> ## Documentation Index
> Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Limits roles

> Reference for the predefined roles in Atoti Limits, covering general roles for business functions, permission roles for UI action control, workflow action roles, and default users with their assigned roles

Depending on what role a user is assigned in Atoti Limits, they have different permissions and can carry out different tasks.
This page outlines the pre-defined roles in the module, split into two categories: [general roles](#general-roles) and [permission roles](#permission-roles).
A list of [default users](#default-users) and their roles is also provided.

### Required roles

There is no specific role in Atoti Limits that is strictly required for all users to have. However,
Atoti Limits creates the Key Performance Indicator (KPI) in the business cube after the limit is approved
with a list of roles that are eligible to view the KPI.

The list of roles comes from the value of the `limits.autoconfiguration.content-service.limits-created-measures-owner`
property, if it is set. If the property is not set it defaults to the roles assigned as the owners of the `pivot/entitlements/kpi`
folder in the content server.

Additionally, if any [data access permission roles](./data-access-permissions) are configured then those
roles will also be added to the list of roles eligible to view the KPI.

As long as a user has one of the eligible roles then they will be able to view the KPI.

## General roles

These roles are used in the module to define a user’s business function, such as admin, manager, or user, and control access to key components of the module like the REST endpoints and Activiti.

<table><thead><tr><th>Role</th><th>Description</th></tr></thead><tbody><tr><td>ROLE\_USER</td><td>Standard user role.</td></tr><tr><td>ROLE\_LIMITS</td><td>This role is not required, but does serve a special purpose: Atoti Limits creates the KPI (Key Performance Indicator) in the business cube after the limit is in the <code>Approved</code> status. ROLE\_LIMITS is the default KPI owners and readers. KPIs are tagged with owner ROLE\_LIMITS, so they can be distinguished from other KPIs created by other applications. The module deletes the KPIs by ROLE\_LIMITS in the content server during startup, before consuming the initial load limit files.<br /><br />This role also serves as the <a href="#role_limits-full-access">full-access role</a> in the permission roles, which means that users with this role have all actions enabled in the UI.</td></tr><tr><td>ROLE\_USERS</td><td>Group of ROLE\_USER. This role is used by BPMN in Activiti.<br /><br />In the reference workflow implementation, ROLE\_USERS can initiate the <a href="../limit-workflow/default-workflows/legacy-workflows">Straight-through</a> and <a href="../limit-workflow/default-workflows/legacy-workflows">4-eyes</a> workflows.<br /><br />The value in the <code>activiti:candidateStarterGroups</code> tag is parsed in the module to map to ROLE\_USERS.<br /><br />For example, in the 4-eye BPMN file, USERS can start the workflow process. Atoti Limits checks if the current user is ROLE\_USERS: <code>\<activiti:candidateStarterGroups="USERS"></code></td></tr><tr><td>ROLE\_MANAGERS</td><td>Group of ROLE\_MANAGER. ROLE\_MANAGER is not used explicitly in the module, but it’s used by BPMN in Activiti.<br /><br />The Activiti security user “MANAGERS” is parsed in the module to map to ROLE\_MANAGERS: <code>\<activiti:candidateStarterGroups="MANAGERS"></code></td></tr><tr><td>ROLE\_ADMIN</td><td>Can access the RESTful endpoints and issue the web service against the Atoti Server instances.<br /><br />In the reference workflow implementation, ROLE\_ADMIN can trigger the limit evaluation RESTful endpoint.</td></tr><tr><td>ROLE\_ACTIVITI\_USER</td><td>Can access the Activiti queries.</td></tr><tr><td>ROLE\_ACTIVITI\_ADMIN</td><td>Can update the process definition in Activiti at runtime. Currently, the reference workflow implementation doesn’t provide this functionality.</td></tr></tbody></table>

### APPROVERS and EXAMINERS

Depending on the type of workflow defined on the [Limit Structure](../../user-ref/input-files/limit_structures), the following types of users can approve/reject a limit:

* Four-eyes workflow: The `APPROVER` user can approve or reject the limit.
* Six-eyes workflow: The `EXAMINER` user can make the first approval/rejection of the limit. The `APPROVER` user can make the second and final approval/rejection of the limit.

## Permission roles

These roles are used to control access to user actions in the UI for Atoti Limits. The roles are defined as enums of type `LimitsActionPermissionRole`.

