Permissions
A permission is a string of characters structured as follows: feature=action.
It allows the user to perform an action on a feature.
This section explains which user permissions are required to be allowed to perform specific actions on the various P6 services.
The permissions are cumulative.
For example, to edit service items related to a specific service via P6 Portal, you need to:
- have access to the service UI via the Portal,
- be allowed to list and read the service items,
- have the permission to edit service items.
Except if you have an admin permission on this service (service_name=*), if it exists.
A user with a *=* permission can perform any action on the instance. No other permissions are needed.
Accounts (P6 Console)¶
Note
Permission account=read is required everywhere on P6 Console
| Feature | Permission |
|---|---|
| See the ‘Account’ menu entry in P6 Console | account=view |
| Read account information | account=read |
| Edit account information | account=edit |
| Do everything on the service | account=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=viewandaccount=read - edit rights:
account=viewandaccount=readandaccount=edit - full rights:
account=*
Applications¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Applications’ menu entry in P6 Portal | applications=view |
| List and read applications | applications=read |
| Edit applications | applications=edit |
| Delete applications | applications=delete |
| Do everything on the service | applications=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
applications=viewandapplications=read - edit rights:
applications=viewandapplications=readandapplications=edit - delete rights:
applications=viewandapplications=readandapplications=delete - full rights:
applications=*
Application Configurations¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Configuration’ menu entry in P6 Portal | appconfig=view |
| List and read app configurations | appconfig=read |
| Edit app configurations | appconfig=edit |
| Delete app configurations | appconfig=delete |
| Do everything on the service | appconfig=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
appconfig=viewandappconfig=read - edit rights:
appconfig=viewandappconfig=readandappconfig=edit - delete rights:
appconfig=viewandappconfig=readandappconfig=delete - full rights:
appconfig=*
Application Profiles (P6 Console)¶
Note
- The
editaction includes: create, update, assign and unassign to instance.
| Feature | Permission |
|---|---|
| See the ‘Application Profiles’ menu entry in P6 Console | application-profiles=view |
| List and read application profiles | application-profiles=read |
| Edit application profiles | application-profiles=edit |
| Delete application profiles | application-profiles=delete |
| Do everything on the service | application-profiles=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=readandapplication-profiles=viewandapplication-profiles=read - edit rights:
account=readandapplication-profiles=viewandapplication-profiles=readandapplication-profiles=edit(on account) - assign / unassign rights:
account=readandapplication-profiles=viewandapplication-profiles=readandapplication-profiles=edit(on account and instance) - delete rights:
account=readandapplication-profiles=viewandapplication-profiles=readandapplication-profiles=delete - full rights:
account=readandapplication-profiles=*
Bundled Resources¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Bundled Resources’ menu entry in P6 Portal | bundledresources=view |
| List and read bundled resources | bundledresources=read |
| Edit bundled resources | bundledresources=edit |
| Delete bundled resources | bundledresources=delete |
| Do everything on the service | bundledresources=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
bundledresources=viewandbundledresources=read - edit rights:
bundledresources=viewandbundledresources=readandbundledresources=edit - delete rights:
bundledresources=viewandbundledresources=readandbundledresources=delete - full rights:
bundledresources=*
Counters¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Counters’ menu entry in P6 Portal | counters=view |
| List and read counters | counters=read |
| Edit counters | counters=edit |
| Delete counters | counters=delete |
| Do everything on the service | counters=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
counters=viewandcounters=read - edit rights:
counters=viewandcounters=readandcounters=edit - delete rights:
counters=viewandcounters=readandcounters=delete - full rights:
counters=*
Dashboard (P6 Console)¶
Note
The P6 Console dashboard contains information that comes from various services.
Therefore, to view that information, in addition to dashboard=view the following permissions should
be applied: account=read, instances=read (both account and instances) and application-profiles=read.
Otherwise, the dashboard would be available but empty.
| Feature | Permission |
|---|---|
| See the ‘Dashboard’ menu entry and view the dashboard in P6 Console | dashboard=view |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=read,dashboard=view,instances=read(both account and instances) andapplication-profiles=read.
