Limits roles

Depending on what role a user is assigned in Atoti Limits, they have different permissions and can carry out different tasks. This page outlines the pre-defined roles in the module, split into two categories: general roles and permission roles. A list of default users and their roles is also provided.

General roles

These roles are used in the module to define a user’s business function, such as admin, manager, or user, and control access to key components of the module like the REST endpoints and Activiti. An asterisk (*) indicates that the role is required for all users in Atoti Limits.

Role Description
ROLE_USER* This role is required for every Atoti Limits user. Atoti Limits creates a KPI (Key Performance Indicator) in the business cube once a limit definition reaches the Approved status, and ROLE_USER is included in the default owners and readers of those KPIs.

Any user who has access to Atoti Limits needs to be set up as ROLE_USER, otherwise they can't see the KPIs the module creates in the business cubes.
ROLE_LIMITS This role is not required, but it serves a special purpose. ROLE_LIMITS is also included in the default owners and readers of the KPIs the module creates, and each of those KPIs is tagged with owner ROLE_LIMITS so it can be distinguished from KPIs created by other applications. During startup, before consuming the initial-load limit files, the module deletes every KPI owned by ROLE_LIMITS from the content server, so this owner tag should not be reused by anything else.

This role also serves as the full-access role among the permission roles: users with ROLE_LIMITS have all actions enabled in the UI.
ROLE_USERS Group of ROLE_USER. This role is used by the BPMN process definitions executed in Activiti.

In the reference workflow implementation, ROLE_USERS can initiate the Straight-through and 4-eyes workflows.

The value of the activiti:candidateStarterGroups attribute on the BPMN process element is parsed by the module and mapped to the corresponding role (USERS maps to ROLE_USERS).

For example, the 4-eyes BPMN file declares USERS as a candidate starter group, so Atoti Limits checks that the current user has ROLE_USERS before letting them start the process: activiti:candidateStarterGroups="USERS"
ROLE_MANAGERS Group of ROLE_MANAGER. The module does not use this role explicitly, but the BPMN process definitions executed in Activiti do.

The Activiti candidate starter group MANAGERS is parsed by the module and mapped to ROLE_MANAGERS: activiti:candidateStarterGroups="MANAGERS"
ROLE_ADMIN Can access the RESTful endpoints and issue web service calls against the Atoti Server instances.

In the reference workflow implementation, ROLE_ADMIN can trigger the limit evaluation RESTful endpoint and the DLC (Data Load Controller).
ROLE_ACTIVITI_USER Can access the Activiti queries.
ROLE_ACTIVITI_ADMIN Can update the process definition in Activiti at runtime. Currently, the reference workflow implementation doesn’t provide this functionality.
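To make the group-to-role mapping concrete, here is an added example (not Atoti Limits code) that reads the activiti:candidateStarterGroups attribute from a BPMN process definition, maps each group to its ROLE_-prefixed role name, and checks whether a user's granted roles allow starting that process. The BPMN document and the function names are constructed for this illustration; the USERS to ROLE_USERS and MANAGERS to ROLE_MANAGERS mapping is the one described above, and the fail-closed treatment of a process with no declared starter groups is this example's policy, not a statement about Activiti's own behaviour.

```python
"""Added example: map Activiti candidate starter groups to module roles.
Not Atoti Limits code; the BPMN document below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Iterable

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
ACTIVITI_NS = "http://activiti.org/bpmn"

# Constructed sample: two minimal process definitions. Only the <process>
# elements and their activiti:candidateStarterGroups attributes matter here.
SAMPLE_BPMN = f"""<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="{BPMN_NS}" xmlns:activiti="{ACTIVITI_NS}"
             targetNamespace="http://example.invalid/limits">
  <process id="fourEyes" name="4-eyes approval" isExecutable="true"
           activiti:candidateStarterGroups="USERS">
    <startEvent id="start"/>
    <userTask id="approve" name="Approve" activiti:candidateGroups="MANAGERS"/>
    <endEvent id="end"/>
  </process>
  <process id="reviewOnly" name="No starters declared" isExecutable="true">
    <startEvent id="start2"/>
    <endEvent id="end2"/>
  </process>
</definitions>
"""


def candidate_starter_groups(bpmn_xml: str, process_id: str) -> list[str]:
    """Return the groups listed in activiti:candidateStarterGroups for one
    process. The attribute is comma-separated and may be absent."""
    root = ET.fromstring(bpmn_xml)
    for process in root.iter(f"{{{BPMN_NS}}}process"):
        if process.get("id") == process_id:
            raw = process.get(f"{{{ACTIVITI_NS}}}candidateStarterGroups", "")
            return [g.strip() for g in raw.split(",") if g.strip()]
    raise KeyError(f"no process with id {process_id!r}")


def group_to_role(group: str) -> str:
    """Activiti group name -> module role name (USERS -> ROLE_USERS)."""
    return group if group.startswith("ROLE_") else f"ROLE_{group}"


def can_start(user_roles: Iterable[str], bpmn_xml: str, process_id: str) -> bool:
    """True if the user holds at least one role mapped from the process's
    candidate starter groups. A process that declares no starter groups is
    treated as not startable: this example fails closed rather than open
    (the example's policy, not a description of Activiti's default)."""
    required = {group_to_role(g) for g in candidate_starter_groups(bpmn_xml, process_id)}
    if not required:
        return False
    return not required.isdisjoint(user_roles)


if __name__ == "__main__":
    # Role sets modelled on the default users listed further down this page.
    user1 = {"ROLE_USER", "ROLE_USERS", "ROLE_ACTIVITI_USER"}
    manager1 = {"ROLE_USER", "ROLE_MANAGERS", "ROLE_ACTIVITI_USER"}
    print("user1 can start fourEyes:", can_start(user1, SAMPLE_BPMN, "fourEyes"))
    print("manager1 can start fourEyes:", can_start(manager1, SAMPLE_BPMN, "fourEyes"))
```

Run as a script it reports that user1 (who holds ROLE_USERS) may start the 4-eyes process while manager1 (who holds ROLE_MANAGERS only) may not, which is the behaviour the table above describes for the reference workflow.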

APPROVERS and EXAMINERS

Depending on the type of workflow defined on the Limit Structure, the following types of users can approve/reject a limit:

  • Four-eyes workflow: The APPROVER user can approve or reject the limit.
  • Six-eyes workflow: The EXAMINER user can make the first approval/rejection of the limit. The APPROVER user can make the second and final approval/rejection of the limit.

Permission roles

These roles control access to user actions in the Atoti Limits UI. They are defined as the values of the LimitsActionPermissionRole enum.

Role Description
ROLE_READ_ONLY Read-only access to the limits in the UI. A user with this role will have all actions disabled.

note

This role takes precedence over all other permission roles, so all actions are disabled even if the user has other permission roles.

ROLE_LIMITS (full access) Full access to all actions in the UI. A user with this role is equivalent to a user holding all of the individual permission roles below.

note

The read-only role ROLE_READ_ONLY is the only permission role that takes precedence over ROLE_LIMITS.

ROLE_CREATE_STRUCTURE Can create a limit structure. Users that don’t have this role, or ROLE_LIMITS, will have the Create Limit Structure and Upload limit structures buttons disabled in the Inventory.
ROLE_UPDATE_STRUCTURE Can update an existing limit structure. Users that don’t have this role, or ROLE_LIMITS, will have the Limit Structure form elements in the Limits viewer disabled.
ROLE_DELETE_STRUCTURE Can delete an existing limit structure. Users that don’t have this role, or ROLE_LIMITS, will have the Delete button disabled in the Limit Structure panel of the Limits viewer.
ROLE_EVALUATE_STRUCTURE Can evaluate a limit structure. Users that don’t have this role, or ROLE_LIMITS, will have the Evaluate button disabled in the Inventory.
ROLE_CREATE_STRUCTURE_LIMIT Can create a new limit on the limit structures that are viewable. Users that don’t have this role, ROLE_CREATE_ANY_LIMIT, or ROLE_LIMITS will have the Add Limit button disabled in the Limits viewer.
ROLE_CREATE_ANY_LIMIT Can create a new limit on any limit structure. Users that don’t have this role, or ROLE_LIMITS, will have the Upload limits button disabled in the Inventory.
ROLE_UPDATE_LIMIT Can update an existing limit. Users that don’t have this role, or ROLE_LIMITS, will have the Edit limit icon disabled for each limit in the Limits viewer.
ROLE_DELETE_LIMIT Can delete an existing limit. Users that don’t have this role, or ROLE_LIMITS, will have the Delete limit icon disabled for each limit in the Limits viewer, as well as the Delete button above the Limits table.
ROLE_CREATE_TEMP_LIMIT Can create a temporary limit. Users that don’t have this role, or ROLE_LIMITS, will have the Create temporary limit button disabled for each limit in the Limits viewer.
ROLE_COPY_LIMIT Can copy an existing limit. Users that don’t have this role, or ROLE_LIMITS, will have the Copy limit icon disabled for each limit in the Limits viewer.
ROLE_DOWNLOAD_LIMIT Can download limits and structures as CSV files. Users that don’t have this role, or ROLE_LIMITS, will have the Download icon disabled in the Inventory.
ROLE_APPROVE_REJECT_LIMIT* Can approve or reject a limit. Users that don’t have this role, or ROLE_LIMITS, will have the Approve and Reject buttons hidden in the Limit Structure panel of the Limits viewer.
ROLE_PROCESS_INCIDENT* Can review breaches and comment on warnings. Users that don’t have this role, or ROLE_LIMITS, will have the Review and Comment buttons hidden, as well as the Process icon disabled for each incident in the Status.

Workflow action roles

Roles marked with an asterisk in the table above are permissions for workflow actions (here the asterisk does not mean "required", as it does in the general roles table). These permissions are enforced by Limits, not by Activiti. It is possible to configure the workflow to control access via Activiti, but this is not the default behavior.

To customize access to the default Limits workflow actions, use the permission roles above. If you have a custom workflow, you can control access to it via the enabled flag in WorkflowTaskActionDTO. Refer to the documentation on defining task Spring beans for more information on custom workflow actions in Limits.
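The precedence rules above (ROLE_READ_ONLY disables everything, ROLE_LIMITS enables everything else, otherwise each action needs its own role, with Add Limit accepting either of two roles) are easy to get wrong when reimplemented, for example in a custom front end or an access-review script. The following is an added example, not Atoti Limits code: it encodes the table as data, applies the precedence in one function, and evaluates the role sets of the default users listed on this page. The Action names are shorthand for the buttons the table describes, and the DEFAULT_USERS dictionary is constructed from the default-user table.

```python
"""Added example: evaluate which UI actions a set of permission roles enables,
following the precedence rules of the Atoti Limits permission-role table.
Not Atoti Limits code; Action names are shorthand for the buttons described."""
from enum import Enum


class Action(Enum):
    CREATE_STRUCTURE = "Create / Upload limit structures (Inventory)"
    UPDATE_STRUCTURE = "Edit Limit Structure form (Limits viewer)"
    DELETE_STRUCTURE = "Delete limit structure"
    EVALUATE_STRUCTURE = "Evaluate (Inventory)"
    ADD_LIMIT = "Add Limit (Limits viewer)"
    UPLOAD_LIMITS = "Upload limits (Inventory)"
    UPDATE_LIMIT = "Edit limit"
    DELETE_LIMIT = "Delete limit"
    CREATE_TEMP_LIMIT = "Create temporary limit"
    COPY_LIMIT = "Copy limit"
    DOWNLOAD = "Download limits/structures as CSV"
    APPROVE_REJECT = "Approve / Reject limit (workflow action)"
    PROCESS_INCIDENT = "Review breaches / comment on warnings (workflow action)"


ROLE_READ_ONLY = "ROLE_READ_ONLY"
ROLE_LIMITS = "ROLE_LIMITS"

# Roles that enable each action; holding any one of them suffices. Add Limit
# is the only action in the table with two alternative roles.
ACTION_ROLES: dict[Action, frozenset[str]] = {
    Action.CREATE_STRUCTURE: frozenset({"ROLE_CREATE_STRUCTURE"}),
    Action.UPDATE_STRUCTURE: frozenset({"ROLE_UPDATE_STRUCTURE"}),
    Action.DELETE_STRUCTURE: frozenset({"ROLE_DELETE_STRUCTURE"}),
    Action.EVALUATE_STRUCTURE: frozenset({"ROLE_EVALUATE_STRUCTURE"}),
    Action.ADD_LIMIT: frozenset({"ROLE_CREATE_STRUCTURE_LIMIT", "ROLE_CREATE_ANY_LIMIT"}),
    Action.UPLOAD_LIMITS: frozenset({"ROLE_CREATE_ANY_LIMIT"}),
    Action.UPDATE_LIMIT: frozenset({"ROLE_UPDATE_LIMIT"}),
    Action.DELETE_LIMIT: frozenset({"ROLE_DELETE_LIMIT"}),
    Action.CREATE_TEMP_LIMIT: frozenset({"ROLE_CREATE_TEMP_LIMIT"}),
    Action.COPY_LIMIT: frozenset({"ROLE_COPY_LIMIT"}),
    Action.DOWNLOAD: frozenset({"ROLE_DOWNLOAD_LIMIT"}),
    Action.APPROVE_REJECT: frozenset({"ROLE_APPROVE_REJECT_LIMIT"}),
    Action.PROCESS_INCIDENT: frozenset({"ROLE_PROCESS_INCIDENT"}),
}


def enabled_actions(roles) -> set[Action]:
    """Apply the table's precedence: read-only beats everything, then the
    full-access role, then the per-action roles."""
    granted = set(roles)
    if ROLE_READ_ONLY in granted:
        return set()  # disabled even if ROLE_LIMITS is also held
    if ROLE_LIMITS in granted:
        return set(Action)
    return {action for action, needed in ACTION_ROLES.items() if granted & needed}


# Constructed from the default-user table on this page (login: roles).
DEFAULT_USERS = {
    "user1": {"ROLE_USER", "ROLE_USERS", "ROLE_ACTIVITI_USER", "ROLE_CS_ROOT", "ROLE_LIMITS"},
    "manager1": {"ROLE_USER", "ROLE_MANAGERS", "ROLE_ACTIVITI_USER", "ROLE_CS_ROOT",
                 "ROLE_EVALUATE_STRUCTURE"},
    "admin": {"ROLE_ADMIN", "ROLE_CS_ROOT", "ROLE_USERS", "ROLE_MANAGERS", "ROLE_USER",
              "ROLE_ACTIVITI_USER", "ROLE_ACTIVITI_ADMIN", "ROLE_LIMITS"},
    "restrictedUser": {"ROLE_USER", "ROLE_USERS", "ROLE_ACTIVITI_USER", "ROLE_CS_ROOT",
                       "ROLE_READ_ONLY"},
}


def report(users=DEFAULT_USERS) -> dict[str, list[str]]:
    """Sorted names of the enabled actions per user, as an access review would list them."""
    return {name: sorted(a.name for a in enabled_actions(roles)) for name, roles in users.items()}


if __name__ == "__main__":
    for name, actions in report().items():
        print(f"{name}: {', '.join(actions) or '(no actions enabled)'}")
```

Keeping the role-to-action mapping as data rather than as scattered conditionals makes the two special cases explicit: the early return for ROLE_READ_ONLY is the only place the override lives, so a later addition of a new action cannot accidentally bypass it.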

Default users

Default user (login/password) and roles:

user1/user1: ROLE_USER, ROLE_USERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_LIMITS
user2/user2: ROLE_USER, ROLE_USERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_LIMITS
manager1/manager1: ROLE_USER, ROLE_MANAGERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_EVALUATE_STRUCTURE
manager2/manager2: ROLE_USER, ROLE_MANAGERS, ROLE_ACTIVITI_USER, ROLE_EVALUATE_STRUCTURE
admin/admin: ROLE_ADMIN, ROLE_CS_ROOT, ROLE_USERS, ROLE_MANAGERS, ROLE_USER, ROLE_ACTIVITI_USER, ROLE_ACTIVITI_ADMIN, ROLE_LIMITS
restrictedUser/restrictedUser: ROLE_USER, ROLE_USERS, ROLE_ACTIVITI_USER, ROLE_CS_ROOT, ROLE_READ_ONLY

These accounts use their login as password and exist for the reference implementation; do not leave them in place in a deployment that is reachable beyond a local test environment.