User Permissions
Permissions are authorizations to allow access to each application component. You must have required permissions to perform a specific action or a series of actions associated with a task.
Example Use case
For a business flow, some non-admin users in your organization only need to submit documents or trace items ingested in to the application. As an administrator, you assign permissions to users only to submit documents or to trace items.
Permission Types
Permissions define the level of access rights available to you. These
are:
- Administrative permissions: Administrative permissions are mapped to administrator functions. For example, an admin user may have full configuration access or limited configuration access within Intelligent Track and Trace application.
- Non-Administrative permissions: Non-Administrative permissions can be function specific as per business requirement. For example, a non-admin user may have read-only permissions to selective functions.
Transitive permissions
Some permissions depend on other permissions to also be granted. As a user, instead of selecting all the dependent permissions manually, the application determines the dependencies and automatically grants these permissions. This piggy-backing approach further enhances the fine-grained access control capabilities with additional permissions assigned implicitly along-with main permissions.
For example, for a user to invite new trading partners via configurations
page, the user must have the trading partner read permission. Here, TRADING
PARTNER READ permission is a transitive (add-on) permission with
TRADING PARTNER WRITE permission.
Permission Definitions
To control access to various functions, you create permission groups and then assign users to the groups. The permissions that you assign vary depending on the type of function you need to access.
The following table shows the permission mapping to ADMIN, APP_USER, and USER groups: For more information on user groups, see Permission Groups.
| UI Function | Permission | Administrative | Admin | User | App_User | Transitive Permissions | Description |
|---|---|---|---|---|---|---|---|
| Configuration | TRADING_PARTNER_READ | No | Yes | Yes | No | USER_READ, GLOBAL_APP_ SETTINGS_RE AD | Read-only access to Trading Partners Configuration page |
| TRADING_PARTNER_WRITE | Yes | Yes | No | No | TRADING_PAR TNER_READ | Read-write access to Trading Partners Configuration page | |
| DOCUMENT_TYPE_READ | No | Yes | Yes | No | Read-only access to Document Types Configuration page | ||
| DOCUMENT_TYPE_WRITE | Yes | Yes | No | No | DOCUMENT_T YPE_READ | Read-write access to Document Types Configuration page | |
| FLOW_DEFINITION_READ | No | Yes | Yes | No | DOCUMENT_T YPE_READ, TRADING_PAR TNER_READ | Read-only access to Business Flow Templates and Business Flows Configuration pages | |
| FLOW_DEFINITION_WRITE | Yes | Yes | No | No | FLOW_DEFINIT ION_READ | Read-write access to Business Flow Templates and Business Flows Configuration pages | |
| SMART_CONTRACT_READ | Yes | Yes | Yes | No | FLOW_DEFINIT ION_READ, EVENT_ACTIO N_READ, UOM_READ | Read-only access to Smart Contracts Configuration page | |
| SMART_CONTRACT_WRI TE | Yes | Yes | No | No | SMART_CONT RACT_READ | Read-write access to Smart Contracts Configuration page | |
| DOCUMENT_INTEGRATI ON_ENDPOINT_READ | Yes | Yes | Yes | No | FLOW_DEFINIT ION_READ | Read-only access to Document Integration Endpoints page | |
| DOCUMENT_INTEGRATI ON_ENDPOINT_WRITE | Yes | Yes | No | No | DOCUMENT_IN TEGRATION_E NDPOINT_READ | Read-write access to Document Integration Endpoints page | |
