All P6 Permissions
This section explains which user permissions are required to perform specific actions on the various P6 services.
The permissions are cumulative.
For example, to edit a service you need to:
- have access to the service,
- be able to read the data,
- have the permission to edit service items.
The exception is when you have an admin permission on this service (service_name=*), if it exists.
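A permission-set lint built on the cumulative rule above, as an added example (not P6 code): it flags edit or run grants that lack the view and read permissions they depend on, and unscoped grants such as service_name=* or allow(*). The function names, finding labels and sample set are assumptions made for illustration; the permission strings follow the forms shown in the tables on this page.

```python
import re

# Shape assumed from the tables on this page: feature=action or feature=action(args)
PERM_RE = re.compile(r"^([a-z]+)=(\*|[a-z-]+)(?:\((.*)\))?$")

# Services whose sections on this page use the plain view/read/edit pattern
VIEW_READ_EDIT = {
    "applications", "charges", "bundledresources", "counters", "datamodels",
    "email", "frames", "homepages", "orgs", "reports", "routes",
    "routingorders", "scripts", "storedprocedures", "views", "workflowsteps",
}

def parse(perm):
    """Split one permission string into (feature, action, args or None)."""
    m = PERM_RE.match(perm.strip())
    if m is None:
        raise ValueError(f"unrecognised permission: {perm!r}")
    return m.group(1), m.group(2), m.group(3)

def audit(permset):
    """Return sorted findings for one permission set (a list of strings)."""
    findings, by_feature = set(), {}
    for perm in permset:
        feature, action, args = parse(perm)
        by_feature.setdefault(feature, set()).add(action)
        if action == "*":
            findings.add(f"BROAD {feature}=* grants everything on the service")
        elif args is not None and args.strip("'\" ") == "*":
            # allow(*), submit(*) and read('*') are the unscoped forms
            findings.add(f"BROAD {feature}={action}({args}) is not scoped")
    for feature, actions in by_feature.items():
        if feature not in VIEW_READ_EDIT or "*" in actions:
            continue  # special-cased service, or admin permission present
        # Cumulative rule: edit (and run, for Scripts) needs view and read
        for action in sorted(actions & {"edit", "run"}):
            for need in ("view", "read"):
                if need not in actions:
                    findings.add(
                        f"INCOMPLETE {feature}={action} without {feature}={need}")
    return sorted(findings)

# Constructed sample permission set, not taken from a real instance
SAMPLE_PERMSET = [
    "routes=edit", "scripts=view", "scripts=read", "scripts=run",
    "transactions=view", "transactions=allow(*)", "reports=*",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PERMSET):
        print(finding)
```

Services with their own access forms (Administration, Tables, Transactions, Stripe Payments) are only checked for unscoped grants, not for the view/read/edit dependency.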
Administration
| Feature | Permission |
|---|---|
| Access to the Administration menu entry and the Administration service configuration | admin=view |
| Read users | users=read('./*') |
| Edit users (cannot delete users) | users=edit |
| Do everything on users | users=* |
| Read permission sets | permsets=read('*') |
| Edit permission sets | permsets=edit |
| Do everything on permission sets | permsets=* |
Permissions required to…
- Read only users: admin=view and users=read('./*')
- Edit users: admin=view and users=read('./*') and users=edit
- Administrate users: admin=view and users=read('./*') and users=*
- Read only permissions: admin=view and permsets=read('*')
- Edit permissions: admin=view and permsets=read('*') and permsets=edit
- Administrate permissions: admin=view and permsets=*
- Administrate users and be allowed to assign them a limited list of Permission sets: admin=view and user=read('./*') and users=edit and permsets=read('PermSet1','PermSet2')
Applications
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Applications menu entry and the Applications service configuration | applications=view |
| Read applications | applications=read |
| Edit applications | applications=edit |
| Do everything on the service | applications=* |
Permissions required to…
- Read only: applications=view and applications=read
- Edit: applications=view and applications=read and applications=edit
- Administrate: applications=*
Charges
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Charges menu entry and the Charges service configuration | charges=view |
| Read charges | charges=read |
| Edit charges | charges=edit |
| Do everything on the service | charges=* |
Permissions required to…
- Read only: charges=view and charges=read
- Edit: charges=view and charges=read and charges=edit
- Administrate: charges=*
Bundled Resources
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Bundle Resources menu entry and the Bundled Resources service configuration | bundledresources=view |
| Read bundled resources | bundledresources=read |
| Edit bundled resources | bundledresources=edit |
| Do everything on the service | bundledresources=* |
Permissions required to…
- Read only: bundledresources=view and bundledresources=read
- Edit: bundledresources=view and bundledresources=read and bundledresources=edit
- Administrate: bundledresources=*
Counters
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Counters menu entry and the Counters service configuration | counters=view |
| Read counters | counters=read |
| Edit counters | counters=edit |
| Do everything on the service | counters=* |
Permissions required to…
- Read only: counters=view and counters=read
- Edit: counters=view and counters=read and counters=edit
- Administrate: counters=*
Data Models
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Data Model menu entry and the Data Model service configuration | datamodels=view |
| Read data models | datamodels=read |
| Edit data models | datamodels=edit |
| Do everything on the service | datamodels=* |
Permissions required to…
- Read only: datamodels=view and datamodels=read
- Edit: datamodels=view and datamodels=read and datamodels=edit
- Administrate: datamodels=*
Email Profiles
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Email Profiles menu entry and the Email Profiles service configuration | email=view |
| Read email profiles | email=read |
| Edit email profiles | email=edit |
| Do everything on the service | email=* |
Permissions required to…
- Read only: email=view and email=read
- Edit: email=view and email=read and email=edit
- Administrate: email=*
Frames
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Frames menu entry and the Frames service configuration | frames=view |
| Read frames | frames=read |
| Edit frames | frames=edit |
| Do everything on the service | frames=* |
Permissions required to…
- Read only: frames=view and frames=read
- Edit: frames=view and frames=read and frames=edit
- Administrate: email=*
Home Pages
Note
The edit action includes: customize, create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Home menu entry and the Home Pages service configuration | homepages=view |
| Read home pages | homepages=read |
| Edit home pages | homepages=edit |
| Customize home pages | homepages=customize-own |
| Access to counters when editing home pages | homepages=counters |
| Access to frames when editing home pages | homepages=frames |
| Access to reports when editing home pages | homepages=reports |
| Do everything on the service | homepages=* |
Permissions required to…
- Read only all Home Pages: homepages=view and homepages=read
- Read only a specific Home Page: homepages=view and homepages=read('HomePageName')
- Customize* Home Pages: homepages=view and homepages=read and homepages=customize-own
- Edit/configure Home Pages with Counters, Frames and Reports: homepages=view and homepages=read and homepages=edit and homepages=counters and homepages=frames and homepages=reports
- Administrate Home Pages: homepages=*
* Customizing a Home Page allows a user to apply and save personal changes - like resizing modules, moving them, hiding some, etc.
Local UI Test
To be completed
Organizations
Note
The edit action includes: create, update, delete, export.
| Feature | Permission |
|---|---|
| Access to the Organization menu entry and Organization service configuration | orgs=view |
| Read Nodes in the Organization | orgs=read |
| Edit Nodes in the Organization | orgs=edit |
| Do everything on the service | orgs=* |
Permissions required to…
- Get Node(s) from the Organizational Tree: orgs=view and orgs=read
- Edit Organization: orgs=view and orgs=read and orgs=edit
- Administrate Organization: orgs=*
Warning
- When a node is deleted, all child nodes are also removed.
- A user with the orgs=edit permission can only delete a node below its current assigned node.
Reports
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Reports menu entry and Reports service configuration | reports=view |
| Read reports | reports=read |
| Edit reports | reports=edit |
| Do everything on the service | reports=* |
Permissions required to…
- Read only all Reports: reports=view and reports=read
- Read only specific Reports: reports=view and reports=read('Report1','Report2')
- Edit Reports: reports=view and reports=read and reports=edit
- Administrate Reports: reports=*
Routes
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Routes menu entry and the Routes service configuration | routes=view |
| Read the routes | routes=read |
| Edit and execute the routes | routes=edit |
| Do everything on the service | routes=* |
Permissions required to…
- Read only Routes: routes=view and routes=read
- Edit and execute Routes: routes=view and routes=read and routes=edit
- Administrate Routes: routes=*
Routing Orders
Note
The edit action includes: update, delete and export.
| Feature | Permission |
|---|---|
| Access to the Routing Orders menu entry and the Routing Order service configuration | routingorders=view |
| Read Routing Orders | routingorders=read |
| Edit and reprocess Routing Orders | routingorders=edit |
| Do everything on the Routing Orders service | routingorders=* |
Permissions required to…
- Read only Routing Orders: routingorders=view and routingorders=read
- Edit and reprocess Routing Orders: routingorders=view and routingorders=read and routingorders=edit
- Administrate Routing Orders: routingorders=*
Scripts
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Scripts menu entry and the Scripts service configuration | scripts=view |
| Read Scripts | scripts=read |
| Execute Scripts | scripts=run |
| Edit Scripts | scripts=edit |
| Do everything on the service | scripts=* |
Permissions required to…
- Read only Scripts: scripts=view and scripts=read
- Execute Scripts: scripts=view and scripts=read and scripts=run
- Edit Scripts: scripts=view and scripts=read and scripts=edit
- Administrate Scripts: scripts=*
Stored Procedures
Note
The edit action includes: create, update, rename, duplicate, delete, export and import.
| Feature | Permission |
|---|---|
| Access to the Stored Procedures menu entry and the Stored Procedures service configuration | storedprocedures=view |
| Read stored procedures | storedprocedures=read |
| Edit stored procedures | storedprocedures=edit |
| Do everything on the service | storedprocedures=* |
Permissions required to…
- Read only Scripts: storedprocedures=view and storedprocedures=read
- Edit Scripts: storedprocedures=view and storedprocedures=read and storedprocedures=edit
- Administrate Scripts: storedprocedures=*
Stripe Payments
| Feature | Permission |
|---|---|
| Access to the Stripe Payment menu entry and service configuration | stripe=view |
| Read the data | stripe=read |
| Be assigned to a payment task | workflow=role('Invoice Payers') |
| Pay | stripe=pay |
| Do everything on the Stripe Payment service | stripe=* |
Permissions required to…
- Read only: stripe=view and stripe=read
- Edit: scripts=*
- Pay: workflow=role('Invoice Payers') and stripe=pay
Tables
Note
The edit action includes: create, update, rename, duplicate, export and import.
| Feature | Permission |
|---|---|
| Access to the Tables menu entry and Tables service configuration | tables=view |
| Allow access to all Tables and their records (read-only) | tables=allow(*) |
| Allow access to Table1 and Table 2 (read-only) | tables=allow('Table1'(*), 'Table2'(*)) |
| Allow access to the records in Table1 where column1 has the value1 | tables=allow('Table1'('column1'='value1')) |
| Edit the structure of allowed Tables | tables=edit-table |
| Delete the structure of allowed Tables | tables=delete-table |
| Edit records of allowed Tables | tables=edit-data |
| Delete the records on allowed Tables | tables=delete-data |
| Do anything on the Tables service | tables=* |
Permissions required to…
- Read only all Tables: tables=view and tables=allow(*)
- Read only specific Tables: tables=view and tables=allow('Table1(*)','Table2(*)')
- Edit Tables structure: tables=view and tables=allow(*) and tables=edit-table
- Edit Tables structure and data: tables=view and tables=allow(*) and tables=edit-table and tables=edit-data
- Delete Tables structure and records: tables=view and tables=allow(*) and tables=delete-table and tables=delete-data
- Administrate Tables: tables=allow(*) and tables=*
Transactions
A user with transactions=* and transactions=allow(*) permissions will have access to all “Transactions” and “Workflow Tasks”.
Note
The transactions permissions apply to both Transactions and Workflow Tasks.
In order to search and view Transactions and Workflow Tasks, Views are required.
There are two types of Views, for Transactions and for Workflow Tasks.
Access to Transactions
In order to have access to Transactions, the transactions=view permission and a variant of the allow permission are required:
| Feature | Permission |
|---|---|
| Allow access to all types of Transactions (Transactions and Workflow Tasks), across all Views | transactions=allow(*) |
| Allow access to Transactions thanks to a transaction-typed View called TxView1 | transactions=allow('TxView1'(*)) |
| Allow access to Transactions thanks to two transaction-typed Views | transactions=allow('TxView1'(*),'TxView2'(*)) |
| Allow access to Transactions that are assigned to the user’s branch via View TxView1 | transactions=allow('TxView1'(BRANCH)) and orgs=read |
| Allow access to Transactions that are assigned to the user’s unit via View TxView1 | transactions=allow('TxView1'(UNIT)) and orgs=read |
| Allow access to Transactions that are assigned to the user via View TxView1 | transactions=allow('TxView1'(USER)) and orgs=read |
| Allow access to Transactions that are assigned to the user’s email address via View TxView1 | transactions=allow('TxView1'('UserEmail'='%USER.EMAIL%')) |
| Allow access to Transactions matching a condition on a searchable field of a View | transactions=allow('TxView1'('Searchable_Name'='VALUE')) |
Other Permission sets
| Permission scope | Description |
|---|---|
| transactions=view | The user can search transactions (within the filters specified in allow) and view the content of the transactions. |
| transactions=edit-form | The user can edit and save a transaction, only if a form is provided (formjs for the moment) and only via the form display (no access to XML source). |
| transactions=edit-all | |
| transactions=reprocess | The user can trigger the reprocessing of a transaction. |
| transactions=delete | The user can delete a transaction. |
| transactions=* | The user can view, edit, reprocess and delete a transaction. |
Create a new Transaction
Note
The messages submit library has not been migrated yet, thus the permission’s feature is still messages.
You have to enable a variant of the submit permission:
| Feature | Permission |
|---|---|
| Allow you to create a new transaction by uploading a single file or a bulk of files | messages=submit(*) |
| Allow you to create a new transaction by uploading a file | messages=submit('single') |
| Allow you to create a new transaction by uploading a bulk of files | messages=submit('bulk') |
Views
Note
The edit action includes: create, update, rename, duplicate, export and import.
| Feature | Permission |
|---|---|
| Access to the Views menu entry and Views service configuration | views=view |
| Read the Views | views=read |
| Edit the Views | views=edit |
| Do everything on the Views service | views=* |
Permissions required to…
- Read only Views: views=view and views=read
- Edit Views: views=view and views=read and views=edit
- Administrate Views: views=*
Web Resources
To be completed
Workflow Steps
Note
The edit action includes: create, update, rename, duplicate, export and import.
| Feature | Permission |
|---|---|
| Access to the Workflow Step menu entry and service configuration | workflowsteps=view |
| Read the Workflow Steps | workflowsteps=read |
| Edit the Workflow Steps | workflowsteps=edit |
| Do everything on the Workflow Steps service | workflowsteps=* |
Permissions required to…
- Read only Workflow Steps: workflowsteps=view and workflowsteps=read
- Edit Workflow Steps: workflowsteps=view and workflowsteps=read and workflowsteps=edit
- Administrate Workflow Steps: workflowsteps=*
Workflow Tasks
Access to Workflow Tasks
In order to have access to Workflow Tasks, the transactions=view permission and a variant of the allow permission are required:
| Feature | Permission |
|---|---|
| Allow access to all types of Transactions (Transactions and Workflow Tasks) across all Views | transactions=allow(*) |
| Allow access to Workflow Tasks thanks to a workflow-typed View called WfView1 | transactions=allow('WfView1'(*)) |
| Allow access to Workflow Tasks thanks to two workflow-typed Views | transactions=allow('WfView1'(*),'VfView2'(*)) |
| Allow access to Workflow Tasks that are assigned to the user’s branch via View WfView1 | transactions=allow('WfView1'(BRANCH)) and orgs=read |
| Allow access to Workflow Tasks that are assigned to the user’s unit via View WfView1 | transactions=allow('WfView1'(UNIT)) and orgs=read |
| Allow access to Workflow Tasks that are assigned to the user via View WfView1 | transactions=allow('WfView1'(USER)) and orgs=read |
| Allow access to Workflow Tasks that are assigned to the user’s email address via View WfView1 | transactions=allow('WfView1'('Assignee'='%USER.EMAIL%')) |
| Allow access to Workflow Tasks matching a condition on a searchable field of a View | transactions=allow('WfView1'('Searchable_Name'='Value')) |
Workflow Assignees
On each Workflow Step, there is an <Assignee> section that defines who the Workflow Tasks will be assigned to.
To be part of the Assignees, a user shall have a Permission set that contains the permission defined in the ‘scope’ attribute.
For example, if the Workflow Step contains the following configuration: <Assignee name="PO Approvers" path="/Acme_Prod/Customer_Service" type="UNIT" scope="workflow=role('PO review and approbation')"> then users shall have the workflow=role('PO review and approbation') permission to be part of the assignees.