Permissions

A permission is a string of characters structured as follows: feature=action. It allows the user to perform an action on a feature.

This section explains which user permissions are required to be allowed to perform specific actions on the various P6 services.

The permissions are cumulative.

For example, to edit service items related to a specific service via P6 Portal, you need to:

  • have access to the service UI via the Portal,
  • be allowed to list and read the service items,
  • have the permission to edit service items.

Except if you have an admin permission on this service (service_name=*), if it exists.

A user with a *=* permission can perform any action on the instance. No other permissions are needed.

Applications

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Applications’ menu entry on P6 Portal applications=view
List and read applications applications=read
Edit applications applications=edit
Delete applications applications=delete
Do everything on the service applications=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: applications=view and applications=read
  • edit rights: applications=view andapplications=read and applications=edit
  • delete rights: applications=view and applications=read and applications=delete
  • full rights: applications=*

Bundled Resources

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Bundled Resources’ menu entry on P6 Portal bundledresources=view
List and read bundled resources bundledresources=read
Edit bundled resources bundledresources=edit
Delete bundled resources bundledresources=delete
Do everything on the service bundledresources=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: bundledresources=view and bundledresources=read
  • edit rights: bundledresources=view andbundledresources=read and bundledresources=edit
  • delete rights: bundledresources=view and bundledresources=read and bundledresources=delete
  • full rights: bundledresources=*

Counters

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Counters’ menu entry on P6 Portal counters=view
List and read counters counters=read
Edit counters counters=edit
Delete counters counters=delete
Do everything on the service counters=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: counters=view and counters=read
  • edit rights: counters=view andcounters=read and counters=edit
  • delete rights: counters=view and counters=read and counters=delete
  • full rights: counters=*

Data Models

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Data Model’ menu entry on P6 Portal datamodels=view
List and read data models datamodels=read
Edit data models datamodels=edit
Delete data models datamodels=delete
Do everything on the service datamodels=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: datamodels=view and datamodels=read
  • edit rights: datamodels=view anddatamodels=read and datamodels=edit
  • delete rights: datamodels=view and datamodels=read and datamodels=delete
  • full rights: datamodels=*

Email Profiles

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Email Profiles’ menu entry on P6 Portal email=view
List and read email profiles email=read
Edit email profiles email=edit
Delete email profiles email=delete
Do everything on the service email=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: email=view and email=read
  • edit rights: email=view andemail=read and email=edit
  • delete rights: email=view and email=read and email=delete
  • full rights: email=*

Frames

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Frames’ menu entry on P6 Portal frames=view
Read frames frames=read
Edit frames frames=edit
Delete frames frames=delete
Do everything on the service frames=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: frames=view and frames=read
  • edit rights: frames=view andframes=read and frames=edit
  • delete rights: frames=view and frames=read and frames=delete
  • full rights: email=*

Home Pages

Note

  • The edit action includes: customize, create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Home’ menu entry on P6 Portal homepages=view
List and read home pages homepages=read
Edit home pages homepages=edit
Delete home pages homepages=delete
Customize home pages homepages=customize-own
Access to counters when editing home pages homepages=counters
Access to frames when editing home pages homepages=frames
Access to reports when editing home pages homepages=reports
Do everything on the service homepages=*

Permissions required to access the service via P6 Portal with…

  • read-only rights on all Home Pages: homepages=view and homepages=read
  • read-only rights on a specific Home Page: homepages=view and homepages=read('HomePageName')
  • rights to customize Home Pages: homepages=view and homepages=read and homepages=customize-own
  • rights to edit/configure Home Pages with Counters, Frames and Reports: homepages=view and homepages=read and homepages=edit and homepages=countersand homepages=framesand `homepages=reports
  • delete rights on Home Pages: homepages=view and homepages=read and homepages=delete
  • full rights on Home Pages: homepages=*

* Customizing a Home Page allows a user to apply and save personal changes - like resizing modules, moving them, hiding some, etc.

Local UI Test

To be completed

Organizations

Note

  • The edit action includes: create, update.
  • The read action includes: export.
Feature Permission
See the ‘Organizations’ menu entry on P6 Portal orgs=view
Read nodes in the organizational tree orgs=read
Edit nodes in the organizational tree orgs=edit
Delete Nodes in the Organization orgs=delete
Do everything on the service orgs=*

Permissions required to access the service via P6 Portal with…

  • rights to get node(s) from the organizational tree: orgs=view and orgs=read
  • rights to edit the organizational tree: orgs=view and orgs=read and orgs=edit
  • rights to delete an organization: orgs=view and orgs=read and orgs=delete
  • full rights: orgs=*

Warning

  • When a node is deleted, all child nodes are also removed.
  • A user with the orgs=delete permission can only delete a node below it’s current assigned node.