Data Models¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Data Model’ menu entry in P6 Portal | datamodels=view |
| List and read data models | datamodels=read |
| Edit data models | datamodels=edit |
| Delete data models | datamodels=delete |
| Do everything on the service | datamodels=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
datamodels=viewanddatamodels=read - edit rights:
datamodels=viewanddatamodels=readanddatamodels=edit - delete rights:
datamodels=viewanddatamodels=readanddatamodels=delete - full rights:
datamodels=*
Documents¶
Permissions related to documents go with the feature documents or transactions.
| Permission scope | Description |
|---|---|
transactions=view OR transactions=edit-form OR transactions=edit-all OR documents=view |
The user can view the content of a document. |
documents=edit-form |
The user can edit the document, only if a form is provided (formjs for the moment) and only via the form display (no access to source / raw content). |
documents=edit-all |
The user can edit a document via a form if one is provided or its raw content directly. |
documents=* |
The user can view and edit a document. |
Email Profiles¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Email Profiles’ menu entry in P6 Portal | email=view |
| List and read email profiles | email=read |
| Edit email profiles | email=edit |
| Delete email profiles | email=delete |
| Do everything on the service | email=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
email=viewandemail=read - edit rights:
email=viewandemail=readandemail=edit - delete rights:
email=viewandemail=readandemail=delete - full rights:
email=*
Frames¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Frames’ menu entry in P6 Portal | frames=view |
| Read frames | frames=read |
| Edit frames | frames=edit |
| Delete frames | frames=delete |
| Do everything on the service | frames=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
frames=viewandframes=read - edit rights:
frames=viewandframes=readandframes=edit - delete rights:
frames=viewandframes=readandframes=delete - full rights:
email=*
Instances (P6 Console)¶
Note
- The
editaction includes: create and update. - The
readaction includes: download.envfile.
| Feature | Permission |
|---|---|
| See the ‘Instances’ menu entry in P6 Console | instances=view |
| List and view instances | instances=read |
| Edit instance configurations | instances=edit |
| Delete instances | instancess=delete |
| Do everything on the service | instances=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=readandinstances=viewandinstances=read - edit rights:
account=readandinstances=viewandinstances=readandinstances=edit - delete rights:
account=readandinstances=viewandinstances=readandinstances=delete - full rights:
account=readandinstances=*
Home Pages¶
Note
- The
editaction includes: customize, create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Home’ menu entry in P6 Portal | homepages=view |
| List and read home pages | homepages=read |
| Edit home pages | homepages=edit |
| Delete home pages | homepages=delete |
| Customize home pages | homepages=customize-own |
| Access to counters when editing home pages | homepages=counters |
| Access to frames when editing home pages | homepages=frames |
| Access to reports when editing home pages | homepages=reports |
| Do everything on the service | homepages=* |
Permissions required to access the service via P6 Portal with…
- read-only rights on all Home Pages:
homepages=viewandhomepages=read - read-only rights on a specific Home Page:
homepages=viewandhomepages=read('HomePageName') - rights to customize Home Pages:
homepages=viewandhomepages=readandhomepages=customize-own - rights to edit/configure Home Pages with Counters, Frames and Reports:
homepages=viewandhomepages=readandhomepages=editandhomepages=countersandhomepages=framesand `homepages=reports - delete rights on Home Pages:
homepages=viewandhomepages=readandhomepages=delete - full rights on Home Pages:
homepages=*
Customizing a Home Page allows a user to apply and save personal changes - like resizing modules, moving them, hiding some, etc.
Local UI Test¶
To be completed
Organizations¶
Note
- The
editaction includes: create, update. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Organizations’ menu entry in P6 Portal | orgs=view |
| Read nodes in the organizational tree | orgs=read |
| Edit nodes in the organizational tree | orgs=edit |
| Delete Nodes in the Organization | orgs=delete |
| Do everything on the service | orgs=* |
Permissions required to access the service via P6 Portal with…
- rights to get node(s) from the organizational tree:
orgs=viewandorgs=read - rights to edit the organizational tree:
orgs=viewandorgs=readandorgs=edit - rights to delete an organization:
orgs=viewandorgs=readandorgs=delete - full rights:
orgs=*
Warning
- When a node is deleted, all child nodes are also removed.
