Permissions
A permission is a string of characters structured as follows: feature=action
.
It allows the user to perform an action on a feature.
This section explains which user permissions are required to be allowed to perform specific actions on the various P6 services.
The permissions are cumulative.
For example, to edit service items related to a specific service via P6 Portal, you need to:
- have access to the service UI via the Portal,
- be allowed to list and read the service items,
- have the permission to edit service items.
Except if you have an admin permission on this service (service_name=*
), if it exists.
A user with a *=*
permission can perform any action on the instance. No other permissions are needed.
Accounts (P6 Console)¶
Note
Permission account=read
is required everywhere on P6 Console
Feature | Permission |
---|---|
See the ‘Account’ menu entry in P6 Console | account=view |
Read account information | account=read |
Edit account information | account=edit |
Do everything on the service | account=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=view
andaccount=read
- edit rights:
account=view
andaccount=read
andaccount=edit
- full rights:
account=*
Applications¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Applications’ menu entry in P6 Portal | applications=view |
List and read applications | applications=read |
Edit applications | applications=edit |
Delete applications | applications=delete |
Do everything on the service | applications=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
applications=view
andapplications=read
- edit rights:
applications=view
andapplications=read
andapplications=edit
- delete rights:
applications=view
andapplications=read
andapplications=delete
- full rights:
applications=*
Application Configurations¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Configuration’ menu entry in P6 Portal | appconfig=view |
List and read app configurations | appconfig=read |
Edit app configurations | appconfig=edit |
Delete app configurations | appconfig=delete |
Do everything on the service | appconfig=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
appconfig=view
andappconfig=read
- edit rights:
appconfig=view
andappconfig=read
andappconfig=edit
- delete rights:
appconfig=view
andappconfig=read
andappconfig=delete
- full rights:
appconfig=*
Application Profiles (P6 Console)¶
Note
- The
edit
action includes: create, update, assign and unassign to instance.
Feature | Permission |
---|---|
See the ‘Application Profiles’ menu entry in P6 Console | application-profiles=view |
List and read application profiles | application-profiles=read |
Edit application profiles | application-profiles=edit |
Delete application profiles | application-profiles=delete |
Do everything on the service | application-profiles=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=read
andapplication-profiles=view
andapplication-profiles=read
- edit rights:
account=read
andapplication-profiles=view
andapplication-profiles=read
andapplication-profiles=edit
(on account) - assign / unassign rights:
account=read
andapplication-profiles=view
andapplication-profiles=read
andapplication-profiles=edit
(on account and instance) - delete rights:
account=read
andapplication-profiles=view
andapplication-profiles=read
andapplication-profiles=delete
- full rights:
account=read
andapplication-profiles=*
Bundled Resources¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Bundled Resources’ menu entry in P6 Portal | bundledresources=view |
List and read bundled resources | bundledresources=read |
Edit bundled resources | bundledresources=edit |
Delete bundled resources | bundledresources=delete |
Do everything on the service | bundledresources=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
bundledresources=view
andbundledresources=read
- edit rights:
bundledresources=view
andbundledresources=read
andbundledresources=edit
- delete rights:
bundledresources=view
andbundledresources=read
andbundledresources=delete
- full rights:
bundledresources=*
Buttons¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Buttons’ menu entry in P6 Portal | buttons=view |
List and read buttons | buttons=read |
Edit buttons | buttons=edit |
Delete buttons | buttons=delete |
Execute the handler endpoints | buttons=display |
Do everything on the service | buttons=* |
Permissions required to access the service via P6 Portal with…
- handler-only rights:
buttons=display
- read-only rights:
buttons=view
andbuttons=read
- edit rights:
buttons=view
andbuttons=read
andbuttons=edit
- delete rights:
buttons=view
andbuttons=read
andbuttons=delete
- full rights:
buttons=*
Counters¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Counters’ menu entry in P6 Portal | counters=view |
List and read counters | counters=read |
Edit counters | counters=edit |
Delete counters | counters=delete |
Do everything on the service | counters=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
counters=view
andcounters=read
- edit rights:
counters=view
andcounters=read
andcounters=edit
- delete rights:
counters=view
andcounters=read
andcounters=delete
- full rights:
counters=*
Dashboard (P6 Console)¶
Note
The P6 Console dashboard contains information that comes from various services.
