The operations you can perform, and the object classes you can perform them on, are determined by the privileges and/or role assignments that have been defined for your user.
The purpose of this chapter is to explain how privileges and roles work, the differences between them, and how you can use them to control which users can perform the various tasks in your applications and processes.
Managing privileges and roles using the Administration Console is described in Process Configuration Users and Roles.
A privilege is a function or action that a user or group can perform, such as editing the content of items or managing lifecycles. There are a set of privilege rules that you can specify in the Administration Console for each privilege that determines which users can perform that function, and under what conditions. For example, the ability to update a design part can be restricted to the user who originally created the design part or any member of the ADMIN group.
A role consists a collection of privileges that can be assigned to a user or group. For example, if you are assigned the role of PRODUCT-MANAGER you can perform all the functions permitted for that role, for example deleting or renaming a product.
The fundamental differences between roles and privileges are:
You can assign the same role to different users for different design parts or subordinate design parts.
You can assign different roles to different transitions in the lifecycle of an object type, thus allowing different people to be responsible for the various stages in the approval process within that lifecycle.
You can control who can perform a specific task more precisely using privileges. For example, you could explicitly allow only a particular user to edit lifecycle definitions.
Related Topics