- A user with the
orgs=deletepermission can only delete a node below it’s current assigned node.
Reports¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Reports’ menu entry in P6 Portal | reports=view |
| List and read reports | reports=read |
| Edit reports | reports=edit |
| Delete reports | reports=delete |
| Do everything on the service | reports=* |
Permissions required to access the service via P6 Portal with…
- read-only rights on all Reports:
reports=viewandreports=read - read-only rights on specific Reports:
reports=viewand `reports=read(‘Report1’,’Report2’) - edit rights on Reports:
reports=viewandreports=readandreports=edit - delete rights on Reports:
reports=viewandreports=readandreports=delete - all rights:
reports=*
Routes¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Routes’ menu entry in P6 Portal | routes=view |
| List and read the routes | routes=read |
| Edit and execute the routes | routes=edit |
| Delete routes | routes=delete |
| Do everything on the service | routes=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
routes=viewandroutes=read - edit and execute rights:
routes=viewandroutes=readandroutes=edit - Delete Routes:
routes=viewandroutes=readandroutes=delete - all rights:
routes=*
Routing Orders¶
Note
- The
editaction includes: update. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Routing Orders’ menu entry in P6 Portal | routingorders=view |
| List and read routing orders | routingorders=read |
| Edit and reprocess routing orders | routingorders=edit |
| Delete Routing Orders | routingorders=delete |
| Do everything on the service | routingorders=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
routingorders=viewandroutingorders=read - edit and reprocess rights:
routingorders=viewandroutingorders=readandroutingorders=edit - delete rights:
routingorders=viewandroutingorders=readandroutingorders=delete - all rights:
routingorders=*
Scripts¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Scripts’ menu entry in P6 Portal | scripts=view |
| List and read scripts | scripts=read |
| Execute scripts | scripts=run |
| Edit scripts | scripts=edit |
| Delete Scripts | scripts=delete |
| Do everything on the service | scripts=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
scripts=viewandscripts=read - execute rights:
scripts=viewandscripts=readandscripts=run - edit rights:
scripts=viewandscripts=readandscripts=edit - delete rights:
scripts=viewandscripts=readandscripts=delete - full rights:
scripts=*
Stored Procedures¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Stored Procedures’ menu entry in P6 Portal | storedprocedures=view |
| List and read stored procedures | storedprocedures=read |
| Edit stored procedures | storedprocedures=edit |
| Delete stored procedures | storedprocedures=delete |
| Do everything on the service | storedprocedures=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
storedprocedures=viewandstoredprocedures=read - edit rights:
storedprocedures=viewandstoredprocedures=readandstoredprocedures=edit - full rights:
storedprocedures=*
Stripe Payments¶
| Feature | Permission |
|---|---|
| See the ‘Stripe Payment’ menu entry in P6 Portal | stripe=view |
| Read the data | stripe=read |
| Be assigned to a payment task | workflow=role('Invoice Payers') |
| Pay | stripe=pay |
| Do everything on the Stripe Payment service | stripe=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
stripe=viewandstripe=read - edit rights:
scripts=* - pay rights:
workflow=role('Invoice Payers')andstripe=pay
Tables¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
allowaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Tables’ menu entry in P6 Portal | tables=view |
| Allow access to all Tables and their records (read-only) | tables=allow(*) |
| Allow access to Table1 and Table 2 (read-only) | tables=allow('Table1'(*), 'Table2'(*)) |
| Allow access to the records in Table1 where column1 has the value1 | tables=allow('Table1'('column1'='value1')) |
| Edit the structure of allowed Tables | tables=edit-table |
| Delete the structure of allowed Tables | tables=delete-table |
| Edit records of allowed Tables | tables=edit-data |
| Delete the records on allowed Tables | tables=delete-data |
| Do anything on the Tables service | tables=* |
Permissions required to access the service via P6 Portal with…
- read-only rights on all Tables:
tables=viewandtables=allow(*) - read-only rights on specific Tables:
tables=viewandtables=allow('Table1(*)','Table2(*)') - edit rights on Tables structure:
tables=viewandtables=allow(*)andtables=edit-table - edit rights on Tables structure and data:
tables=viewandtables=allow(*)andtables=edit-tableandtables=edit-data - delete rights on Tables structure and records:
tables=viewandtables=allow(*)andtables=delete-tableandtables=delete-data - full rights:
tables=allow(*)andtables=*
Transactions¶
A user with transactions=* and transactions=allow(*) permissions will have access to all “Transactions” and “Workflow Tasks”.
