Limits roles
Depending on what role a user is assigned in Atoti Limits, they have different permissions and can carry out different tasks. This page outlines the pre-defined roles in the module, split into two categories: general roles and permission roles. A list of default users and their roles is also provided.
General roles
These roles are used in the module to define a user’s business function, such as admin, manager, or user, and control access to key components of the module like the REST endpoints and Activiti. An asterisk (*) indicates that the role is required for all users in Atoti Limits.
Role | Description |
---|---|
ROLE_USER* | Required for every user. Atoti Limits creates a KPI (Key Performance Indicator) in the business cube once a limit definition reaches the Approved status, and ROLE_USER is the default KPI owner and reader role. Any user who accesses Atoti Limits must therefore be granted ROLE_USER; otherwise they cannot see the KPIs that the module creates in the business cubes. |
ROLE_LIMITS | Not required, but serves a special purpose. When Atoti Limits creates the KPI in the business cube after the limit definition reaches the Approved status, ROLE_LIMITS is the default KPI owner and reader, and the KPI is tagged with owner ROLE_LIMITS so that KPIs created by the module can be distinguished from KPIs created by other applications. During startup, before consuming the initial-load limit files, the module deletes the KPIs owned by ROLE_LIMITS from the content server. This role is also the full-access role among the permission roles below: users with ROLE_LIMITS have all actions enabled in the UI. |
ROLE_USERS | Group of ROLE_USER. This role is used by the BPMN definitions in Activiti. In the reference workflow implementation, ROLE_USERS can initiate the Straight-through and 4-eyes workflows. The module parses the value of the activiti:candidateStarterGroups attribute declared on the BPMN process and maps the group name USERS to ROLE_USERS. For example, the 4-eyes BPMN file declares activiti:candidateStarterGroups="USERS", so Atoti Limits checks whether the current user holds ROLE_USERS before letting them start the workflow process. |
ROLE_MANAGERS | Group of ROLE_MANAGER. ROLE_MANAGER is not used explicitly in the module, but it is used by the BPMN definitions in Activiti: the candidate starter group MANAGERS, declared as activiti:candidateStarterGroups="MANAGERS", is parsed by the module and mapped to ROLE_MANAGERS. |
ROLE_ADMIN | Can access the RESTful endpoints and call the web services exposed by the Atoti Server instances. In the reference workflow implementation, ROLE_ADMIN can trigger the limit evaluation RESTful endpoint and the DLC (Data Load Controller). |
ROLE_ACTIVITI_USER | Can access the Activiti queries. |
ROLE_ACTIVITI_ADMIN | Can update the process definition in Activiti at runtime. Currently, the reference workflow implementation doesn’t provide this functionality. |
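The ROLE_USERS and ROLE_MANAGERS rows describe a mapping from the BPMN candidate starter group to a Spring role. The following is an added example, not code from Atoti Limits or Activiti, that parses that attribute from a constructed BPMN file and applies the group-to-role check. The process ids, names and the `can_start` helper are assumptions made for the example; note in particular that it fails closed for a process with no declared starter groups, which is the opposite of Activiti's own default.

```python
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
ACTIVITI_NS = "http://activiti.org/bpmn"

# Constructed sample BPMN definitions (not a file shipped with Atoti Limits).
# Process ids and names are made up; only the activiti:candidateStarterGroups
# attribute reflects what the page describes.
SAMPLE_BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             xmlns:activiti="http://activiti.org/bpmn"
             targetNamespace="http://example.invalid/limits">
  <process id="fourEyes" name="Four-eyes limit approval"
           activiti:candidateStarterGroups="USERS">
    <startEvent id="start4"/>
  </process>
  <process id="sixEyes" name="Six-eyes limit approval"
           activiti:candidateStarterGroups="USERS, MANAGERS">
    <startEvent id="start6"/>
  </process>
  <process id="unrestricted" name="No starter groups declared">
    <startEvent id="startU"/>
  </process>
</definitions>
"""


def candidate_starter_groups(bpmn_xml: str) -> dict[str, list[str]]:
    """Return {process id: [candidate starter groups]} for every process in the file.

    Activiti accepts a comma-separated list in the attribute, so the value is split
    and trimmed. A process without the attribute maps to an empty list.
    """
    root = ET.fromstring(bpmn_xml)
    groups_by_process = {}
    for process in root.findall(f"{{{BPMN_NS}}}process"):
        raw = process.get(f"{{{ACTIVITI_NS}}}candidateStarterGroups", "")
        groups_by_process[process.get("id")] = [
            g.strip() for g in raw.split(",") if g.strip()
        ]
    return groups_by_process


def group_to_role(group: str) -> str:
    """Map a BPMN group name to the role the page describes (USERS -> ROLE_USERS)."""
    return group if group.startswith("ROLE_") else f"ROLE_{group}"


def can_start(process_id: str, user_roles, bpmn_xml: str = SAMPLE_BPMN) -> bool:
    """Decide whether a user holding `user_roles` may start `process_id`.

    Assumption of this example: a process that declares no candidate starter groups
    is not startable (fail closed). Activiti's own default is the opposite, so a
    deployment relying on this group check should make sure every process declares
    its starter groups.
    """
    groups = candidate_starter_groups(bpmn_xml).get(process_id)
    if groups is None:
        raise KeyError(f"unknown process id: {process_id}")
    held = set(user_roles)
    return any(group_to_role(g) in held for g in groups)
```

Note the distinction the page draws between ROLE_USER and ROLE_USERS: a user holding only ROLE_USER is not a member of the USERS starter group and cannot start the four-eyes process under this check.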
APPROVERS and EXAMINERS
Depending on the type of workflow defined on the Limit Structure, the following types of users can approve or reject a limit:
- Four-eyes workflow: the APPROVER user can approve or reject the limit.
- Six-eyes workflow: the EXAMINER user makes the first approval or rejection of the limit; the APPROVER user makes the second and final approval or rejection.
Permission roles
These roles control access to user actions in the UI of Atoti Limits. They are defined as values of the enum type LimitsActionPermissionRole.
Role | Description |
---|---|
ROLE_READ_ONLY | Read-only access to the limits in the UI. A user with this role has all actions disabled. Note: this role takes precedence over all other permission roles, so all actions remain disabled even if the user also holds other permission roles. |
ROLE_LIMITS (full access) | Full access to all actions in the UI. A user with this role is equivalent to a user holding every individual permission role below. Note: the read-only role takes precedence over this role (see ROLE_READ_ONLY above). |
ROLE_CREATE_STRUCTURE | Can create a limit structure. Users without this role or ROLE_LIMITS have the Create Limit Structure and Upload limit structures buttons disabled in the Inventory. |
ROLE_UPDATE_STRUCTURE | Can update an existing limit structure. Users without this role or ROLE_LIMITS have the Limit Structure form elements in the Limits viewer disabled. |
ROLE_DELETE_STRUCTURE | Can delete an existing limit structure. Users without this role or ROLE_LIMITS have the Delete button disabled in the Limit Structure panel of the Limits viewer. |
ROLE_EVALUATE_STRUCTURE | Can evaluate a limit structure. Users without this role or ROLE_LIMITS have the Evaluate button disabled in the Inventory. |
ROLE_CREATE_STRUCTURE_LIMIT | Can create a new limit on the limit structures that are viewable. Users without this role, ROLE_CREATE_ANY_LIMIT, or ROLE_LIMITS have the Add Limit button disabled in the Limits viewer. |
ROLE_CREATE_ANY_LIMIT | Can create a new limit on any limit structure. Users without this role or ROLE_LIMITS have the Upload limits button disabled in the Inventory. |
ROLE_UPDATE_LIMIT | Can update an existing limit. Users without this role or ROLE_LIMITS have the Edit limit icon disabled for each limit in the Limits viewer. |
ROLE_DELETE_LIMIT | Can delete an existing limit. Users without this role or ROLE_LIMITS have the Delete limit icon disabled for each limit in the Limits viewer, as well as the Delete button above the Limits table. |
ROLE_CREATE_TEMP_LIMIT | Can create a temporary limit. Users without this role or ROLE_LIMITS have the Create temporary limit button disabled for each limit in the Limits viewer. |
ROLE_COPY_LIMIT | Can copy an existing limit. Users without this role or ROLE_LIMITS have the Copy limit icon disabled for each limit in the Limits viewer. |
ROLE_DOWNLOAD_LIMIT | Can download limits and structures as CSV files. Users without this role or ROLE_LIMITS have the Download icon disabled in the Inventory. |
ROLE_APPROVE_REJECT_LIMIT* | Can approve or reject a limit. Users without this role or ROLE_LIMITS have the Approve and Reject buttons hidden in the Limit Structure panel of the Limits viewer. |
ROLE_PROCESS_INCIDENT* | Can review breaches and comment on warnings. Users without this role or ROLE_LIMITS have the Review and Comment buttons hidden, as well as the Process icon disabled for each incident in the Status. |
Workflow action roles
Roles marked with an asterisk in the table above are permissions for workflow actions. These permissions are enforced by Limits itself, not by Activiti. It is possible to configure the workflow so that Activiti controls access, but this is not the default behaviour.
To customize access to the default Limits workflow actions, use the permission roles above. If you have a custom workflow, you can control access to its actions via the enabled flag in WorkflowTaskActionDTO. Refer to the documentation on defining task Spring beans for more information on custom workflow actions in Limits.
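The permission-roles table and the workflow-action paragraph above amount to a small precedence rule: ROLE_READ_ONLY disables everything, ROLE_LIMITS enables everything, and otherwise each UI action is enabled by the individual role(s) named for it. The following is an added example, not code from Atoti Limits, that encodes those rules so a role assignment can be checked before it is deployed. The action labels, the `ACTION_ROLES` table and the helper names are assumptions of the example; the role names are the page's.

```python
FULL_ACCESS_ROLE = "ROLE_LIMITS"
READ_ONLY_ROLE = "ROLE_READ_ONLY"

# UI actions named on the page, mapped to the permission role(s) that enable each.
# The action keys are labels chosen for this example; the role names are the page's.
# "add_limit" is the one action enabled by either of two roles.
ACTION_ROLES = {
    "create_structure": {"ROLE_CREATE_STRUCTURE"},
    "upload_structures": {"ROLE_CREATE_STRUCTURE"},
    "update_structure": {"ROLE_UPDATE_STRUCTURE"},
    "delete_structure": {"ROLE_DELETE_STRUCTURE"},
    "evaluate_structure": {"ROLE_EVALUATE_STRUCTURE"},
    "add_limit": {"ROLE_CREATE_STRUCTURE_LIMIT", "ROLE_CREATE_ANY_LIMIT"},
    "upload_limits": {"ROLE_CREATE_ANY_LIMIT"},
    "edit_limit": {"ROLE_UPDATE_LIMIT"},
    "delete_limit": {"ROLE_DELETE_LIMIT"},
    "create_temporary_limit": {"ROLE_CREATE_TEMP_LIMIT"},
    "copy_limit": {"ROLE_COPY_LIMIT"},
    "download": {"ROLE_DOWNLOAD_LIMIT"},
    "approve_reject_limit": {"ROLE_APPROVE_REJECT_LIMIT"},
    "process_incident": {"ROLE_PROCESS_INCIDENT"},
}

# The asterisked roles on the page: workflow actions enforced by Limits, not Activiti.
WORKFLOW_ACTIONS = {"approve_reject_limit", "process_incident"}


def enabled_actions(user_roles) -> set:
    """Resolve the set of enabled UI actions for a role assignment.

    Precedence follows the page: read-only wins over everything, then full access,
    then the individual permission roles.
    """
    roles = set(user_roles)
    if READ_ONLY_ROLE in roles:
        return set()
    if FULL_ACCESS_ROLE in roles:
        return set(ACTION_ROLES)
    return {action for action, needed in ACTION_ROLES.items() if roles & needed}


def is_enabled(action: str, user_roles) -> bool:
    """True if `action` is enabled for `user_roles`; unknown actions are an error."""
    if action not in ACTION_ROLES:
        raise KeyError(f"unknown action: {action}")
    return action in enabled_actions(user_roles)


def ineffective_grants(user_roles) -> set:
    """Permission roles that have no effect because ROLE_READ_ONLY is also present.

    A non-empty result usually means a misconfigured user: someone granted
    ROLE_LIMITS or ROLE_DELETE_LIMIT together with ROLE_READ_ONLY.
    """
    roles = set(user_roles)
    if READ_ONLY_ROLE not in roles:
        return set()
    all_permission_roles = {FULL_ACCESS_ROLE} | set().union(*ACTION_ROLES.values())
    return roles & all_permission_roles
```

This models UI gating only. Disabling a button does not stop a request to the REST endpoint behind it, so the same role checks must be enforced server-side; the page's note that the workflow permissions are enforced by Limits rather than Activiti is the relevant place to confirm that for approve/reject and incident processing.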
Default users
Each default user is listed as username/password. These are development defaults; replace them before exposing an instance to anyone other than the development team.
Default user | Roles | Create/update/delete | Upload file | Approve limit change/deletion |
---|---|---|---|---|
user1/user1 | ROLE_USER, ROLE_USERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_LIMITS | Yes | Yes | Yes |
user2/user2 | ROLE_USER, ROLE_USERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_LIMITS | Yes | Yes | Yes |
manager1/manager1 | ROLE_USER, ROLE_MANAGERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_EVALUATE_STRUCTURE | | | |
manager2/manager2 | ROLE_USER, ROLE_MANAGERS, ROLE_ACTIVITI_USER, ROLE_EVALUATE_STRUCTURE | | | |
admin/admin | ROLE_ADMIN, ROLE_CS_ROOT, ROLE_USERS, ROLE_MANAGERS, ROLE_USER, ROLE_ACTIVITI_USER, ROLE_ACTIVITI_ADMIN, ROLE_LIMITS | Yes | Yes | Yes |
restrictedUser/restrictedUser | ROLE_USER, ROLE_USERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_READ_ONLY | No | No | No |