Configuring access roles
After setting up your preferred identity provider solution, you will need to add the desired access roles in the application configuration for the FlowX Engine.

Access to REST API

To restrict API calls by user role, you will need to add the user roles in the application config:
    security:
      pathAuthorizations:
        - path: "/api/**"
          # either "ANY_AUTHENTICATED_USER" or a role defined in the identity provider,
          # for example "USER_ROLE_FROM_IDENTITY_PROVIDER"
          rolesAllowed: "ANY_AUTHENTICATED_USER"

Access to a process definition

You can restrict access to process definitions by user roles. This can be done by setting the desired operation permissions on a process definition.
Start by adding the needed roles in the database. These need to match the roles configured in the identity provider solution. Each role can have one or more permissions defined on it. Permissions can be applied to all users or only to the owner of the specific resource (for example the person that started the process instance).
After saving a new process definition, you can also save specific user roles for it to restrict user access.
Access rights can be defined on the following operations that can be performed on a process definition:
  • starting a new instance of the process definition
  • viewing the instance of that process definition
Here's an example of setting operation permissions for a process definition:
    {
      "START": ["PROCESS_START"],
      "VIEW": ["PROCESS_VIEW", "PROCESS_VIEW_ALL"]
    }
where START and VIEW are the possible operations to be performed on the definitions and PROCESS_START, PROCESS_VIEW, PROCESS_VIEW_ALL are permissions stored in the database.

Access to actions from process definitions

Operation permissions can also be set on specific nodes in order to restrict the access to the actions defined on that node. This can be done in a similar way to setting operation permissions on process definitions. The operation name to be used for nodes is NODE_RUN.
Because nodes also hold the definitions for the user interface, node permissions also decide which user roles can see a certain UI template. If access to a node is restricted, the templates linked to it can only be viewed by users who have the NODE_RUN permission on that node.

Restrict permissions to process instance owner

Access to certain actions on a process instance can be restricted to the process instance owner (the user that started the process instance). To add this restriction, the only_by_owner value must be set to true for each permission. Also, an attribute named username must be defined in the identity provider configuration for each platform user. This attribute will be used for checking the process instance owner.
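
The checks described in the sections above (operation permissions on a definition or node, and the owner restriction), written out as a simplified model. This is an added example, not FlowX Engine code; the role names ROLE_CLIENT and ROLE_BACKOFFICE, the data layout and the is_allowed helper are assumptions made for illustration.

```python
# Added illustration: a simplified model of the checks described above,
# not FlowX Engine code. Role names and the data layout are assumptions.

# Operation permissions saved on a process definition (same shape as the page's JSON).
DEFINITION_PERMISSIONS = {
    "START": ["PROCESS_START"],
    "VIEW": ["PROCESS_VIEW", "PROCESS_VIEW_ALL"],
}

# Roles (matching identity-provider roles) -> permission -> only_by_owner flag.
# Constructed sample data; ROLE_CLIENT and ROLE_BACKOFFICE are hypothetical.
ROLE_PERMISSIONS = {
    "ROLE_CLIENT": {"PROCESS_START": False, "PROCESS_VIEW": True},
    "ROLE_BACKOFFICE": {"PROCESS_VIEW_ALL": False},
}


def is_allowed(operation, user_roles, username, operation_permissions,
               instance_owner=None):
    """Return True if a user may perform `operation`.

    An operation with no permissions configured is treated as unrestricted
    (assumption, mirroring "if the access on that node is restricted").
    """
    required = operation_permissions.get(operation)
    if not required:
        return True
    for role in user_roles:
        for permission, only_by_owner in ROLE_PERMISSIONS.get(role, {}).items():
            if permission not in required:
                continue
            if not only_by_owner:
                return True
            # Owner-restricted: compare the IdP `username` attribute with the
            # user who started the instance; a missing value denies access.
            if username and username == instance_owner:
                return True
    return False


if __name__ == "__main__":
    # The owner can view their own instance; another client user cannot.
    print(is_allowed("VIEW", ["ROLE_CLIENT"], "alice", DEFINITION_PERMISSIONS, "alice"))
    print(is_allowed("VIEW", ["ROLE_CLIENT"], "bob", DEFINITION_PERMISSIONS, "alice"))
```

A user whose token lacks the username attribute never passes an owner-restricted check in this model, which is why the attribute has to be defined for each platform user.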

Viewing process instances

Active process instances and their related data can be viewed from the FlowX Designer. A user needs to be assigned to a specific role in the identity provider solution to be able to view this information.
By default, this role is named FLOWX_ADMIN, but its name can be changed from the application configuration of the Engine:
    application:
      flowXAdminRoleName: ${FLOWX_ADMIN_ROLE_NAME:FLOWX_ADMIN}