<table><thead><tr><th>Role</th><th>Description</th></tr></thead><tbody><tr><td>ROLE\_READ\_ONLY</td><td>Read-only access to the limits in the UI. A user with this role will have all actions disabled.<br /><note><p>This role takes precedence over all other permission roles, so all actions are disabled even if the user has other permission roles.</p></note></td></tr><tr><td>ROLE\_LIMITS (full access)</td><td>Full access to all actions in the UI. A user with this role is equivalent to a user with all individual permissions roles below.<br /><note><p>The read-only role <code>ROLE\_READ\_ONLY</code> is the only permission role that takes precedence over <code>ROLE\_LIMITS</code>.</p></note></td></tr><tr><td>ROLE\_CREATE\_STRUCTURE</td><td>Can create a limit structure. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Create Limit Structure</code> and <code>Upload limit structures</code> buttons disabled in the <strong>Inventory</strong>.</td></tr><tr><td>ROLE\_UPDATE\_STRUCTURE</td><td>Can update an existing limit structure. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <strong>Limit Structure</strong> form elements in the Limits viewer disabled.</td></tr><tr><td>ROLE\_DELETE\_STRUCTURE</td><td>Can delete an existing limit structure. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Delete</code> button disabled in the <strong>Limit Structure</strong> panel of the Limits viewer.</td></tr><tr><td>ROLE\_EVALUATE\_STRUCTURE</td><td>Can evaluate a limit structure. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Evaluate</code> button disabled in the <strong>Inventory</strong>.</td></tr><tr><td>ROLE\_CREATE\_STRUCTURE\_LIMIT</td><td>Can create a new limit on the limit structures that are viewable. Users that don’t have this role, <code>ROLE\_CREATE\_ANY\_LIMIT</code>, or <code>ROLE\_LIMITS</code> will have the <code>Add Limit</code> button disabled in the Limits viewer.</td></tr><tr><td>ROLE\_CREATE\_ANY\_LIMIT</td><td>Can create a new limit on any limit structure. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Upload limits</code> button disabled in the <strong>Inventory</strong>.</td></tr><tr><td>ROLE\_UPDATE\_LIMIT</td><td>Can update an existing limit. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Edit limit</code> icon disabled for each limit in the Limits viewer.</td></tr><tr><td>ROLE\_DELETE\_LIMIT</td><td>Can delete an existing limit. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Delete limit</code> icon disabled for each limit in the Limits viewer, as well as the <code>Delete</code> button above the Limits table.</td></tr><tr><td>ROLE\_CREATE\_TEMP\_LIMIT</td><td>Can create a temporary limit. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Create temporary limit</code> button disabled for each limit in the Limits viewer.</td></tr><tr><td>ROLE\_COPY\_LIMIT</td><td>Can copy an existing limit. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Copy limit</code> icon disabled for each limit in the Limits viewer.</td></tr><tr><td>ROLE\_DOWNLOAD\_LIMIT</td><td>Can download limits and structures as CSV files. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Download</code> icon disabled in the <strong>Inventory</strong>.</td></tr><tr><td>ROLE\_APPROVE\_REJECT\_LIMIT\*</td><td>Can approve or reject a limit. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Approve</code> and <code>Reject</code> buttons hidden in the <strong>Limit Structure</strong> panel of the Limits viewer.</td></tr><tr><td>ROLE\_PROCESS\_INCIDENT\*</td><td>Can review breaches and comment on warnings. Users that don’t have this role, or <code>ROLE\_LIMITS</code>, will have the <code>Review</code> and <code>Comment</code> buttons hidden, as well as the <code>Process</code> icon disabled for each incident in the <strong>Status</strong>.</td></tr></tbody></table>

### Workflow action roles

Roles marked with an asterisk in the table above are permissions for workflow actions. These permissions are enforced by Limits, not Activiti. It is possible to configure the workflow to control access via Activiti, but this is not the default behavior.

For customizing access to the Limits default workflow actions, we recommend using the permissions above. If you have a custom workflow, you can control access to it via the `enabled` flag in `WorkflowTaskActionDTO`. Please refer to the documentation on [defining task Spring beans](../dev-extensions/custom-legacy-workflow/custom-workflow-tasks/custom-workflow-action-spring-bean) for more information on custom workflow actions in Limits.

### Default users

<table><thead><tr><th>Default user</th><th>Role</th><th>Create/update/delete</th><th>Upload file</th><th>Approve limit change/deletion</th></tr></thead><tbody><tr><td>user1/user1</td><td>ROLE\_USER<br />ROLE\_USERS<br />ROLE\_ACTIVITI\_USER<br />ROLE\_CS\_ROOT<br />ROLE\_LIMITS</td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-minus" /></td></tr><tr><td>user2/user2</td><td>ROLE\_USER<br />ROLE\_USERS<br />ROLE\_ACTIVITI\_USER<br />ROLE\_CS\_ROOT<br />ROLE\_LIMITS</td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-minus" /></td></tr><tr><td>manager1/manager1</td><td>ROLE\_USER<br />ROLE\_MANAGERS<br />ROLE\_ACTIVITI\_USER<br />ROLE\_CS\_ROOT<br />ROLE\_EVALUATE\_STRUCTURE<br />ROLE\_APPROVE\_REJECT\_LIMIT<br />ROLE\_PROCESS\_INCIDENT</td><td><span aria-hidden="true" class="glyphicon glyphicon-minus" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td></tr><tr><td>manager2/manager2</td><td>ROLE\_USER<br />ROLE\_MANAGERS<br />ROLE\_ACTIVITI\_USER<br />ROLE\_EVALUATE\_STRUCTURE<br />ROLE\_APPROVE\_REJECT\_LIMIT<br />ROLE\_PROCESS\_INCIDENT</td><td><span aria-hidden="true" class="glyphicon glyphicon-minus" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td></tr><tr><td>admin/admin</td><td>ROLE\_ADMIN<br />ROLE\_CS\_ROOT<br />ROLE\_USERS<br />ROLE\_MANAGERS<br />ROLE\_USER<br />ROLE\_ACTIVITI\_USER<br />ROLE\_ACTIVITI\_ADMIN<br />ROLE\_LIMITS</td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td></tr><tr><td>restrictedUser/restrictedUser</td><td>ROLE\_USERS<br />ROLE\_ACTIVITI\_USER<br />ROLE\_CS\_ROOT<br />ROLE\_READ\_ONLY</td><td><span aria-hidden="true" class="glyphicon glyphicon-minus" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-ok" /></td><td><span aria-hidden="true" class="glyphicon glyphicon-minus" /></td></tr></tbody></table>
