Skip to main content

Business units security roles

warning

The business unit administration is only available to persons with the role business unit admin.

Persons are assigned security roles within a business unit to control which actions they are authorised to perform in the business unit. This allows you to control very granularly which persons should carry out which activities. The administration of security roles can be found in business unit management.

When you open the security role administration, a list of the currently existing security roles including the number of assignments opens. This allows you to easily recognise whether a security role is no longer in use.

The following functions are available at the top of the table

  • Display usages (): This button shows you in which business units which persons use the currently selected security role.
  • Edit role (): This button allows you to edit the currently selected security role.
  • Delete role (): This button allows you to move the currently selected security role to the recycle bin. The persons retain authorisation until the role is deleted from the recycle bin.
  • Create role (): This button allows you to create a new security role and then assign it to people.

When you create or edit a role, a panel opens in which you can assign the name, description and authorisations. The name and description are displayed when you assign the role to the business unit.

Available rights

The following rights can be associated with the security roles:
Process Execution

  • Start process: People need this right to be able to start a new process or to access dashboards and thus list running processes. This right is therefore important for all persons who are to execute processes.
  • Process lists Excel export: With this right, people can export the lists on the dashboards to Excel. If an Excel export is deactivated in a table, people with this right cannot perform an export.
  • Process PDF export: This right allows people to export a running process to PDF.
  • Delete running processes: If a person has this right, they can delete a running process in the log.
  • Read process log: With this right, people in the process can read the log in order to understand which steps and actions have been carried out in a process.
  • Read all processes: This right allows a person to read every running process in the business unit, regardless of whether this person has been assigned an access right to the process via a corresponding role. This can be very useful to help people to support other people or to provide a better overview of the running processes in the organisation.

Process design

  • Read executable process design: People need this right to open the process designer read-only. This allows people to read the executable version of a process without changing it.
  • Writing an executable process design: People need this right to open the process designer in write mode.
  • Publish executable process design: If a person has this right, they can publish the executable version of a process and thus make it live. If a person also has the right to publish the BPMN 2.0 version, both versions can be published in one.
  • Read BPMN 2.0 process design: With this right, people can read the BPMN 2.0 representation of a process without #changing it.
  • Writing BPMN 2.0 process design: This right allows people to edit the BPMN 2.0 representation of a process.
  • Publish BPMN 2.0 process design: People need this right to publish the BPMN 2.0 version of a process, and thus communicate the new representation to employees. If a person also has the right to publish the executable version, both versions can be published at the same time.
  • Withdraw publication: With this right, people can withdraw the publication of a process. This means that people can no longer start this process or read the BPMN 2.0 representation.
  • Delete process: People need this right to move a process definition to the recycle bin.
  • Analyze ongoing processes: This right allows a person to analyse the course of a process and thus understand why a process has run the way it has.
  • Export process details: This right allows people to export form values etc. of a process from the process list in order to carry out analyses with external tools, for example
  • Display process statistics: If a person has this right, they can display various statistics such as run times etc. This can be very helpful to optimise a process.
  • Export / Import: Persons need this right to export or import a process. In addition, people need read or write access to the corresponding version.
  • Answer feedback: This right is required so that people can answer feedback on processes.
  • Assign process folder authorizations: Persons with this right can determine which persons have access to a folder in the process list.

Dashboard design

  • Read dashboard: This permission allows a person to open a dashboard in the designer in read-only mode.
  • Write dashboard: This right allows a person to open a dashboard in the Designer in write mode.
  • Delete dashboard: This permission allows a person to move a dashboard to the recycle bin.
  • Assign dashboard folder permissions: People with this right can determine which people have access to a folder in the dashboard list.

Master data

  • Read master data: This right allows a person to read the master data in a business unit.
  • Write master data: This right allows a person to change or create the master data in a business unit.
  • Delete master data: This right allows a person to move a master data entry to the recycle bin.
  • Master data Assign folder authorizations: Persons with this right can determine which persons have access to a folder in the master data list.
  • Read lookup list entries: If a person has this right, the person can read the entries in a lookup list without changing them.
  • Write lookup list entries: If a person has this right, the person can change the entries in a lookup list.

Connections

  • Read connections: This permission allows a person to read the connections in a business unit.
  • Write connections: This right allows a person to change or create the connections in a business unit.
  • Delete connections: This permission allows a person to move a connection to the recycle bin.
  • Connections Assign folder authorizations: People with this right can determine which people have access to a folder in the connections list.

Client setting

  • Process settings: Persons with this right can change the business unit settings for processes. For example, people can define internal processes and set business unit metadata.
  • BPMN 2.0 settings: This right allows people to change the business unit settings for BPMN 2.0 processes.
  • Protocol settings: This right is required to view the logs, such as the deletion log, in the business unit settings.

Standard roles

The following roles exist in a business unit by default:

  • Process editors: Here you can specify persons and groups who can design processes, dashboards etc. for this business unit. In the case of the HR department, for example, it would make sense to enter the people in this department as process editors. This way, the people who know the department's processes best can digitise them themselves.
  • Members of the business unit: Here you can specify persons and groups who can execute processes from this business unit. In the case of the HR department, for example, you could specify a group here that includes all employees of the company. This would allow all persons to start the processes provided by the HR department (e.g. a holiday request).
  • Access to all processes: This special role allows the selected persons or groups to open all processes in the business unit on a read-only basis. This can be useful to help with queries or, for example, to allow the management to view all processes.
  • Business unit management: Persons with this role can change advanced settings for the business unit.