Therefore, to view that information, in addition to dashboard=view
the following permissions should
be applied: account=read
, instances=read
(both account and instances) and application-profiles=read
.
Otherwise, the dashboard would be available but empty.
Feature | Permission |
---|---|
See the ‘Dashboard’ menu entry and view the dashboard in P6 Console | dashboard=view |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=read
,dashboard=view
,instances=read
(both account and instances) andapplication-profiles=read
.
Data Models¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Data Model’ menu entry in P6 Portal | datamodels=view |
List and read data models | datamodels=read |
Edit data models | datamodels=edit |
Delete data models | datamodels=delete |
Do everything on the service | datamodels=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
datamodels=view
anddatamodels=read
- edit rights:
datamodels=view
anddatamodels=read
anddatamodels=edit
- delete rights:
datamodels=view
anddatamodels=read
anddatamodels=delete
- full rights:
datamodels=*
Documents¶
Permissions related to documents go with the feature documents
or transactions
.
Permission scope | Description |
---|---|
transactions=view OR transactions=edit-form OR transactions=edit-all OR documents=view |
The user can view the content of a document. |
documents=edit-form |
The user can edit the document, only if a form is provided (formjs for the moment) and only via the form display (no access to source / raw content). |
documents=edit-all |
The user can edit a document via a form if one is provided or its raw content directly. |
documents=* |
The user can view and edit a document. |
Email Profiles¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Email Profiles’ menu entry in P6 Portal | email=view |
List and read email profiles | email=read |
Edit email profiles | email=edit |
Delete email profiles | email=delete |
Do everything on the service | email=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
email=view
andemail=read
- edit rights:
email=view
andemail=read
andemail=edit
- delete rights:
email=view
andemail=read
andemail=delete
- full rights:
email=*
Frames¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Frames’ menu entry in P6 Portal | frames=view |
Read frames | frames=read |
Edit frames | frames=edit |
Delete frames | frames=delete |
Do everything on the service | frames=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
frames=view
andframes=read
- edit rights:
frames=view
andframes=read
andframes=edit
- delete rights:
frames=view
andframes=read
andframes=delete
- full rights:
email=*
Instances (P6 Console)¶
Note
- The
edit
action includes: create and update. - The
read
action includes: download.env
file.
Feature | Permission |
---|---|
See the ‘Instances’ menu entry in P6 Console | instances=view |
List and view instances | instances=read |
Edit instance configurations | instances=edit |
Delete instances | instancess=delete |
Do everything on the service | instances=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=read
andinstances=view
andinstances=read
- edit rights:
account=read
andinstances=view
andinstances=read
andinstances=edit
- delete rights:
account=read
andinstances=view
andinstances=read
andinstances=delete
- full rights:
account=read
andinstances=*
Home Pages¶
Note
- The
edit
action includes: customize, create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Home’ menu entry in P6 Portal | homepages=view |
List and read home pages | homepages=read |
Edit home pages | homepages=edit |
Delete home pages | homepages=delete |
Customize home pages | homepages=customize-own |
Access to counters when editing home pages | homepages=counters |
Access to frames when editing home pages | homepages=frames |
Access to reports when editing home pages | homepages=reports |
Do everything on the service | homepages=* |
Permissions required to access the service via P6 Portal with…
- read-only rights on all Home Pages:
homepages=view
andhomepages=read
- read-only rights on a specific Home Page:
homepages=view
andhomepages=read('HomePageName')
- rights to customize Home Pages:
homepages=view
andhomepages=read
andhomepages=customize-own
- rights to edit/configure Home Pages with Counters, Frames and Reports:
homepages=view
andhomepages=read
andhomepages=edit
andhomepages=counters
andhomepages=frames
and `homepages=reports - delete rights on Home Pages:
homepages=view
andhomepages=read
andhomepages=delete
- full rights on Home Pages:
homepages=*
Customizing a Home Page allows a user to apply and save personal changes - like resizing modules, moving them, hiding some, etc.
Local UI Test¶
To be completed
Organizations¶
Note
- The
edit
action includes: create, update. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Organizations’ menu entry in P6 Portal | orgs=view |
Read nodes in the organizational tree | orgs=read |
Edit nodes in the organizational tree | orgs=edit |
Delete Nodes in the Organization | orgs=delete |
Do everything on the service | orgs=* |
Permissions required to access the service via P6 Portal with…
- rights to get node(s) from the organizational tree:
orgs=view
andorgs=read
- rights to edit the organizational tree:
orgs=view
andorgs=read
andorgs=edit
- rights to delete an organization:
orgs=view
andorgs=read
andorgs=delete
- full rights:
orgs=*
Warning
- When a node is deleted, all child nodes are also removed.