| DOCUMENT_INTEGRATI ON_DEFINITION_READ | Yes | Yes | No | No | FLOW_DEFINIT ION_READ | Read-only access to Document Integrations and Activity Log page | |
| DOCUMENT_INTEGRATI ON_DEFINITION_WRITE | Yes | Yes | No | No | DOCUMENT_IN TEGRATION_D EFINITION_READ DOCUMENT_IN TEGRATION_E NDPOINT_WRI TE |
Read-write access to Document Integrations and Activity Log page | |
| OUTBOUND_CONNECTIO N_READ | Yes | Yes | Yes | No | Read-only access to Connections page | ||
| OUTBOUND_CONNECTIO N_WRITE | Yes | Yes | No | No | OUTBOUND_C ONNECTION_R EAD | Read-write access to Connections page | |
| EVENT_ACTION_READ | Yes | Yes | Yes | No | DOCUMENT_T YPE_READ, OUTBOUND_C ONNECTION_R EAD | Read-only access to Event Actions page | |
| EVENT_ACTION_WRITE | Yes | Yes | No | No | EVENT_ACTIO N_READ | Read-write access to Event Actions page | |
| ITEM_TYPE_READ | Yes | Yes | No | No | UOM_READ | Read-only access to Item Types page | |
| ITEM_TYPE_WRITE | Yes | Yes | No | No | ITEM_TYPE_C ODE_WRITE | Read-write access to Item Types page | |
| PACKAGE_TYPE_READ | Yes | Yes | No | No | Read-only access to Package Types page | ||
| PACKAGE_TYPE_WRITE | Yes | Yes | No | No | PACKAGE_TYP E_READ | Read-write access to Package Types page | |
| UOM_READ | No | Yes | Yes | Yes | Read-only access to Units Of Measure page | ||
| UOM_WRITE | Yes | Yes | No | No | UOM_READ | Read-write access to Units Of Measure page | |
| Monitoring | REPORT_TEMPLATES_D EFINITION_READ | Yes | Yes | No | No | Read-only access to Report Templates page | |
| REPORT_TEMPLATES_D EFINITION_WRITE | Yes | Yes | No | No | REPORT_TEMP LATES_DEFINI TION_READ | Read-write access to Report Templates page | |
| USER_READ | No | Yes | Yes | No | Read-only access to Users page / tab | ||
| USER_WRITE | Yes | Yes | No | No | USER_READ | Read-write access to Users page / tab | |
| USER_GROUP_READ | Yes | Yes | No | No | Read-only access to Groups page / tab | ||
| USER_GROUP_WRITE | Yes | Yes | No | No | USER_GROUP_ READ | Read-write access to Groups page / tab | |
| GLOBAL_APP_SETTINGS _READ | No | Yes | Yes | No | Read-only access to Settings page | ||
| GLOBAL_APP_SETTINGS _WRITE | Yes | Yes | No | No | GLOBAL_APP_ SETTINGS_RE AD | Read-write access to Settings page | |
| DOCUMENT_DIAGNOSTI CS | Yes | Yes | No | No | UOM_READ | Access to Document Processing Diagnostics page | |
| NOTIFICATION_READ | No | Yes | Yes | No | UOM_READ | Access to Notifications page | |
| SMART_CONTRACT_PRO POSAL_READ | Yes | Yes | Yes | No | UOM_READ | Access to Smart Contract Proposal page | |
| SIMULATION | Yes | Yes | No | No | FLOW_DEFINIT ION_READ, UOM_READ | Covers simulation definition and running of simulations | |
| Operations | DASHBOARD_READ | No | Yes | Yes | No | FLOW_DEFINIT ION_READ, UOM_READ | Read-only access to Dashboards and Trading Partner operations pages |
| DASHBOARD_WRITE | Yes | Yes | No | No | DASHBOARD_ READ | Read-write access to Dashboards and Trading Partner operations pages | |
| ITEM_TRACE | No | Yes | Yes | No | UOM_READ | Access to Product Tracking operations pages (Packages and Items) | |
| DOCUMENT_TRACE | No | Yes | Yes | No | DOCUMENT_T YPE_READ, UOM_READ | Access to operations pages Business Flows and Documents | |
| DOCUMENT_SUBMIT | No | Yes | Yes | Yes | UOM_READ | Access to Document Receiver REST API and Document Endpoints page |
All permissions are constrained by trading partner type. For example,
FLOW_DEFINITION_WRITE grants founder users full access to flow
configuration screens, whereas endorser users can access and modify only certain
entities. For example, modify viewers of a flow/step where the trading partner is a
submitter.
