You can dynamically restrict access to specific cases or assign privileged users through Bizagi expressions (business rules executed during the process).
This section describes how to grant or revoke access to specific users by relying on the Case security feature.
Bizagi provides a set of functions to add or remove users from the Privileged users list of open cases using an Expression.
These functions allow you to:
•Add a user
•Add a user list
•Remove a user
•Remove a user list
Expressions to allow or restrict access
The following functions are available from rules to allow or restrict access:
•CHelper.GrantCaseAccess (int idCase, int idUser): adds the user to the list of privileged users.
•CHelper.GrantCaseAccessToUsers (int idCase, Array Users): adds multiple users to the list of privileged users.
•CHelper.RevokeCaseAccess (int idCase, int idUser): removes a user from the list of privileged users.
•CHelper.RevokeCaseAccessToUsers (int idCase, Array Users): removes multiple users from the list of privileged users.
Note that these functions expect two parameters: the unique case identifier and the user identifier(s). When the function receives a single user, pass that user's identifier. When it receives multiple users, pass an array of user identifiers. The identifiers are integers that Bizagi creates automatically and that are unique for each record, so each case has its own unique identifier, as does each user. NEVER, UNDER ANY CIRCUMSTANCES, type the integer identifier into the expression as a fixed value. Bizagi provides a number of methods to obtain the IDs. For example, the method CHelper.getUsersForRole returns an array of user IDs belonging to a particular role.
To get case identifiers, we recommend these functions:
•Me.Case.Id: returns the case ID for the current case.
•CHelper.getSiblingProcessesId (Me, iWfClassId): returns an array of the case IDs of the Sub-Processes that were all created from the current Sub-Process' parent Process.
•CHelper.getSubProcessesId (Me): returns an array of the case IDs of all Sub-Processes of the current parent Process.
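The rule against typing identifiers as fixed values can be checked mechanically when expressions are reviewed. The following JavaScript is an added example, not Bizagi code and not part of the original page: it scans expression text for the four access functions listed above and reports integer literals (or variables assigned an integer literal) passed as the case or user argument. The names findHardCodedIds and SAMPLE_RULE and the sample expression are constructed for illustration, and the check is a text heuristic rather than a parser of Bizagi's rule language.

```javascript
// Added example (not Bizagi code): flag hard-coded IDs passed to the case-access functions.
// Function and parameter names come from the page; SAMPLE_RULE is constructed.
const CALL = /CHelper\s*\.\s*((?:Grant|Revoke)CaseAccess(?:ToUsers)?)\s*\(/g;
const isLiteral = (a) => /^\d+$/.test(a) || /^\[\s*\d+(\s*,\s*\d+)*\s*\]$/.test(a);
const blank = (m) => m.replace(/[^\n]/g, " "); // blank out comments, keep line numbers
const stripComments = (s) => s.replace(/\/\*[\s\S]*?\*\//g, blank).replace(/\/\/[^\n]*/g, blank);

// Split an argument list on top-level commas only.
function splitArgs(text) {
  const args = []; let depth = 0, cur = "", quote = null;
  for (const ch of text) {
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === "(" || ch === "[") depth++;
    else if (ch === ")" || ch === "]") depth--;
    if (ch === "," && depth === 0 && !quote) { args.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}

function findHardCodedIds(source) {
  const code = stripComments(source);
  const literalVars = new Map(); // variables assigned a bare integer, e.g. `var auditor = 37;`
  for (const m of code.matchAll(/([A-Za-z_]\w*)\s*=\s*(\d+)\s*;/g)) literalVars.set(m[1], m[2]);
  const findings = [];
  for (const m of code.matchAll(CALL)) {
    const start = m.index + m[0].length;
    let end = start, depth = 1; // walk to the parenthesis that closes the call
    for (; end < code.length && depth > 0; end++) depth += code[end] === "(" ? 1 : code[end] === ")" ? -1 : 0;
    const line = code.slice(0, m.index).split("\n").length;
    splitArgs(code.slice(start, end - 1)).forEach((arg, pos) => {
      if (!isLiteral(arg) && !literalVars.has(arg)) return;
      const param = pos === 0 ? "idCase" : m[1].endsWith("ToUsers") ? "Users" : "idUser";
      const value = literalVars.has(arg) ? `${arg}=${literalVars.get(arg)}` : arg;
      findings.push({ line, func: m[1], param, value });
    });
  }
  return findings;
}

const SAMPLE_RULE = `CHelper.GrantCaseAccess(Me.Case.Id, ViceId);
// CHelper.GrantCaseAccess(1905, 12);
CHelper.GrantCaseAccess(1905, ViceId);
var auditor = 37;
CHelper.RevokeCaseAccess(Me.Case.Id, auditor);
CHelper.GrantCaseAccessToUsers(Me.Case.Id, [12, 15]);`;
console.log(findHardCodedIds(SAMPLE_RULE));
```

A variable that is first assigned a literal and later reassigned from a lookup is still reported, so treat each finding as a prompt for manual review.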
Example of Case security using expressions
In a Purchase Request Process the information needs to be restricted so that only the creator and the supervisor can access the information. According to what was explained above, all users who are assigned during the case will have access.
The creator user, by definition, is automatically added to the list of privileged users. However, the user's supervisor must be added through an expression so that he/she has access to the case from the beginning. To achieve this, you must set the process to have Private case security. Then add an expression to include the user's supervisor as a privileged user.
1. From the Expert View access the Process properties by right-clicking the current version.
2. Select Private as the case security to restrict access to the case information for all users except those regarded as privileged users. Then click OK.
3. In step 4 of the Process Wizard, go to Activity Actions to create an expression. Select the action to be On enter. The rule should add the creator's supervisor to the list of privileged users.
//Obtain the direct supervisor
//Grant Access to the supervisor
Now let us test if the expression works. Suppose we have three users:
•CreatorUser: It will be the user who created the case.
•Boss: The supervisor of the CreatorUser.
•RestrictedUser: The user that must be disallowed access.
Log in as the CreatorUser and create a new Purchase Request case.
The CreatorUser is automatically included as a privileged user and so he/she can consult the cases at any time. Enter the case number in the search field. For this example it will be 1905.
If you click Case Number you will be able to see the case information.
Similarly the Boss user, who previously was granted access as the Creator's supervisor, will have access rights.
If you log in as the RestrictedUser, you will not be able to access the case. It will appear as if the case didn't exist.
Expression to add a Privileged user
In a Purchase Request Process we need to restrict the information to only allow privileged users to access the case (creator and assignees). Additionally we wish to include the Commercial Vice President, who has no assignment in such cases, as a privileged user. Therefore the user must be added using an expression. To do this, we store the Commercial Vice President user in a parametric table to easily access and administer the user's ID when called for. This parametric table is associated with the Purchase Request Process.
In step 4 of the Process Wizard, select the Activity Actions to create an expression On Enter of the Activity.
The expression adds the Vice President to the list of privileged users. The Vice president's ID is located in the parametric table previously created and assigned to a variable. This variable, in turn, is passed to the function call that grants the access.
//Obtain VicePresident User
var ViceId=CHelper.getEntityAttrib("Userwithaccess","Usertograntaccess","Code ='CVP'","");
//Grant access to VicePresident
CHelper.GrantCaseAccess(Me.Case.Id,ViceId);
Expression to add multiple Privileged users
In a Purchase Request Process we need to restrict the information to only allow privileged users to access the case (creator and assignees). Additionally we wish to include the Commercial Vice President and the President, who both have no assignment in such cases, as privileged users. Therefore the users must be added using an expression. To do this, we store both users, Commercial Vice President and President, in a parametric table to easily access and administer the users' IDs when called for. This parametric table is associated with the Purchase Request Process.
In step 4 of the Process Wizard, select Activity Actions to create an expression On Enter of the activity.
The following expression adds all users found in the parametric table, that is the President and Vice President. The user ID of each record found in the parametric table is stored in an array. This array is passed to the function call to add the privileged users.
//Obtain list of all users in the 'Users with access' table
//Go through the list
for (Counter=0; UserstoAdd.Length>Counter;Counter++)
//Validate there are no duplicities
//Grant Access to users