Permissions and Actions
The following sections provide an overview of the permissions users may have for DigitalSuite resources and the actions they can perform. The permissions and actions depend on:
- The user's profile: Administrator or User
- The access rights assigned to the user's role in a project
- Whether the user is authenticated with the customer account the resources belong to
If not specified otherwise, the permissions described for the Live execution mode also apply to the Acceptance mode for the selected acceptance users.
Projects
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| CONFIGURATION | Read Write Delete | Read Write Delete | Read | None | Read | Read | None |
| VERSION CONFIGURATION | Read Write Delete | Read Write Delete | Read | None | Read | Read | None |
| VERSION EXECUTION MODE | Write | None | Write | None | None | None | None |
Project Vaults
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| LIVE EXECUTION | Read Write Create Delete | None | Read Write Create Delete | None | None | Read Create | None |
| ACCEPTANCE EXECUTION | Read Write Create Delete | Read Write Create Delete | Read Write Create Delete | None | None | Read Create | None |
| TEST EXECUTION | Read Write Create Delete | Read Write Create Delete | None | None | None | None | None |
Web Interfaces
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| LIVE EXECUTION MODE / PRIVATE | None | None | Read Write | Read | None | Read Write | None |
| LIVE EXECUTION MODE / PUBLIC | Read Write | Read Write | Read Write | Read Write | Read Write | Read Write | Read Write |
| TEST EXECUTION MODE | Read Write Delete | Read Write Delete | Read | None | None | None | None |
| DESIGN | Read Write Delete | Read Write Delete | Read | Read | Read | Read | None |
| DICTIONARIES | Read Write Delete | None | Read Write Delete | None | Read Write Delete | None | None |
Processes
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| LIVE EXECUTION MODE / PRIVATE | Execute | None | Execute | None | None | Execute | None |
| LIVE EXECUTION MODE / PUBLIC | Execute | Execute | Execute | Execute | Execute | Execute | Execute |
| TEST EXECUTION MODE | Execute | Execute | Execute | None | None | None | None |
| DESIGN | Read Write Delete | Read Write Delete | Read | None | Read | None | None |
| DICTIONARIES | Read Write Delete | None | Read Write Delete | None | Read Write Delete | None | None |
Collections
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| LIVE EXECUTION MODE / PRIVATE / READ-WRITE | Read Write Delete | None | Read Write Delete | Read | None | Read Write Delete | None |
| LIVE EXECUTION MODE / PRIVATE / READ-ONLY | Read Write Delete | None | Read Write Delete | Read | None | Read | None |
| LIVE EXECUTION MODE / PUBLIC / READ-WRITE | Read Write Delete | None | Read Write Delete | Read | Read Write Delete | Read Write Delete | Read Write Delete |
| LIVE EXECUTION MODE / PUBLIC / READ-ONLY | Read Write Delete | None | Read Write Delete | Read | Read | None | Read |
| TEST EXECUTION MODE / PRIVATE / READ-WRITE | Read Write Delete | Read Write Delete | None | None | None | None | None |
| TEST EXECUTION MODE / PRIVATE / READ-ONLY | Read Write Delete | Read Write Delete | None | None | None | None | None |
| TEST EXECUTION MODE / PUBLIC / READ-WRITE | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete |
| TEST EXECUTION MODE / PUBLIC / READ-ONLY | Read Write Delete | Read Write Delete | Read | Read | Read | Read | Read |
| CONFIGURATION | Read Write Delete | Read Write Delete | Read | Read | None | Read | None |
Process Reports
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| LIST TEST REQUESTS | Read | Read | Read | None | None | None | None |
| LIST LIVE REQUESTS | Read | None | Read | None | None | None | None |
| REPORT CONFIGURATION | Read Write | Read Write | Read Write | None | None | None | None |
| MODIFY EXECUTION / LIVE EXECUTION MODE | Write Resume | None | None | None | None | None | None |
| MODIFY EXECUTION / TEST EXECUTION MODE | Write Resume | Write Resume | None | None | None | None | None |
| DELETE REQUEST | Delete | None | None | None | None | None | None |
Web Interface Reports
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| LIST LIVE INSTANCES | Read | None | Read | Read | None | Read | None |
| LIST TEST INSTANCES | Read | Read | Read | None | None | None | None |
| REPORT CONFIGURATION | Read Write Delete | Read Write Delete | Read Write Delete | None | None | Read | None |
| DELETE INSTANCE / LIVE EXECUTION MODE | Delete | None | None | None | None | None | None |
| DELETE INSTANCE / TEST EXECUTION MODE | Delete | Delete | None | None | None | None | None |
Custom Lists
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| CONFIGURATION AND DATA / PRIVATE | Read Write Delete | Read Write Delete | Read | Read | None | Read | None |
| CONFIGURATION AND DATA / PUBLIC | Read Write Delete | Read Write Delete | Read | Read | Read | Read | Read |
Non-Versioned Files
Non-versioned files are files that are uploaded to or created in a project in DigitalSuite at runtime, for example, by uploads at a web interface, downloads from a web service, or exports of a report or a collection.
Non-versioned files can be created by any user who has access to the corresponding environment. For example, authenticated users with an Administrator profile or a Designer role can directly create a non-versioned file for a project. Anonymous users who have access to a public web interface with an editable Upload widget can upload files to the web interface's project.
The permissions for existing files are described below. They depend on the engine version used to store the files in DigitalSuite. A file's engine version can be found in the settings of the file in DigitalSuite Studio or retrieved with the file_desc FreeMarker method.
Engine Version Prior to v5_23_5
Uploaded files with no engine version or with an engine version prior to v5_23_5 were uploaded before October 28, 2019. These files have the following permissions:
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| INSIDE A PROJECT FROM PROCESS / PRIVATE | Read Write Delete | Read Write Delete | Read Write Delete | Read | None | Read Write Delete | None |
| INSIDE A PROJECT OUTSIDE PROCESS / PRIVATE | Read Write Delete | Read Write Delete | Read Write Delete | Read | None | Read | None |
| UPLOADED FROM AN INSTANCE READABLE* BY THE USER IN LIVE / PRIVATE | Read Write Delete | None | Read Write Delete | Read | None | Read Write Delete | None |
| UPLOADED FROM AN INSTANCE NOT READABLE* BY THE USER IN LIVE / PRIVATE | Read Write Delete | None | Read Write Delete | None | None | None | None |
| UPLOADED FROM AN INSTANCE IN TEST / PRIVATE | Read Write Delete | Read Write Delete | Read Write Delete | None | None | None | None |
| OUTSIDE A PROJECT / PRIVATE | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | None |
| PUBLIC | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read |

* See READ right for web interface
Engine Version v5_23_5 or Higher
Uploaded files with engine version v5_23_5 or higher have been uploaded since October 28, 2019. These files have a more differentiated access policy which is detailed below.
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| PRIVATE | Full access in all execution modes. | Full access in TEST mode. | Full access in LIVE and ACCEPTANCE mode. | Read in LIVE and ACCEPTANCE mode if the file was uploaded from a web interface instance; None otherwise. | None | See access policy below. | None |
| PUBLIC | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read Write Delete | Read |
Access Policy for USER
The access permissions a user with a USER profile and a USER role has for a file depend on how the file is uploaded.
1. Files created via an upload/attachment widget on a web interface
Access | Rule |
---|---|
Read (+ Detach) | Any user who can open a web interface instance (draft or manual task), either as a task assignee or read-only, can read the uploaded files attached to it. |
Read Write Delete (+ Detach) | A user has Write and Delete access only on the web interface instance where the file was uploaded, and only while the instance is pending. |
The user keeps the permissions described above in the output variables of the manual task or the start event (draft).
2. Files created in a process request
In process requests, files can be created in a variety of ways, for example, with the create_file method, by a PDF generation step, or by a file download through a connector.
Access | Rule |
---|---|
Read Write Delete (+ Detach) | The current user (P_user) at the time the file is created has Read/Write/Delete/Detach access to it within the current process request (and in child process requests). By default, no other user has any access to the file. |
3. Files exported from a report widget
Access | Rule |
---|---|
Read | The connected user who launched the export has Read access to the generated file. By default, no other user has any access to the file. |
4. Files uploaded manually in DigitalSuite Studio
Access | Rule |
---|---|
None | There are no USER rights for these files. |
5. Files exported from a collection
Access | Rule |
---|---|
None | There are no USER rights for these files. |
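The five rules above, together with the engine-version split, can be written as one decision function, which is useful when auditing which files a USER account can reach by default. This is an added example, not DigitalSuite code: the Origin labels, the function names and the boolean context flags are hypothetical, the version fields are assumed to compare numerically, and neither Detach nor the sharing methods described below are modelled.

```python
import re
from enum import Enum

CUTOFF = (5, 23, 5)  # v5_23_5: first engine version with the differentiated policy
RWD, READ, NONE = frozenset({"Read", "Write", "Delete"}), frozenset({"Read"}), frozenset()

class Origin(Enum):  # hypothetical labels for the five upload paths listed above
    WIDGET_UPLOAD = 1      # upload/attachment widget on a web interface
    PROCESS_REQUEST = 2    # create_file, PDF generation step, connector download
    REPORT_EXPORT = 3      # export from a report widget
    STUDIO_UPLOAD = 4      # manual upload in DigitalSuite Studio
    COLLECTION_EXPORT = 5  # export from a collection

def is_legacy(engine_version):
    """True when the file has no engine version or one prior to v5_23_5.
    Assumption: the three fields of vX_Y_Z compare numerically."""
    if not engine_version:
        return True
    m = re.fullmatch(r"v(\d+)_(\d+)_(\d+)", engine_version)
    if m is None:
        raise ValueError(f"unrecognised engine version: {engine_version!r}")
    return tuple(int(part) for part in m.groups()) < CUTOFF

def user_file_access(user, origin, engine_version, *, public=False, creator=None,
                     can_open_instance=False, on_upload_instance=False,
                     instance_pending=False, in_request_tree=False):
    """Default rights of a USER-profile, USER-role account on a non-versioned file."""
    if is_legacy(engine_version):
        raise ValueError("legacy file: the pre-v5_23_5 table applies instead")
    if public:
        return RWD
    if origin is Origin.WIDGET_UPLOAD:
        if not can_open_instance:
            return NONE
        # Write/Delete only on the instance of the upload, and only while pending.
        return RWD if on_upload_instance and instance_pending else READ
    if origin is Origin.PROCESS_REQUEST:
        # creator is P_user at creation; in_request_tree covers child requests.
        return RWD if user == creator and in_request_tree else NONE
    if origin is Origin.REPORT_EXPORT:
        return READ if user == creator else NONE  # creator launched the export
    return NONE  # Studio uploads and collection exports carry no USER rights

if __name__ == "__main__":
    # Constructed cases; the user names are made up.
    print(sorted(user_file_access("alice", Origin.WIDGET_UPLOAD, "v5_23_5",
                                  can_open_instance=True)))
    print(sorted(user_file_access("alice", Origin.PROCESS_REQUEST, "v5_24_0",
                                  creator="bob", in_request_tree=True)))
```
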
Sharing access permissions for files
It is possible to add or remove access permissions for a file by using the following FreeMarker methods at a user and/or lane level:
- R_read_file_add_lane
- R_read_file_add_user
- R_read_file_remove_lane
- R_read_file_remove_user
- R_update_file_add_lane
- R_update_file_add_user
- R_update_file_remove_lane
- R_update_file_remove_user
When using these methods in a process instance, the current user (P_user) is considered: If the current user has read access to a file, the user can share this right. Similarly, a user can share write access to a file.
Versioned Files
| | ADMIN | USER / DESIGNER | USER / SUPERVISOR | USER / OBSERVER | USER / TRANSLATOR | USER / USER | ANONYMOUS OR AUTHENTICATED TO ANOTHER ACCOUNT |
|---|---|---|---|---|---|---|---|
| PRIVATE | Create Read Write Delete | Create Read Write Delete | None | None | None | Read | None |
| PUBLIC | Create Read Write Delete | Create Read Write Delete | Read | Read | Read | Read | Read |
Users
| | ADMIN | USER (without restriction) / ANYONE | USER (without restriction) / SELF | USER (with METADATA restriction) / ANYONE | USER (with METADATA restriction) / SELF |
|---|---|---|---|---|---|
| CONFIGURATION | Create Read Inactivate Delete | None | Read | None | Read |
| NAME | Write | None | Write | None | Write |
| LANGUAGES | Write | None | Write | None | Write |
| PASSWORD | Write | None | Write | None | Write |
| PROFILE | Write | None | None | None | None |
| PREFERENCES | Read | Read | Read Write | Read | Read Write |
| METADATA | Read Write | Read | Read | None | None |
| OTHERS | Impersonate LogAs | None | None | None | None |
The LogAs right can only be granted by a user to an administrator.