The following table shows the permission mapping based on current trading partner type:
| UI Component | Permission | Trading Partner Type | Description |
|---|---|---|---|
| Configuration | TRADING_PARTNER_RE AD | Founder | Provides read-only access to Trading Partners Configuration page |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| TRADING_PARTNER_W RITE | Founder | Provides read-write access to Trading Partners Configuration page | |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| DOCUMENT_TYPE_READ | Founder | Provides read-only access to Document Types Configuration page | |
| Endorser | Provides read-only access to Document Types Configuration page | ||
| Participant | Provides read-only access to Document Types Configuration page | ||
| DOCUMENT_TYPE_WRI TE | Founder | Provides read-write access to Document Types Configuration page | |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| FLOW_DEFINITION_READ | Founder | Provides read-only access to Business Flow Templates and Business Flows Configuration pages | |
| Endorser | Provides read-only access to Business Flows Configuration page. | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| FLOW_DEFINITION_WRI TE | Founder | Provides read-write access to Business Flow Templates and Business Flows Configuration pages | |
| Endorser | Provides read-write access to Business Flows Configuration page. Can edit only the steps where the ENDORSER is a submitter and can edit viewers only if it's allowed on a Trading Partner level. | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| SMART_CONTRACT_RE AD | Founder | Provides read-only access to Smart Contracts Configuration page | |
| Endorser | Provides read-only access to Smart Contracts Configuration page. | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| SMART_CONTRACT_W RITE | Founder | Provides read-write access to Smart Contracts Configuration page. (Founder can update contracts only when it's an author.) | |
| Endorser | Provides read-write access to Smart Contracts Configuration page. (Endorser can update contracts only when it's an author.) | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| DOCUMENT_INTEGRATI ON_ENDPOINT_READ | Founder | Provides read-only access to Document Integration Endpoints Configuration page. | |
| Endorser | Provides read-only access to Document Integration Endpoints Configuration page. | ||
| Participant | Provides read-only access to Document Integration Endpoints Configuration page. | ||
| DOCUMENT_INTEGRATI ON_ENDPOINT_WRITE | Founder | Provides read-write access to Document Integration Endpoints Configuration page. | |
| Endorser | Provides read-write access to Document Integration Endpoints Configuration page. | ||
| Participant | Provides read-write access to Document Integration Endpoints Configuration page. | ||
| DOCUMENT_INTEGRATI ON_DEFINITION_READ | Founder | Provides read-only access to Document Integrations Configuration page and Integrations tab on Activity Log Monitoring page. | |
| Endorser | Provides read-only access to Document Integrations Configuration page and Integrations tab on Activity Log Monitoring page. | ||
| Participant | Provides read-only access to Document Integrations Configuration page and Integrations tab on Activity Log Monitoring page. | ||
| DOCUMENT_INTEGRATI ON_DEFINITION_WRITE | Founder | Provides read-write access to Document Integrations Configuration page and Integrations tab on Activity Log Monitoring page. | |
| Endorser | Provides read-write access to Document Integrations Configuration page and Integrations tab on Activity Log Monitoring page. | ||
| Participant | Provides read-write access to Document Integrations Configuration page and Integrations tab on Activity Log Monitoring page. | ||
| OUTBOUND_CONNECTI ON_READ | Founder | Provides read-only access to Connections Configuration page | |
| Endorser | Provides read-only access to Connections Configuration page | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| OUTBOUND_CONNECTI ON_WRITE | Founder | Provides read-write access to Connections Configuration page | |
| Endorser | Provides read-write access to Connections Configuration page | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| EVENT_ACTION_READ | Founder | Provides read-only access to Event Action Configuration page | |
| Endorser | Provides read-only access to Event Action Configuration page | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| EVENT_ACTION_WRITE | Founder | Provides read-write access to Event Action Configuration page | |
| Endorser | Provides read-write access to Event Action Configuration page | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| ITEM_TYPE_READ | Founder | Provides read-only access to Item Types Configuration page and Uploads tab on Activity Log Monitoring page. | |
| Endorser | Provides read-only access to Item Types Configuration page. | ||
| Participant | Provides read-only access to Item Types Configuration page. | ||
| ITEM_TYPE_WRITE | Founder | Provides read-write access to Item Types Configuration page and Uploads tab on Activity Log Monitoring page. | |
| Endorser | Provides read access to Item Types Configuration page and write access to Trading Partner specific item Type code on this page | ||
| Participant | Provides read access to Item Types Configuration page and write access to Trading Partner specific item Type code on this page | ||