Reports

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Reports’ menu entry on P6 Portal reports=view
List and read reports reports=read
Edit reports reports=edit
Delete reports reports=delete
Do everything on the service reports=*

Permissions required to access the service via P6 Portal with…

  • read-only rights on all Reports: reports=view and reports=read
  • read-only rights on specific Reports: reports=view and `reports=read(‘Report1’,’Report2’)
  • edit rights on Reports: reports=view andreports=read and reports=edit
  • delete rights on Reports: reports=view and reports=read and reports=delete
  • all rights: reports=*

Routes

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Routes’ menu entry on P6 Portal routes=view
List and read the routes routes=read
Edit and execute the routes routes=edit
Delete routes routes=delete
Do everything on the service routes=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: routes=view and routes=read
  • edit and execute rights: routes=view and routes=read and routes=edit
  • Delete Routes: routes=view and routes=read and routes=delete
  • all rights: routes=*

Routing Orders

Note

  • The edit action includes: update.
  • The read action includes: export.
Feature Permission
See the ‘Routing Orders’ menu entry on P6 Portal routingorders=view
List and read routing orders routingorders=read
Edit and reprocess routing orders routingorders=edit
Delete Routing Orders routingorders=delete
Do everything on the service routingorders=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: routingorders=view and routingorders=read
  • edit and reprocess rights: routingorders=view androutingorders=read and routingorders=edit
  • delete rights: routingorders=view and routingorders=read and routingorders=delete
  • all rights: routingorders=*

Scripts

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Scripts’ menu entry on P6 Portal scripts=view
List and read scripts scripts=read
Execute scripts scripts=run
Edit scripts scripts=edit
Delete Scripts scripts=delete
Do everything on the service scripts=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: scripts=view and scripts=read
  • execute rights: scripts=view andscripts=read and scripts=run
  • edit rights: scripts=view andscripts=read and scripts=edit
  • delete rights: scripts=view and scripts=read and scripts=delete
  • full rights: scripts=*

Stored Procedures

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Stored Procedures’ menu entry on P6 Portal storedprocedures=view
List and read stored procedures storedprocedures=read
Edit stored procedures storedprocedures=edit
Delete stored procedures storedprocedures=delete
Do everything on the service storedprocedures=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: storedprocedures=view and storedprocedures=read
  • edit rights: storedprocedures=view andstoredprocedures=read and storedprocedures=edit
  • full rights: storedprocedures=*

Stripe Payments

Feature Permission
See the ‘Stripe Payment’ menu entry on P6 Portal stripe=view
Read the data stripe=read
Be assigned to a payment task workflow=role('Invoice Payers')
Pay stripe=pay
Do everything on the Stripe Payment service stripe=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: stripe=view and stripe=read
  • edit rights: scripts=*
  • pay rights: workflow=role('Invoice Payers') and stripe=pay

Tables

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Tables’ menu entry on P6 Portal tables=view
Allow access to all Tables and their records (read-only) tables=allow(*)
Allow access to Table1 and Table 2 (read-only) tables=allow('Table1'(*), 'Table2'(*))
Allow access to the records in Table1 where column1 has the value1 tables=allow('Table1'('column1'='value1'))
Edit the structure of allowed Tables tables=edit-table
Delete the structure of allowed Tables tables=delete-table
Edit records of allowed Tables tables=edit-data
Delete the records on allowed Tables tables=delete-data
Do anything on the Tables service tables=*

Permissions required to access the service via P6 Portal with…

  • read-only rights on all Tables: tables=view and tables=allow(*)
  • read-only rights on specific Tables: tables=view and tables=allow('Table1(*)','Table2(*)')
  • edit rights on Tables structure: tables=view and tables=allow(*) and tables=edit-table
  • edit rights on Tables structure and data: tables=view and tables=allow(*) and tables=edit-table and tables=edit-data
  • delete rights on Tables structure and records: tables=view and tables=allow(*) and tables=delete-table and tables=delete-data
  • full rights: tables=allow(*) and tables=*

Transactions

A user with transactions=* and transactions=allow(*) permissions will have access to all “Transactions” and “Workflow Tasks”.

Note

The transactions permissions apply to both Transactions and Workflow Tasks. In order to search and display Transactions and Workflow Tasks, Views are required. There are two types of Views, for Transactions and for Workflow Tasks.

Access to Transactions

In order to have access to Transactions, the transactions=view permissions and a variant of the allow permission are required:

Feature Permission
Allow access to all types of Transactions (Transactions and Workflow Tasks), across all Views transactions=allow(*)
Allow access to Transactions thanks to a transaction-typed View called TxView1 transactions=allow('TxView1'(*))
Allow access to Transactions thanks to two transaction-typed Views transactions=allow('TxView1'(*),'TxView2'(*))
Allow access to Transactions┬áthat are assigned to the user’s branch via View TxView1 transactions=allow('TxView1'(BRANCH)) and orgs=read
Allow access to Transactions┬áthat are assigned to the user’s unit via View TxView1 transactions=allow('TxView1'(UNIT)) and orgs=read
Allow access to Transactions that are assigned to the user via View TxView1 transactions=allow('TxView1'(USER)) and orgs=read
Allow access to Transactions that are assigned to the user’s email address via View TxView1 transactions=allow('TxView1'('UserEmail'='%USER.EMAIL%'))
Allow access to Transactions matching a condition on a searchable field of a View transactions=allow('TxView1'('Searchable_Name'='VALUE'))