- A user with the
orgs=delete
permission can only delete a node below it’s current assigned node.
Reports¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Reports’ menu entry in P6 Portal | reports=view |
List and read reports | reports=read |
Edit reports | reports=edit |
Delete reports | reports=delete |
Do everything on the service | reports=* |
Permissions required to access the service via P6 Portal with…
- read-only rights on all Reports:
reports=view
andreports=read
- read-only rights on specific Reports:
reports=view
and `reports=read(‘Report1’,’Report2’) - edit rights on Reports:
reports=view
andreports=read
andreports=edit
- delete rights on Reports:
reports=view
andreports=read
andreports=delete
- all rights:
reports=*
Routes¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Routes’ menu entry in P6 Portal | routes=view |
List and read the routes | routes=read |
Edit and execute the routes | routes=edit |
Delete routes | routes=delete |
Do everything on the service | routes=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
routes=view
androutes=read
- edit and execute rights:
routes=view
androutes=read
androutes=edit
- Delete Routes:
routes=view
androutes=read
androutes=delete
- all rights:
routes=*
Routing Orders¶
Note
- The
edit
action includes: update. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Routing Orders’ menu entry in P6 Portal | routingorders=view |
List and read routing orders | routingorders=read |
Edit and reprocess routing orders | routingorders=edit |
Delete Routing Orders | routingorders=delete |
Do everything on the service | routingorders=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
routingorders=view
androutingorders=read
- edit and reprocess rights:
routingorders=view
androutingorders=read
androutingorders=edit
- delete rights:
routingorders=view
androutingorders=read
androutingorders=delete
- all rights:
routingorders=*
Scripts¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Scripts’ menu entry in P6 Portal | scripts=view |
List and read scripts | scripts=read |
Execute scripts | scripts=run |
Edit scripts | scripts=edit |
Delete Scripts | scripts=delete |
Do everything on the service | scripts=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
scripts=view
andscripts=read
- execute rights:
scripts=view
andscripts=read
andscripts=run
- edit rights:
scripts=view
andscripts=read
andscripts=edit
- delete rights:
scripts=view
andscripts=read
andscripts=delete
- full rights:
scripts=*
Stored Procedures¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Stored Procedures’ menu entry in P6 Portal | storedprocedures=view |
List and read stored procedures | storedprocedures=read |
Edit stored procedures | storedprocedures=edit |
Delete stored procedures | storedprocedures=delete |
Do everything on the service | storedprocedures=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
storedprocedures=view
andstoredprocedures=read
- edit rights:
storedprocedures=view
andstoredprocedures=read
andstoredprocedures=edit
- full rights:
storedprocedures=*
Stripe Payments¶
Feature | Permission |
---|---|
See the ‘Stripe Payment’ menu entry in P6 Portal | stripe=view |
Read the data | stripe=read |
Be assigned to a payment task | workflow=role('Invoice Payers') |
Pay | stripe=pay |
Do everything on the Stripe Payment service | stripe=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
stripe=view
andstripe=read
- edit rights:
scripts=*
- pay rights:
workflow=role('Invoice Payers')
andstripe=pay
Tables¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
allow
action includes: export.
Feature | Permission |
---|---|
See the ‘Tables’ menu entry in P6 Portal | tables=view |
Allow access to all Tables and their records (read-only) | tables=allow(*) |
Allow access to Table1 and Table 2 (read-only) | tables=allow('Table1'(*), 'Table2'(*)) |
Allow access to the records in Table1 where column1 has the value1 | tables=allow('Table1'('column1'='value1')) |
Edit the structure of allowed Tables | tables=edit-table |
Delete the structure of allowed Tables | tables=delete-table |
Edit records of allowed Tables | tables=edit-data |
Delete the records on allowed Tables | tables=delete-data |
Do anything on the Tables service | tables=* |
Permissions required to access the service via P6 Portal with…
- read-only rights on all Tables:
tables=view
andtables=allow(*)
- read-only rights on specific Tables:
tables=view
andtables=allow('Table1(*)','Table2(*)')
- edit rights on Tables structure:
tables=view
andtables=allow(*)
andtables=edit-table
- edit rights on Tables structure and data:
tables=view
andtables=allow(*)
andtables=edit-table
andtables=edit-data
- delete rights on Tables structure and records:
tables=view
andtables=allow(*)
andtables=delete-table
andtables=delete-data
- full rights:
tables=allow(*)
andtables=*
Transactions¶
A user with transactions=*
and transactions=allow(*)
permissions will have access to all “Transactions” and “Workflow Tasks”.