Note
The transactions permissions apply to both Transactions and Workflow Tasks.
In order to search and display Transactions and Workflow Tasks, Views are required.
There are two types of Views, for Transactions and for Workflow Tasks.
Access to Transactions
In order to have access to Transactions, the transactions=view permissions and a variant of the allow permission are required:
| Feature | Permission |
|---|---|
| Allow access to all types of Transactions (Transactions and Workflow Tasks), across all Views | transactions=allow(*) |
Allow access to Transactions thanks to a transaction-typed View called TxView1 |
transactions=allow('TxView1'(*)) |
| Allow access to Transactions thanks to two transaction-typed Views | transactions=allow('TxView1'(*),'TxView2'(*)) |
Allow access to Transactions that are assigned to the user’s branch via View TxView1 |
transactions=allow('TxView1'(BRANCH)) and orgs=read |
Allow access to Transactions that are assigned to the user’s unit via View TxView1 |
transactions=allow('TxView1'(UNIT)) and orgs=read |
Allow access to Transactions that are assigned to the user via View TxView1 |
transactions=allow('TxView1'(USER)) and orgs=read |
Allow access to Transactions that are assigned to the user’s email address via View TxView1 |
transactions=allow('TxView1'('UserEmail'='%USER.EMAIL%')) |
| Allow access to Transactions matching a condition on a searchable field of a View | transactions=allow('TxView1'('Searchable_Name'='VALUE')) |
You can use multiple Searchable in the matching condition. All different Searchable will be see as an AND and same Searchable as an OR
Example
-
Searchable combination:
- Permission:
transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy')) - Result: (Searchable_Name=’VALUE’ AND Searchable_Surname=’dummy’)
- Permission:
-
Multiple Searchable:
- Permisson:
transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy', 'Searchable_Surname'='ipsum')) - Result: (Searchable_Name=’VALUE’ AND (Searchable_Surname=’dummy’ OR Searchable_Surname=’ipsum’))
- Permisson:
Other Permission sets
| Permission scope | Description |
|---|---|
transactions=view |
The user can search transactions (within the filters specified in allow) and view the content of the transactions. |
transactions=edit-form |
The user can edit and save a transaction, only if a form is provided (formjs for the moment) and only via the form display (no access to XML source). |
transactions=edit-all |
The user can view, edit and save a transaction. Changing the values of the element that constitutes the keys of the transaction will currently create a new transaction (it is an upsert). |
transactions=reprocess |
The user can trigger the reprocessing of a transaction. |
transactions=delete |
The user can delete a transaction. |
transactions=* |
The user can view, edit, reprocess and delete a transaction. |
Create a new Transaction
Note
The messages submit library has not been migrated yet, thus the permission’s feature is still messages.