You can use multiple Searchable in the matching condition. All different Searchable will be see as an AND and same Searchable as an OR

Example

  • Searchable combination:

    • Permission: transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy'))
    • Result: (Searchable_Name=’VALUE’ AND Searchable_Surname=’dummy’)
  • Multiple Searchable:

    • Permisson:transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy', 'Searchable_Surname'='ipsum'))
    • Result: (Searchable_Name=’VALUE’ AND (Searchable_Surname=’dummy’ OR Searchable_Surname=’ipsum’))

Other Permission sets

Permission scope Description
transactions=view The user can search transactions (within the filters specified in allow) and view the content of the transactions.
transactions=edit-form The user can edit and save a transaction, only if a form is provided (formjs for the moment) and only via the form display (no access to XML source).
transactions=edit-all
transactions=reprocess The user can trigger the reprocessing of a transaction.
transactions=delete The user can delete a transaction.
transactions=* The user can view, edit, reprocess and delete a transaction.

Create a new Transaction

Note

The messages submit library has not been migrated yet, thus the permission’s feature is still messages.

You have to enable a variant of the submit permission:

Feature Permission
See the ‘Create transaction’ and ‘Upload files’ buttons and be allowed to submit files in order to create transactions messages=submit(*)
See the ‘Create transaction’ button and be allowed to submit one or more files in order to create a single transaction messages=submit('single')
See the ‘Upload files’ button and be allowed to submit one or more files in order to create one to multiple transactions messages=submit('bulk')

User Administration

Feature Permission
See the ‘User Administration’ menu entry on P6 Portal admin=view
List and read users users=read('./*')
Edit users (cannot delete users) users=edit
Do everything on users users=*
List and read permission sets permsets=read('*')
Edit permission sets permsets=edit
Do everything on permission sets permsets=*
List and read integrations integrations=read
Edit integrations integrations=edit
List and read SSO connections sso=read
Edit SSO connections sso=edit
Delete SSO connections sso=delete

Permissions required to access the service via P6 Portal with…

  • read-only rights on users: admin=view and users=read('./*')
  • edit rights on users: admin=view and users=read('./*') and users=edit
  • full rights on users: admin=view and users=read('./*') and users=*
  • read-only rights on permissions: admin=view and permsets=read('*')
  • edit rights on permissions: admin=view and permsets=read('*') and permsets=edit
  • full rights on permissions: admin=view and permsets=*
  • rights to manage users and assign them a limited list of permission sets: admin=view and user=read('./*')and users=editand permsets=read('PermSet1','PermSet2')

Views

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Views’ menu entry on P6 Portal views=view
List and read the views views=read
Edit the views views=edit
Do everything on the service views=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: views=view and views=read
  • edit rights: views=view andviews=read and views=edit
  • full rights: views=*

Workflow Steps

Note

  • The edit action includes: create, update, rename, duplicate and import.
  • The read action includes: export.
Feature Permission
See the ‘Workflow Steps’ menu entry on P6 Portal workflowsteps=view
List and read the workflow steps workflowsteps=read
Edit the workflow steps workflowsteps=edit
Do everything on the service workflowsteps=*

Permissions required to access the service via P6 Portal with…

  • read-only rights: workflowsteps=view and workflowsteps=read
  • edit rights: workflowsteps=view andworkflowsteps=read and workflowsteps=edit
  • full rights: workflowsteps=*

Workflow Tasks

Access to Workflow Tasks

In order to have access to Workflow Tasks, the transactions=view permission and a variant of the allow permission are required:

Feature Permission
Allow access to all types of Transactions (Transactions and Workflow Tasks) across all Views transactions=allow(*)
Allow access to Workflow Tasks thanks to a workflow-typed View called WfView1 transactions=allow('WfView1'(*))
Allow access to Workflow Tasks thanks to two workflow-typed Views transactions=allow('WfView1'(*),'VfView2'(*))
Allow access to Workflow Tasks that are assigned to the user’s branch via View WfView1 transactions=allow('WfView1'(BRANCH)) and orgs=read
Allow access to Workflow Tasks that are assigned to the user’s unit via View WfView1 transactions=allow('WfView1'(UNIT)) and orgs=read
Allow access to Workflow Tasks that are assigned to the user via View WfView1 transactions=allow('WfView1'(USER)) and orgs=read
Allow access to Workflow Tasks that are assigned to the user’s email address via View WfView1 transactions=allow('WfView1'('Assignee'='%USER.EMAIL%'))
Allow access to Workflow Tasks matching a condition on a searchable field of a View transactions=allow('WfView1'('Searchable_Name'='Value'))

Workflow Assignees

On each Workflow Step, there is an <Assignee> section that defines who the Workflow Tasks will be assigned to.

To be part of the Assignees, a user shall have a Permission set that contains the permission defined in the ‘scope’ attribute.

For example, if the Workflow Step contains the following configuration: <Assignee name="PO Approvers" path="/Acme_Prod/Customer_Service" type="UNIT" scope="workflow=role('PO review and approbation')"> then users shall have the workflow=role('PO review and approbation') permission to be part of the assignees.