Comparing Role Privileges and User/Group Privileges

Roles let a designer (working in SBM Composer) work with privileges abstractly—that is, in relation to a function (such as QA Manager) rather than actual people. In contrast, an administrator (working in SBM Application Administrator) assigns privileges to actual users and groups of users. The administrator can assign privileges directly to users or groups or by associating a user or group with one or more of the roles created in SBM Composer.

The privileges available to the designer when creating or editing roles are all available to the administrator as user and group privileges, and the names are all close to identical (for example, the "View Fields in the 'User' Section" role privilege maps to the "View User Fields" user/group privilege). However, not all privileges available in SBM Application Administrator are available as role privileges. For example, administrative privileges for modifying a user profile and various system privileges are user/group privileges and are available only in Application Administrator.

Generally, role privileges alone are not enough for complex process app implementation, and you will likely want to combine roles with additional user/group privileges applied in Application Administrator.

Privileges are additive and can be indifferent to the role-based transition restrictions specified on the Restrict By Role Tab of the Transition Property Editor. This means that all privileges granted to all roles are initially put into a pool, and after that, role-based transition restrictions are considered. For example, suppose the Manager role is not restricted from the Escalate transition, and has the "Transition Item if Owner" privilege. Laura is associated with the Manager role, but she is not the owner of the source state. Therefore, she should not be able to access the Escalate transition.

However, Laura is associated with another role, the Engineer role. The Engineer role is restricted from the Escalate transition, but has the "Transition All Items" privilege. The Engineer role privileges are added to the pool of privileges granted to Laura. Therefore, Laura can access this transition, even though she is not the owner of the source state.

Role privileges for primary tables are based on projects. The privileges can be categorized as follows:

• Advanced - View
• All - Submit, Own, Delete, View
• Archived Items - View, Restore
• Attachments - View, Add, Edit, Set, Delete
• Change History - View
• Hidden - View
• Item - View, Update, Transition, Mass Update
• Manager - View
• Notes - View, Add, Edit, Set, Delete
• Principal - Link/Unlink
• Principal and Subtasks - View
• Reports - Manage, Create, Modify, Run, Delete, Create/Modify Advanced SQL Queries
• Section - View, Edit
• State Change - View
• Subtasks - Link
• System - View
• User - View
• Version Control History - Manage
• Workflow - View

Role privileges for auxiliary tables are not based on projects. The privileges can be categorized as follows:

• Advanced - View
• All - Submit, Update, Delete, View
• Attachments - View, Add, Edit, Set, Delete
• Change History - View
• Hidden - View
• Item - Mass Update
• Manager - View
• Notes - View, Add, Edit, Set, Delete
• Reports - Manage, Create, Modify, Run, Delete, Access, Create/Modify Advanced SQL Queries.
• Section - View, Edit
• User - View