How Data-Level Security Works with Functional Privileges
Functional privileges are global across all of the data to which a user has been granted access. For example, assume the following two conditions:
The role
HR is granted the functional privileges to start and stop process instances and is granted data-level security access to the
newHire process. As a result, users assigned to the
HR role can view, start, and stop instances of the
newHire process.
The role
Interns is granted data-level security access to the
ProblemReporting process. As a result, users assigned to the
Interns role can view instances of the
ProblemReporting process.
If a user is assigned to both the HR and the Interns roles, because functional privileges are global and the HR role has the privilege to start and stop processes, the user assigned to both roles are able to start and stop not only instances of the newHire process, but also instances of the ProblemReporting process.
If you want to limit privileges, one straight-forward way to do so is to set up two user accounts. For example, assume that you want to give a user the ability to start and stop instances of the newHire process, but you also want that user to be able to only view instances of the ProblemReporting process. For this scenario, you could set up user account joeHR and assign the user account joeHR to the HR role, and then set up user account joeIntern and assign the user account joeIntern to the Interns role. When logged in as joeHR, the user can view, start, and stop newHire process instances. When logged in as joeIntern, the user can only view ProblemReporting instances.
Note:
Data-level security is currently only supported in a single server environment.