Users, Groups, External Applications and Permissions

A process application role consists of users and/or groups, and permissions.

Users and Groups

Users and groups for your Process Automation instance are created in Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (IAM). Note that to create users and groups in IDCS or IAM, you have to be assigned the identity domain administrator or user administrator role.

See Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups in Administering Oracle Identity Cloud Service.

See Managing Users and Managing Groups in Oracle Cloud Infrastructure documentation.

Once created, users and groups will be available to be assigned to application and global roles by Process Automation Designers during design and testing. If required, Process Automation Administrators can later update them for production in Workspace.

External applications

You can also authenticate and authorize an external application in a flow. In a business scenario that uses machine-to-machine flows, the process instance and decision services can handle requests that contain bearer tokens generated through the OAuth client credentials flow. To use an external application in a flow, as a prerequisite, you must have an Oracle Cloud Infrastructure Identity and Access Management (IAM) application configured to authenticate a client using the client credentials grant. This results in a scoped bearer token that can access the Process Automation instance.

You can either use the default Oracle Cloud Infrastructure Identity and Access Management (IAM) application created for your Process Automation instance or create a new integrated application and configure it appropriately.

To initiate a Process Automation instance using the client credentials flow, add the external application to a role with Use permission.

Note:

You can perform GET and POST operations at the all-instances level, but only the GET operation on a specific instance.

Permissions

Users, groups, and/or external applications added to a process application role must be assigned one of four permissions, listed in the table below from the least access to the most: Inspect grants the least control and Manage grants the most. Each permission includes everything granted by the one before it. Behind the scenes, permissions use a data access control (DAC) model.

Permission: Inspect

Description: Allows users to list tasks and processes, but not view their details.

For example, users assigned the Inspect permission can review a list of pending tasks without going into individual tasks and seeing their details.

Target Users: Viewers

Users who want to get an overview of pending tasks in a process application.

Permission: Read

Description: Allows users to Inspect plus the ability to perform the following:

  • View details of processes and their activities, including attachments and comments.
  • View a process's task audits.

Target Users: Reviewers

Users who want to view details and review tasks and processes in a process application.

Permission: Use

Description: Allows users to Read plus the ability to perform the following:

  • Start an application.
  • Work on processes.
  • Work on tasks, such as adding comments and attachments.

Target Users: Users/Process Users

Users who want to review as well as work on tasks and processes in a process application.

Permission: Manage

Description: Allows users to Use plus the ability to perform the following:

  • Withdraw and reassign tasks.
  • Terminate processes and their activities.
  • Alter the flow of a process.
  • View and work on analytics in Workspace.

Target Users: Power Users and Process Application Administrators

Users who want to have maximum permission for a process application.
  • Any user who is assigned the Manage permission automatically becomes a Power User, because such a user has the maximum level of permission for a process application.
  • The Process Application Administrator role by default has Manage permission on all process applications of a Process Automation instance. To assign users to the Process Application Administrator role, see Assign the Process Application Administrator Role.
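
The cumulative permission levels above lend themselves to a least-privilege review of role assignments. The following is an added example, not Oracle code: it models the four levels and flags external applications whose grant differs from Use, plus every principal that reaches Manage. All role, group and principal names are hypothetical, and taking the highest level a principal can reach is a conservative choice for review, not a statement of how the product resolves overlapping roles.

```python
from enum import IntEnum

# Ordered from least to most access, as in the table above (values 1..4).
Permission = IntEnum("Permission", "INSPECT READ USE MANAGE")

# Abilities each level adds on top of the level below it (labels are this example's own).
ADDED = {
    Permission.INSPECT: {"list_tasks_and_processes"},
    Permission.READ: {"view_details", "view_task_audits"},
    Permission.USE: {"start_application", "work_on_processes", "work_on_tasks"},
    Permission.MANAGE: {"withdraw_reassign_tasks", "terminate_processes",
                        "alter_flow", "workspace_analytics"},
}

def abilities(level):
    """Every ability a level carries, including those inherited from lower levels."""
    return set().union(*(ADDED[p] for p in Permission if p <= level))

def highest_grants(roles, groups):
    """Highest level each user or external application reaches, directly or via a group."""
    best = {}
    for _role_name, level, members in roles:
        for member in members:
            for principal in groups.get(member, [member]):  # expand group members
                best[principal] = max(best.get(principal, level), level)
    return best

def review(roles, groups, external_apps):
    """Return findings for grants that deserve a second look before production."""
    findings = []
    for principal, level in sorted(highest_grants(roles, groups).items()):
        if principal in external_apps and level != Permission.USE:
            findings.append(f"{principal}: external application holds {level.name}, not Use")
        elif level == Permission.MANAGE:
            findings.append(f"{principal}: Power User (Manage); confirm this is intended")
    return findings

# Constructed sample data; every name below is hypothetical.
GROUPS = {"claims-team": ["alice", "bob"]}
ROLES = [
    ("Viewer", Permission.INSPECT, ["claims-team"]),
    ("Approver", Permission.MANAGE, ["bob"]),
    ("Intake", Permission.MANAGE, ["intake-client-app"]),
]
EXTERNAL_APPS = {"intake-client-app"}

if __name__ == "__main__":
    for line in review(ROLES, GROUPS, EXTERNAL_APPS):
        print(line)
```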