Note
The transactions
permissions apply to both Transactions and Workflow Tasks.
In order to search and display Transactions and Workflow Tasks, Views are required.
There are two types of Views, for Transactions and for Workflow Tasks.
Access to Transactions
In order to have access to Transactions, the transactions=view
permissions and a variant of the allow permission are required:
Feature | Permission |
---|---|
Allow access to all types of Transactions (Transactions and Workflow Tasks), across all Views | transactions=allow(*) |
Allow access to Transactions thanks to a transaction-typed View called TxView1 |
transactions=allow('TxView1'(*)) |
Allow access to Transactions thanks to two transaction-typed Views | transactions=allow('TxView1'(*),'TxView2'(*)) |
Allow access to Transactions that are assigned to the user’s branch via View TxView1 |
transactions=allow('TxView1'(BRANCH)) and orgs=read |
Allow access to Transactions that are assigned to the user’s unit via View TxView1 |
transactions=allow('TxView1'(UNIT)) and orgs=read |
Allow access to Transactions that are assigned to the user via View TxView1 |
transactions=allow('TxView1'(USER)) and orgs=read |
Allow access to Transactions that are assigned to the user’s email address via View TxView1 |
transactions=allow('TxView1'('UserEmail'='%USER.EMAIL%')) |
Allow access to Transactions matching a condition on a searchable field of a View | transactions=allow('TxView1'('Searchable_Name'='VALUE')) |
You can use multiple Searchable in the matching condition. All different Searchable will be see as an AND and same Searchable as an OR
Example
-
Searchable combination:
- Permission:
transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy'))
- Result: (Searchable_Name=’VALUE’ AND Searchable_Surname=’dummy’)
- Permission:
-
Multiple Searchable:
- Permisson:
transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy', 'Searchable_Surname'='ipsum'))
- Result: (Searchable_Name=’VALUE’ AND (Searchable_Surname=’dummy’ OR Searchable_Surname=’ipsum’))
- Permisson:
Other Permission sets
Permission scope | Description |
---|---|
transactions=view |
The user can search transactions (within the filters specified in allow) and view the content of the transactions. |
transactions=hide-detail |
The user will not be shown the view button to access transaction details and will not be allowed to select the details by double clicking the list item. (the View action button is not displayed and no double clicking) |
transactions=edit-form |
The user can edit and save a transaction, only if a form is provided (formjs for the moment) and only via the form display (no access to XML source). |
transactions=edit-all |
The user can view, edit and save a transaction. Changing the values of the element that constitutes the keys of the transaction will currently create a new transaction (it is an upsert). |
transactions=reprocess |
The user can trigger the reprocessing of a transaction. |
transactions=delete |
The user can delete a transaction. |
transactions=* |
The user can view, edit, reprocess and delete a transaction. |
Create a new Transaction
Note
The messages submit library has not been migrated yet, thus the permission’s feature is still messages
.
