Security for Requests
Permissions and Data Access
The following table describes the permissions and data access that are required for request workflow actions.
Table 24-3 Request Actions and Permissions
To perform this request workflow action: | You need this permission: |
---|---|
Assign a request |
You must have at least one of these roles or permissions:
|
Be assigned a request |
Participant (Write) access on at least one data chain object in every viewpoint in a request, as follows:
|
Be added as a collaborator on a request | Participant (Write) on at least one data chain object in
at least one viewpoint in the request.
The request actions and property access for request items in a request are determined by the data access permissions on both the request assignee and the collaborator, as follows:
|
Make changes to a request using a request load file |
|
Create a subscription |
You must have all of these permissions:
|
Be eligible to be assigned as a default or alternate assignee of a subscription |
|
Approve a request | None, initially.
When you add user or group to a policy for a data object, that user or group is granted implicit Participant (Read) permission on that data object. See Configuring Policies |
Enrich a request during approval stage | Because enrichers are approvers, they are automatically granted implicit Participant (Read) permission on the data objects in the approval policy. In order to make changes during enrichment, enrichers must also have Participant (Write) on the data chain objects in the request that they want to change. Enrichers can edit request items according to their data access and permissions. |
Users
This section describes actions users and Service Administrators can perform on completed and draft requests.
Draft Requests
- Current assignees:
- Perform request actions according to their permissions and data access
- Load request items
- Delete request items
- Submit the request
- Download the request items to a file
- Add, edit, or delete comments and attachments
- Previous participants:
- View request items, comments, and attachments
- Add request comments and attachments
- Inspect the request
- Validate the request
- Inspect, validate, and compare viewpoints in the request
- Download the request items to a file
The creator of a request comment or attachment can edit the comment or attachment while the request is in Draft status.
Completed Requests
Users can see completed requests if they have Participant (Read) access to the view in which the request was made.
Note:
Completed requests cannot be modified, as they provide a historical audit trail.Service Administrators
Service Administrators can view all requests.
Service Administrators can modify or delete a draft request if they are the current assignee.
Note:
A Service Administrator can be designated as the assignee for a request if they have Participant (Write) permission on the data for which the request was made.Service Administrators can not modify or submit requests that they are not assigned to, nor can they approve, reject, or push back requests that they are not approvers on.