| PACKAGE_TYPE_READ | Founder | Provides read-only access to Package Types Configuration page. | |
| Endorser | Provides read-only access to Package Types Configuration page. | ||
| Participant | Provides read-only access to Package Types Configuration page. | ||
| PACKAGE_TYPE_WRITE | Founder | Provides read-write access to Package Types Configuration page. | |
| Endorser | Doesn't provide any functionality. Should be filtered out. | ||
| Participant | Doesn't provide any functionality. Should be filtered out. | ||
| UOM_READ | Founder | Provides read-only access to Units Of Measure Configuration page | |
| Endorser | Provides read-only access to Units Of Measure Configuration page | ||
| Participant | Provides read-only access to Units Of Measure Configuration page | ||
| UOM_WRITE | Founder | Provides read-write access to Units Of Measure Configuration page | |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| REPORT_TEMPLATES_ DEFINITION_READ | Founder | Provides read-only access to Report Templates Configuration page. | |
| Endorser | Provides read-only access to Report Templates Configuration page. | ||
| Participant | Provides read-only access to Report Templates Configuration page. | ||
| REPORT_TEMPLATES_ DEFINITION_WRITE | Founder | Provides read-write access to Report Templates Configuration page. | |
| Endorser | Doesn't provide any functionality. Should be filtered out. | ||
| Participant | Doesn't provide any functionality. Should be filtered out. | ||
| USER_READ | Founder | Provides read-only access to Users tab on User Management Configuration page. | |
| Endorser | Provides read-only access to Users tab on User Management Configuration page. | ||
| Participant | Provides read-only access to Users tab on User Management Configuration page. | ||
| USER_WRITE | Founder | Provides read-write access to Users tab on User Management Configuration page. Founder can update users which are assigned to it and IDCS users. | |
| Endorser | Provides read-write access to Users tab on User Management Configuration page. | ||
| Participant | Provides read-write access to Users tab on User Management Configuration page. | ||
| USER_GROUP_READ | Founder | Provides read-only access to Groups tab on User Management Configuration page. | |
| Endorser | Provides read-only access to Groups tab on User Management Configuration page. | ||
| Participant | Provides read-only access to Groups tab on User Management Configuration page. | ||
| USER_GROUP_WRITE | Founder | Provides read-write access to Groups tab on User Management Configuration page. | |
| Endorser | Provides read access to Groups tab on User Management Configuration page and write access to manage users group membership.. | ||
| Participant | Provides read access to Groups tab on User Management Configuration page and write access to manage users group membership. | ||
| GLOBAL_APP_SETTING S_READ | Founder | Provides read-only access to Settings Configuration page. | |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| GLOBAL_APP_SETTING S_WRITE | Founder | Provides read-write access to Settings Configuration page | |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| Monitoring | DOCUMENT_DIAGNOST ICS | Founder | Provides access to Document Processing Diagnostics Monitoring page. |
| Endorser | Provides access to Document Processing Diagnostics Monitoring page. | ||
| Participant | Provides access to Document Processing Diagnostics Monitoring page. | ||
| NOTIFICATION_READ | Founder | Provides access to Notifications Monitoring page. | |
| Endorser | Provides access to Notifications Monitoring page. | ||
| Participant | Provides access to Notifications Monitoring page. | ||
| SMART_CONTRACT_PR OPOSAL_READ | Founder | Provides access to Smart Contract Proposal Monitoring page. | |
| Endorser | Provides access to Smart Contract Proposal Monitoring page. | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| SIMULATION | Founder | Provides read-write access to Simulations Monitoring page | |
| Endorser | Doesn't provide any functionality. Should be filtered out | ||
| Participant | Doesn't provide any functionality. Should be filtered out | ||
| Operations | DASHBOARD_READ | Founder | Provides access to Trading Partner Operation pages |
| Endorser | Provides access to Trading Partner Operation pages | ||
| Participant | Provides access to Trading Partner Operation pages | ||
| DASHBOARD_WRITE | Founder | Provides access to Trading Partner Operation pages | |
| Endorser | Provides access to Trading Partner Operation pages | ||
| Participant | Provides access to Trading Partner Operation pages | ||
| ITEM_TRACE | Founder | Provides access to Packages and Items Operation pages | |
| Endorser | Provides access to Packages and Items Operation pages | ||
| Participant | Provides access to Packages and Items Operation pages | ||
| DOCUMENT_TRACE | Founder | Provides access to Documents Operation page and pages related to Business Flows Operations | |
| Endorser | Provides access to Documents Operation page and pages related to Business Flows Operations | ||
| Participant | Provides access to Documents Operation page and pages related to Business Flows Operations | ||
| DOCUMENT_SUBMIT | Founder | Provides access to Document Submission Operation page | |
| Endorser | Provides access to Document Submission Operation page | ||
| Participant | Provides access to Document Submission Operation page |