete		 None Read
Write
Delete		 None None None None
UPLOADED FROM AN INSTANCE IN TEST / PRIVATE Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 None None None None
OUTSIDE A PROJECT / PRIVATE Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 None
PUBLIC Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
* See READ right for web interface

Engine Version v5_23_5 or Higher

Uploaded files with engine version v5_23_5 or higher have been uploaded since October 28, 2019. These files have a more differentiated access policy which is detailed below.

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
PRIVATE Full access in all execution modes. Full access in TEST mode. Full access in LIVE and ACCEPTANCE mode. Read in LIVE and ACCEPTANCE mode if the file was uploaded from a web interface instance; None otherwise. None See access policy below. None
PUBLIC Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read
Write
Delete		 Read

Access Policy for USER

The access permissions a user with a USER profile and a USER role has for a file depend on how the file is uploaded.

1. Files created via an upload/attachment widget on a web interface

Access Rule
Read (+ Detach) Any user who can open a web interface instance (draft or manual task), either as a task assignee or read-only, can read the uploaded files attached to it.
Read
Write
Delete (+ Detach)		 A user has Write and Delete access only on the web interface instance where the file was uploaded, and only while the instance is pending.

The user keeps the permissions described above in the output variables of the manual task or the start event (draft).

2. Files created in a process request

In process requests, files can be created in a variety of ways, for example, with the create_file method, by a PDF generation step, or by a file download through a connector.

Access Rule
Read
Write
Delete (+ Detach)		 The current user (P_user) at the time the file is created has Read/Write/Delete/Detach access to it within the current process request (and in child process requests).
By default, no other user has any access to the file.

3. Files exported from a report widget

Access Rule
Read The connected user who launched the export has Read access to the generated file.
By default, no other user has any access to the file.

4. Files uploaded manually in DigitalSuite Studio

Access Rule
None There are no USER rights for these files.

5. Files exported from a collection

Access Rule
None There are no USER rights for these files.

Sharing access permissions for files

It is possible to add or remove access permissions for a file by using the following FreeMarker methods at a user and/or lane level:

R_read_file_add_lane
R_read_file_add_user
R_read_file_remove_lane
R_read_file_remove_user
R_update_file_add_lane
R_update_file_add_user
R_update_file_remove_lane
R_update_file_remove_user

When using these methods in a process instance, the current user (P_user) is considered: If the current user has read access to a file, the user can share this right. Similarly, a user can share write access to a file.

Versioned Files

ADMIN USER ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT
DESIGNER SUPERVISOR OBSERVER TRANSLATOR USER
PRIVATE Create
Read
Write
Delete		 Create
Read
Write
Delete		 None None None Read None
PUBLIC Create
Read
Write
Delete		 Create
Read
Write
Delete		 Read Read Read Read Read

Users

ADMIN USER
(without restriction)		 USER
(with METADATA restriction)
ANYONE SELF ANYONE SELF
CONFIGURATION Create
Read
Inactivate
Delete		 None Read None Read
NAME Write None Write None Write
LANGUAGES Write None Write None Write
PASSWORD Write None Write None Write
PROFILE Write None None None None
PREFERENCES Read Read Read
Write		 Read Read
Write
METADATA Read
Write		 Read Read None None
OTHERS Impersonate
LogAs		 None None None None

The LogAs right can only be granted by a user to an administrator.