You have to enable a variant of the submit
permission:
Feature | Permission |
---|---|
See the ‘Create transaction’ and ‘Upload files’ buttons and be allowed to submit files in order to create transactions | messages=submit(*) |
See the ‘Create transaction’ button and be allowed to submit one or more files in order to create a single transaction | messages=submit('single') |
See the ‘Upload files’ button and be allowed to submit one or more files in order to create one to multiple transactions | messages=submit('bulk') |
Transaction Events (P6 Console)¶
Feature | Permission |
---|---|
View the ‘Transaction Events’ menu in P6 Console | transaction-events=view |
Search and view transaction statistics and events | transaction-events=read |
Do everything on the service | transaction-events=* |
Permissions required to access the service via P6 Console with…
- read-only rights:
account=read
andtransaction-events=view
andtransaction-events=read
- full rights:
account=read
andtransaction-events=*
User Administration¶
Feature | Permission |
---|---|
See the ‘User Administration’ menu entry in P6 Portal | admin=view |
List and read users | users=read('./*') |
Create and Edit users (cannot delete users) | users=edit |
Edit users (cannot delete users) | users=update |
Allows SSO users ONLY to set a password, not required for non-SSO users | users=assign-password |
Allows SSO users ONLY to delete their account, not required for non-SSO users | users=delete-account |
Do everything on users | users=* |
List and read permission sets | permsets=read('*') |
Edit permission sets | permsets=edit |
Do everything on permission sets | permsets=* |
List and read integrations | integrations=read |
Edit integrations | integrations=edit |
List and read SSO connections | sso=read |
Edit SSO connections | sso=edit |
Delete SSO connections | sso=delete |
Permissions required to access the service via P6 Portal with…
- read-only rights on users:
admin=view
andusers=read('./*')
- create rights on users:
admin=view
andusers=read('./*')
andusers=edit
- edit rights on users:
admin=view
andusers=read('./*')
andusers=update
orusers=edit
- full rights on users:
admin=view
andusers=read('./*')
andusers=*
- read-only rights on permissions:
admin=view
andpermsets=read('*')
- edit rights on permissions:
admin=view
andpermsets=read('*')
andpermsets=edit
- full rights on permissions:
admin=view
andpermsets=*
- rights to manage users and assign them a limited list of permission sets:
admin=view
anduser=read('./*')
andusers=edit
andpermsets=read('PermSet1','PermSet2')
Views¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Views’ menu entry in P6 Portal | views=view |
List and read the views | views=read |
Edit the views | views=edit |
Do everything on the service | views=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
views=view
andviews=read
- edit rights:
views=view
andviews=read
andviews=edit
- full rights:
views=*
Workflow Steps¶
Note
- The
edit
action includes: create, update, rename, duplicate and import. - The
read
action includes: export.
Feature | Permission |
---|---|
See the ‘Workflow Steps’ menu entry in P6 Portal | workflowsteps=view |
List and read the workflow steps | workflowsteps=read |
Edit the workflow steps | workflowsteps=edit |
Do everything on the service | workflowsteps=* |
Permissions required to access the service via P6 Portal with…
- read-only rights:
workflowsteps=view
andworkflowsteps=read
- edit rights:
workflowsteps=view
andworkflowsteps=read
andworkflowsteps=edit
- full rights:
workflowsteps=*
Workflow Tasks¶
Access to Workflow Tasks
In order to have access to Workflow Tasks, the transactions=view
permission and a variant of the allow permission are required:
Feature | Permission |
---|---|
Allow access to all types of Transactions (Transactions and Workflow Tasks) across all Views | transactions=allow(*) |
Allow access to Workflow Tasks thanks to a workflow-typed View called WfView1 |
transactions=allow('WfView1'(*)) |
Allow access to Workflow Tasks thanks to two workflow-typed Views | transactions=allow('WfView1'(*),'VfView2'(*)) |
Allow access to Workflow Tasks that are assigned to the user’s branch via View WfView1 |
transactions=allow('WfView1'(BRANCH)) and orgs=read |
Allow access to Workflow Tasks that are assigned to the user’s unit via View WfView1 |
transactions=allow('WfView1'(UNIT)) and orgs=read |
Allow access to Workflow Tasks that are assigned to the user via View WfView1 |
transactions=allow('WfView1'(USER)) and orgs=read |
Allow access to Workflow Tasks that are assigned to the user’s email address via View WfView1 |
transactions=allow('WfView1'('Assignee'='%USER.EMAIL%')) |
Allow access to Workflow Tasks matching a condition on a searchable field of a View | transactions=allow('WfView1'('Searchable_Name'='Value')) |
Workflow Assignees
On each Workflow Step, there is an <Assignee>
section that defines who the Workflow Tasks will be assigned to.
To be part of the Assignees, a user shall have a Permission set that contains the permission defined in the ‘scope’ attribute.
For example, if the Workflow Step contains the following configuration: <Assignee name="PO Approvers" path="/Acme_Prod/Customer_Service" type="UNIT" scope="workflow=role('PO review and approbation')">
then users shall have the workflow=role('PO review and approbation')
permission to be part of the assignees.