You have to enable a variant of the submit permission:
| Feature | Permission |
|---|---|
| See the ‘Create transaction’ and ‘Upload files’ buttons and be allowed to submit files in order to create transactions | messages=submit(*) |
| See the ‘Create transaction’ button and be allowed to submit one or more files in order to create a single transaction | messages=submit('single') |
| See the ‘Upload files’ button and be allowed to submit one or more files in order to create one to multiple transactions | messages=submit('bulk') |
Transaction Events (P6 Console)¶
| Feature | Permission |
|---|---|
| View the ‘Transaction Events’ menu in P6 Console | transaction-events=view |
| Search and view transaction statistics and events | transaction-events=read |
| Do everything on the service | transaction-events=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=readandtransaction-events=viewandtransaction-events=read - full rights:
account=readandtransaction-events=*
User Administration¶
| Feature | Permission |
|---|---|
| See the ‘User Administration’ menu entry in P6 Portal | admin=view |
| List and read users | users=read('./*') |
| Create and Edit users (cannot delete users) | users=edit |
| Edit users (cannot delete users) | users=update |
| Allows SSO users ONLY to set a password, not required for non-SSO users | users=assign-password |
| Allows SSO users ONLY to delete their account, not required for non-SSO users | users=delete-account |
| Do everything on users | users=* |
| List and read permission sets | permsets=read('*') |
| Edit permission sets | permsets=edit |
| Do everything on permission sets | permsets=* |
| List and read integrations | integrations=read |
| Edit integrations | integrations=edit |
| List and read SSO connections | sso=read |
| Edit SSO connections | sso=edit |
| Delete SSO connections | sso=delete |
Permissions required to access the service via P6 Portal with…
- read-only rights on users:
admin=viewandusers=read('./*') - create rights on users:
admin=viewandusers=read('./*')andusers=edit - edit rights on users:
admin=viewandusers=read('./*')andusers=updateorusers=edit - full rights on users:
admin=viewandusers=read('./*')andusers=* - read-only rights on permissions:
admin=viewandpermsets=read('*') - edit rights on permissions:
admin=viewandpermsets=read('*')andpermsets=edit - full rights on permissions:
admin=viewandpermsets=* - rights to manage users and assign them a limited list of permission sets:
admin=viewanduser=read('./*')andusers=editandpermsets=read('PermSet1','PermSet2')
Views¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Views’ menu entry in P6 Portal | views=view |
| List and read the views | views=read |
| Edit the views | views=edit |
| Do everything on the service | views=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
views=viewandviews=read - edit rights:
views=viewandviews=readandviews=edit - full rights:
views=*
Workflow Steps¶
Note
- The
editaction includes: create, update, rename, duplicate and import. - The
readaction includes: export.
| Feature | Permission |
|---|---|
| See the ‘Workflow Steps’ menu entry in P6 Portal | workflowsteps=view |
| List and read the workflow steps | workflowsteps=read |
| Edit the workflow steps | workflowsteps=edit |
| Do everything on the service | workflowsteps=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
workflowsteps=viewandworkflowsteps=read - edit rights:
workflowsteps=viewandworkflowsteps=readandworkflowsteps=edit - full rights:
workflowsteps=*
Workflow Tasks¶
Access to Workflow Tasks
In order to have access to Workflow Tasks, the transactions=view permission and a variant of the allow permission are required:
| Feature | Permission |
|---|---|
| Allow access to all types of Transactions (Transactions and Workflow Tasks) across all Views | transactions=allow(*) |
Allow access to Workflow Tasks thanks to a workflow-typed View called WfView1 |
transactions=allow('WfView1'(*)) |
| Allow access to Workflow Tasks thanks to two workflow-typed Views | transactions=allow('WfView1'(*),'VfView2'(*)) |
Allow access to Workflow Tasks that are assigned to the user’s branch via View WfView1 |
transactions=allow('WfView1'(BRANCH)) and orgs=read |
Allow access to Workflow Tasks that are assigned to the user’s unit via View WfView1 |
transactions=allow('WfView1'(UNIT)) and orgs=read |
Allow access to Workflow Tasks that are assigned to the user via View WfView1 |
transactions=allow('WfView1'(USER)) and orgs=read |
Allow access to Workflow Tasks that are assigned to the user’s email address via View WfView1 |
transactions=allow('WfView1'('Assignee'='%USER.EMAIL%')) |
| Allow access to Workflow Tasks matching a condition on a searchable field of a View | transactions=allow('WfView1'('Searchable_Name'='Value')) |
Workflow Assignees
On each Workflow Step, there is an <Assignee> section that defines who the Workflow Tasks will be assigned to.
To be part of the Assignees, a user shall have a Permission set that contains the permission defined in the ‘scope’ attribute.
For example, if the Workflow Step contains the following configuration: <Assignee name="PO Approvers" path="/Acme_Prod/Customer_Service" type="UNIT" scope="workflow=role('PO review and approbation')"> then users shall have the workflow=role('PO review and approbation') permission to be part of the assignees.