Manage privileges through expressions



Overview

You can dynamically restrict access to specific cases or assign privileged users through Bizagi expressions (business rules executed during the process).

This section describes how to grant or revoke access to specific users by relying on the Case security feature.

Bizagi provides a set of functions to add or remove users from the Privileged users list of open cases using an Expression.

These functions allow you to:

Add a user

Add a user list

Remove a user

Remove a user list

 

Expressions to allow or restrict access

The following API is available from rules, in order to allow or restrict access:

 

CHelper.GrantCaseAccess (int idCase, int idUser): adds the user to the list of privileged users.

CHelper.GrantCaseAccessToUsers (int idCase, Array Users): adds multiple users to the list of privileged users.

CHelper.RevokeCaseAccess (int idCase, int idUser): Removes a user from the list of privileged users.

CHelper.RevokeCaseAccessToUsers (int idCase, Array Users): Removes multiple users from the list of privileged users.

 

Note that these functions expect two parameters: the unique case identifier and the user identifier or identifiers. When the function receives only one user, the user's identifier must be entered. When it receives multiple users, an array of user identifiers is required. The identifiers are integers that Bizagi creates automatically and that are unique for each record, so each case has its own unique identifier, as does each user. Never, under any circumstances, type the identifier number into the expression as a fixed value. Bizagi provides a number of methods to obtain the IDs. For example, the method CHelper.getUsersForRole returns an array of user IDs belonging to a particular role.

 

To get case identifiers, we recommend these functions:

 

Me.Case.Id: returns the case ID for the current case.

CHelper.getSiblingProcessesId (Me, iWfClassId): returns an array of Sub-Process case IDs that are all created from the current Sub-Process' parent Process.

CHelper.getSubProcessesId (Me): returns an array of case IDs that are all Sub-Processes of the current parent Process.
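The functions listed above can be combined so that no user or case ID is ever typed into a rule. The following pair of rules is an added example, not taken from the Bizagi documentation: the role name "PurchaseAuditor" is hypothetical, getUsersForRole is assumed to take the role name as a string, and the returned collections are assumed to expose Count.

```bizagi
// Added example, not Bizagi's own code.
// Assumptions: "PurchaseAuditor" is a hypothetical role name;
// getUsersForRole is assumed to accept the role name as a string;
// returned collections are assumed to expose Count
// (use Length if your version returns plain arrays).

// ---- Rule 1: On enter of the first activity ----

// Resolve the user IDs at run time instead of hard-coding them
var Auditors = CHelper.getUsersForRole("PurchaseAuditor");

// Grant access to the current (parent) case
CHelper.GrantCaseAccessToUsers(Me.Case.Id, Auditors);

// Grant the same users access to every Sub-Process case of this parent
var SubCases = CHelper.getSubProcessesId(Me);
for (var i = 0; i < SubCases.Count; i++)
{
    CHelper.GrantCaseAccessToUsers(SubCases[i], Auditors);
}

// ---- Rule 2: On exit of the activity after which access is no longer needed ----

// Resolve the role members again: membership may have changed since Rule 1
var AuditorsNow = CHelper.getUsersForRole("PurchaseAuditor");

// Remove them from the privileged users list of the parent case
CHelper.RevokeCaseAccessToUsers(Me.Case.Id, AuditorsNow);

// ...and from every Sub-Process case
var SubCasesNow = CHelper.getSubProcessesId(Me);
for (var j = 0; j < SubCasesNow.Count; j++)
{
    CHelper.RevokeCaseAccessToUsers(SubCasesNow[j], AuditorsNow);
}
```

Because Rule 2 resolves the role again, a user who left the role between the two rules is not in the revoke list and keeps the access granted by Rule 1; persist the granted IDs in the case data if the revoke must match the grant exactly.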

 

 

Example of Case security using expressions

In a Purchase Request Process the information needs to be restricted so that only the creator and the supervisor can access the information. According to what was explained above, all users who are assigned during the case will have access.

 

The creator user, by definition, will automatically be added to the list of privileged users. However, the user's supervisor must be added through an expression, so he/she can have access to the case from the beginning. To achieve this, you must set the process to have Private case security. Then add an expression to include the user's supervisor as a privileged user.

 

1. From the Expert View access the Process properties by right-clicking the current version.

 


 

2. Select Private as the case security to restrict access to case information for all users except those regarded as privileged users. Then click OK.

 


 

3. In step 4 of the Process Wizard, go to Activity Actions to create an expression. Select the action to be On enter. The rule should add the creator's supervisor to the list of privileged users.

 


 

//Obtain the direct supervisor

Boss=Me.Case.WorkingCredential.UserProperties['idbossuser'];

//Grant Access to the supervisor

CHelper.GrantCaseAccess(Me.Case.Id,Boss);

 

Now let us test if the expression works. Suppose we have three users:

 

CreatorUser: It will be the user who created the case.

Boss: The supervisor of the CreatorUser.

RestrictedUser: The user that must be disallowed access.

 


 

Log in as the CreatorUser and create a new Purchase Request case.

 


 

The CreatorUser is automatically included as a privileged user and so he/she can consult the case at any time. Enter the case number in the search field. For this example it will be 1905.

 

 


 

If you click Case Number you will be able to see the case information.

 

 


 

Similarly the Boss user, who previously was granted access as the Creator's supervisor, will have access rights.

 


 

If you log in as the RestrictedUser, you will not be able to access the case. It will appear as if the case didn't exist.

 


 

Expression to add a Privileged user

In a Purchase Request Process we need to restrict the information to only allow privileged users to access the case (creator and assignees). Additionally we wish to include the Commercial Vice President, who has no assignment in such cases, as a privileged user. Therefore the user must be added using an expression. To do this, we store the Commercial Vice President user in a parametric table to easily access and administer the user's ID when called for. This parametric table is associated with the Purchase Request Process.

 


 
In step 4 of the Process Wizard, select the Activity Actions to create an expression On Enter of the Activity.

 


 

 
The expression adds the Vice President to the list of privileged users. The Vice President's ID is read from the parametric table created previously and assigned to a variable. This variable, in turn, is passed to the function call that grants the access.

 


 

//Obtain VicePresident User

var ViceId=CHelper.getEntityAttrib("Userwithaccess","Usertograntaccess","Code ='CVP'","");

//Grant access to VicePresident

CHelper.GrantCaseAccess(Me.Case.Id,ViceId);

 

Expression to add multiple Privileged users

In a Purchase Request Process we need to restrict the information to only allow privileged users to access the case (creator and assignees). Additionally we wish to include the Commercial Vice President and the President, who both have no assignment in such cases, as privileged users. Therefore the users must be added using an expression. To do this, we store both users, Commercial Vice President and President, in a parametric table to easily access and administer the users' IDs when called for. This parametric table is associated with the Purchase Request Process.

 

 


 

In step 4 of the Process Wizard, select Activity Actions to create an expression On Enter of the activity.

 


 

 
The following expression adds all users found in the parametric table, that is, the President and the Vice President. The user ID of each record found in the parametric table is stored in an array. This array is passed to the function call to add the privileged users.

 

 


 

 

//Obtain list of all users in the 'Users with access' table
UserstoAdd=CHelper.CEntityManager.GetEntity("Userswithaccess").GetEntityList("","","","");

//Array that collects the user IDs to grant access to
MyArray=new ArrayList();

//Go through the list
for (Counter=0; UserstoAdd.Length>Counter; Counter++)
{
 IdUser=UserstoAdd[Counter].Attributes["Usertograntaccess"].Value;

 //Validate there are no duplicates
 if(!MyArray.Contains(IdUser))
 {
     //Store users
     MyArray.Add(IdUser);
 }
}

//Grant access to users once the list is complete
CHelper.GrantCaseAccessToUsers(Me.Case.Id,MyArray);