Advanced Studio Permissions

Some features described in this article may be subject to a separate surcharge. See the Advanced Studio Permissions Licensing article for detailed information.

Introduction to Permissions

Roles and Permissions allow regulating the access to different Studio Composition areas for security reasons. For example, Solution Administrators or Solution Developers need to access different Studio Composition areas and functionalities compared to Support Engineers. The Advanced Studio Permission feature allows managing Permissions. Some Extensions also create submodules that are only available with specific Permissions. Studio Composition users with admin rights can assign Permissions to Roles.

In Studio Composition, Roles and Permissions are managed in System Configuration > Users/Groups/Roles > Roles > [right click] > Permissions. The Permissions modal window displays the whole list of possible accesses and actions for each granted Permission and its corresponding level, namely:

  • A green tick represents a possible access/action for a user in the current Role.
  • A red cross represents a forbidden access/action for a user in the current Role.

Starting from FNZ Studio 2022.2, there are up to three levels of Permissions that can be granted to each Role. For each area (e.g., Packages, Process Instances, and so on), a Role may have:

  1. Full Access (FA) - The user with the current Role can perform all the listed actions in that submodule (e.g., for the Packages Permission, the Role can perform all actions on Packages, such as creating, editing, configuring Packages).
  2. Read-Only Access (RO) - The user with the current Role can view the related Studio Composition submodule but cannot perform any actions in that area (e.g., for the Packages Permission, the Role can view the Package content but cannot create, edit, or configure any Packages).
  3. No Access (NA) - The user with the current Role can neither view nor perform any actions in that area (e.g., for the Packages Permission, the Role can neither view the Package content nor perform any other actions).

Note that, if no Permissions are granted for any submodule (Process Engine, Process Overview, and so on), the entire module (e.g., Solution Maintenance) is hidden altogether.

Creating Roles and Assigning Permissions

Studio Composition users with admin rights can create Roles and assign Permissions. To do so:

  1. Go to System Configuration > Users/Groups/Roles, and click on the Roles tab.
  2. Click on the menu icon and select the New User Role button. The New Role dialog is displayed.
  3. Enter the desired name for your custom Role. Consider that the Role name cannot be changed after it has been created.
  4. The Edit Role window is displayed, where you must assign one or more users to the newly created Role. Consider that you need to assign at least one User for the Role to be created.
  5. Once the Role has been created, right-click on the Role name and select the Permissions button.
  6. The Permissions dialog is displayed. For each Role, select the desired level of Permission:
    • Full Access - The user with the current Role can perform all the listed actions in that submodule.
    • Read-Only Access - The user with the current Role can view the submodule but cannot perform any actions in that area.
    • No Access - The user with the current Role cannot view the related submodule nor perform any action in that area.
  7. After closing the dialog, the available Permissions and the corresponding levels (FA, RO, NA) for each Role are also displayed in the Permissions column. The exact list of possible or forbidden accesses and actions is summarized in the sections below.

Setting Permission Cap

The Permission Cap feature allows setting the highest level of access available (Full Access, Read-Only Access, No Access) for each Permission in a specific environment. This may be useful to limit the user's possibility to perform certain operations in specific environments (e.g., preventing users from uploading extensions in a Cloud installation).

Although the Permission Cap feature is technically configured through the configuration property nm.permissions.maxlevel (accepted values are NONE, READ_ONLY and FULL_ACCESS, although this last value may not be relevant), it can only be set as an environment variable when the application server is started. To set this configuration property correctly, you need to use the Permission technical names (e.g., ManageExtensions is the technical name of the Extensions Permission). The attached PDF provides the full mapping of Permission names.

Example: nm.permissions.maxlevel = ManageExtensions:READ_ONLY, ManageLicense:NONE, ManageValueStore:NONE

This property overrides the Permission settings configured at Role level on the Permissions dialog in System Configuration > Users/Groups/Roles.
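The following is an added example, not FNZ Studio code: it parses a nm.permissions.maxlevel value in the format shown above and reports which Role-level settings the cap reduces. It assumes the cap acts as an upper bound on the Role-level setting, that level names are matched exactly as written above, and that Permissions not listed in the cap are left uncapped; the Role settings are constructed sample data.

```python
from enum import IntEnum


class Level(IntEnum):
    # Ordered so that min() returns the more restrictive level.
    NONE = 0
    READ_ONLY = 1
    FULL_ACCESS = 2


# Cap value taken from the example on this page.
CAP_VALUE = "ManageExtensions:READ_ONLY, ManageLicense:NONE, ManageValueStore:NONE"

# Constructed sample: levels configured for one Role in the Permissions dialog.
ROLE_LEVELS = {
    "ManageExtensions": Level.FULL_ACCESS,
    "ManageLicense": Level.READ_ONLY,
    "ManageValueStore": Level.NONE,
}


def parse_cap(value):
    """Parse 'Name:LEVEL, Name:LEVEL' into {name: Level}; reject bad entries."""
    caps = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        name, sep, level = entry.partition(":")
        name, level = name.strip(), level.strip()
        if not sep or not name:
            raise ValueError(f"malformed entry: {entry!r}")
        if level not in Level.__members__:
            raise ValueError(f"unknown level {level!r} for {name}")
        if name in caps:
            raise ValueError(f"duplicate cap for {name}")
        caps[name] = Level[level]
    return caps


def effective_levels(role_levels, caps):
    """Apply each cap as an upper bound (assumption) on the Role-level setting."""
    return {
        name: min(level, caps.get(name, Level.FULL_ACCESS))
        for name, level in role_levels.items()
    }


def capped(role_levels, caps):
    """Return {name: (configured, effective)} for settings the cap reduces."""
    eff = effective_levels(role_levels, caps)
    return {
        name: (role_levels[name], eff[name])
        for name in role_levels
        if eff[name] < role_levels[name]
    }


if __name__ == "__main__":
    caps = parse_cap(CAP_VALUE)
    for name, (configured, effective) in capped(ROLE_LEVELS, caps).items():
        print(f"{name}: Role grants {configured.name}, cap limits to {effective.name}")
```

Running a check like this before deployment surfaces Roles whose dialog settings will not take effect in the capped environment, and catches a mistyped entry before the application server is started with it.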

Note that, although the Permission Cap feature is publicly available, it has been developed mainly for FNZ Studio internal purposes. Moreover, the feature only applies if the Advanced Studio Permissions Licensing is available (see section below).

Installation, Upgrade and Licensing Notes

The introduction of three-level Permissions in FNZ Studio 2022.2 introduced significant changes, and these are reported in the System Upgrade 2022.1 to 2022.2 document. Make sure you read this information carefully if you are upgrading your Platform from a version lower than 2022.2.

Moreover, the use of Advanced Studio Permissions is subject to the Advanced Studio Permissions Licensing. The type of license you have installed has implications on how the Permissions feature works, as described in the section below.

Licensing

  1. If the Advanced Studio Permissions License is NOT available:
    • The Administrator Role has all Permissions, therefore it has full access to all Studio Composition functionalities, both related to the Core Platform and Extensions (see the full list of Permissions).
    • The User Role has Workspace Permissions, therefore it has access to Studio Runtime (see Workspace Permissions).
    • The Permissions dialog (System Configuration > Users/Groups/Roles > Roles > [right click] > Permissions) is NOT available.
  2. If the Advanced Studio Permissions License IS available:
    • The Administrator Role has Studio Permission. This Permission is always and exclusively assigned to this Role, which is the only one that can access Studio Composition. All other Permissions can be removed from Administrator and reassigned to other Roles. Note on extensions: Extension-related Permissions are also assigned to the Administrator Role. This means that, if non-Administrator users install a new extension, they will not see the related module in Studio Composition until the related Permission is granted to them (e.g., the BAM module is visible if the BAM Extension is installed and the user has the Business Activity Monitoring Permission). An exception to this behavior may occur when an extension is uninstalled while the user has the related Permission assigned, and then reinstalled at a later time: in this case the user will still hold such Permission.
    • The Permissions dialog (System Configuration > Users/Groups/Roles > Roles > [right click] > Permissions) IS then available.
  3. If the Advanced Studio Permissions License is REMOVED at some point:
    • The Administrator Role regains all Permissions. Permission configurations for other Roles are "memorized" in the system in case the License is installed again at a later point.

List of Permissions and Possible Actions

Special Permissions

These Permissions are assigned by default and cannot be changed.

  • Studio Permission - Default Permission that is always and exclusively assigned to the Administrator Role. It is used to control Studio Composition access.
  • Workspace Permission - Default Permission that is always and exclusively granted to the User Role. It is used to control the access to Studio Runtime.

Solution Design

Interactive Script Editor

Use the Interactive Script Editor.

  • Full Access - Can use the Interactive Script Editor (ISE) (accessible through the Solution Maintenance > Script Language > Start Interactive Script Editor button or the Control+Shift+i shortcut).
  • No Access - Cannot access nor use the Interactive Script Editor (ISE).

Labels

View, create and translate Label Business Objects from various editors and tools in Studio Composition (see Languages, Labels and Translations document for details).

  • Full Access
    • Can view and translate Labels from the Translations tab (Solution Design module).
    • Can create and translate Labels from the Label Business Object library.
    • Can create and translate Labels from the Translations Tool in the Data Logic, Process, and Document Category Editors.
    • Can create and translate Labels from the Text Field context menu or from the Label Selector.
  • No Access - Cannot view, create or translate Labels from any editors.

Packages

View and manage Packages and their content (Business Objects and configurations), import/export Packages.

  • Full Access
    • Can create, edit, configure, and delete Packages and their content.
    • Can import Packages and Business Objects.
  • Read-Only
    • Can view Package content.
    • Can export Packages and Business Objects.
  • No Access - Cannot view Package content nor perform any other actions on Packages.

Solution Maintenance

Business Activity Monitoring

View and manage Business Activity Monitoring (BAM) measurement options, BAM Dashboard, and SLA Report. The BAM Extension must be installed.

  • Full Access
    • Can configure the BAM database and install the Dashboards.
    • Can configure measurement options for Processes.
    • Can view BAM Dashboards and SLA Reports in Studio Composition.
  • No Access - Cannot view nor perform any actions in the BAM submodule.

Deployment API Token

Reset the API Token used to authenticate Deployment API execution. The DeploymentAPI Extension must be installed.

  • Full Access - Can reset Deployment API Token.
  • No Access - Cannot view nor perform any actions in the Deployment API Token submodule.

Notification Management

View and manage Notifications, including Topics, Subscriptions, and Inboxes.

  • Full Access
    • Can view Topics and Inboxes.
    • Can create and delete Topics and Notifications.
    • Can edit Subscriptions.
  • No Access - Cannot view nor perform any actions in the Notification Management submodule.

Obliteration

Permanently remove unused versions of Packages and Business Objects based on a date filter (see Obliteration documentation).

  • Full Access - Can access the Obliteration submodule and obliterate Business Objects.
  • No Access - Cannot view nor perform any actions in the Obliteration submodule.

Process Engine

View and manage Process Threads, Process Jobs, Process Triggers, and Process Locks (see documentation).

  • Full Access
    • Can start, stop, and add Process Threads.
    • Can reset Process Thread Statistics.
    • Can delete all Process Jobs.
  • Read-Only
    • Can view Process Threads, Process Jobs, Process Triggers, and Process Locks.
  • No Access - Cannot view nor perform any actions in the Process Engine submodule.

Process Instances

View and manage Process Instances.

  • Full Access
    • Can cancel and delete Process Instances.
    • Can change the Version Filter of Process Instances.
    • Can set Tokens to 'Completed'.
    • (If the ProcessMigration Extension is installed) Can migrate Processes.
  • Read-Only
    • Can view and update Process Instances.
    • Can view Process Instance Attributes.
    • Can view Process Instance details and Tokens.
  • No Access - Cannot view nor perform any actions in the Process Instances submodule.

Process Messages

View and manage Process Messages and Process Message Queues.

  • Full Access
    • Can add, delete, clear, edit, and clean up Queues.
    • Can send and delete Process Messages.
  • Read-Only
    • Can view Queues.
  • No Access - Cannot view nor perform any actions in the Process Messages submodule.

Value Stores

View and manage Value Stores and Data Entities (see documentation).

  • Full Access
    • Can delete Value Stores.
    • Can reset Value Store Statistics.
    • Can reset Data Entities Statistics.
  • Read-Only
    • Can view Value Stores.
    • Can view Data Entities.
  • No Access - Cannot view nor perform any actions in the Value Stores submodule.

Data & Integration

Business Data Storage (Configuration)

Select a Data Source, add and remove Data Classes, and sync Data Classes to the database. The BusinessDataStorage Extension must be installed.

  • Full Access
    • (Configuration) Can select the BDS Data Source.
    • (Stored Data Classes) Can view, add and remove Stored Data Classes.
    • (Stored Data Classes) Can sync Data Classes to the database.
  • No Access - Cannot view nor perform any actions in the Business Data Storage submodule.

Business Data Storage (Database Content)

Browse the list of tables in the database and clean up the content of the tables, deleting data from the database. The BusinessDataStorage Extension must be installed.

  • Full Access
    • (Database Content) Can browse the list of tables in the database.
    • (Database Content) Can clean up the content of the tables in the database.
  • No Access - Cannot view nor perform any actions in the Business Data Storage submodule.

Data History

Manage Data Classes and Data Class properties tracked by the DataHistory Extension (must be installed).

  • Full Access
    • Can view tracked Data Classes.
    • Can add and remove tracked Data Classes.
    • Can track or untrack properties of Data Classes.
  • No Access - Cannot view nor perform any actions in the Data History submodule.

Data Sources

View and manage Data Sources (including Password Encryption Key).

  • Full Access
    • Can view Data Sources.
    • Can create, update, and delete Data Sources.
    • Can set and remove the Password Encryption Key.
  • Read-Only - Can view Data Sources.
  • No Access - Cannot view nor perform any actions in the Data Sources submodule.

Data Store

Use and manage the DataStore Extension functionalities (must be installed).

  • Full Access - Can use and manage the DataStore Extension functionalities.
  • No Access - Cannot view nor perform any actions in the Data Store submodule.

View and manage Integration Links.

  • Full Access
    • Can start and stop Integration Links.
    • Can reset Integration Link Statistics.
  • Read-Only
    • Can view Integration Links.
    • Can test Integration Links.
  • No Access - Cannot view nor perform any actions in the Integration Link Management submodule.

Web Services (REST and SOAP)

View and manage REST and SOAP services enabled by the WebServices Extension (must be installed).

  • Full Access
    • Can view SOAP Web Services.
    • Can add and remove SOAP Web Services.
    • Can view REST Web Services.
    • Can add and remove REST Web Services.
  • No Access - Cannot view nor perform any actions in the REST and SOAP submodules.

Integration Troubleshooting Console

View and manage Integration Troubleshooting Console.

  • Full Access
    • Can enable or disable the Integration Troubleshooting Console and clear all data.
  • Read-Only
    • Can view data collected by the Integration Troubleshooting Console, but cannot enable or disable data collection or clear existing data.
  • No Access - Cannot view nor perform any actions in the Integration Troubleshooting Console submodule.

System Maintenance

Caches

View and manage System Caches, Cluster Caches, and Application Caches (see documentation).

  • Full Access
    • Can view System, Cluster and Application Caches.
    • Can flush System Caches.
    • Can delete Cluster Caches.
    • Can delete Application Caches.
  • No Access - Cannot view nor perform any actions in the Caches submodule.

Cluster Tools

Use Cluster Tools to inspect the Hazelcast cluster.

  • Full Access
    • Can clear Hazelcast Events
    • Can clear Near Caches
    • Can force Unlock of Hazelcast Locks
  • Read-Only - Can view Hazelcast Members, Events, Maps and Locks
  • No Access - Cannot view nor perform any actions in the Cluster Tools submodule.

Data Home Browser

View and edit files and directories in the Data Home.

  • Full Access
    • Can view and download files in the Data Home
    • Can create, edit and delete files and directories in the Data Home
  • No Access - Cannot view nor perform any actions in the Data Home Browser submodule.

Encryption

Access and modify the Platform's system keys via Script Functions.

  • Full Access
    • Can execute Script Functions that modify encryption keys
    • Can see the Password, Keys & Certificates submodule
  • Read-Only
    • Can retrieve keys and certificates
    • Can manage passwords, keys and certificates
  • No Access - Cannot access the encryption system keys.

Garbage Collection

Request Garbage Collection to check memory usage and free up memory from the Overview or Memory Usage Statistics submodules.

  • Full Access
    • Can request Garbage Collection (Overview submodule)
    • Can request Garbage Collection and Update Memory Usage Statistics (Memory Usage Statistics submodule)
  • No Access - Cannot request Garbage Collection nor update Memory Usage Statistics.

Health

View and manage System Health Sensors.

  • Full Access
    • Can view Health Sensors.
    • Can query Health Sensors.
    • Can reset Health Sensors.
  • No Access - Cannot view nor perform any actions in the Health submodule.

HTTP Tracing

Use and manage HTTP Tracing/Network Statistics functionalities.

  • Full Access - Can start HTTP Tracing/Network Statistics and view collected data.
  • No Access - Cannot view nor perform any actions in the HTTP Tracing/Network Statistics submodule.

Job Scheduling

View Job Schedules and define policies for job execution.

  • Full Access
    • Can trigger Job Schedules.
    • Can edit Triggers.
    • Can pause and resume Job Schedules.
    • Can reset all statistics.
  • Read-Only
    • Can view Job Schedules.
  • No Access - Cannot view nor perform any actions in the Job Scheduling submodule.

Logging

View and manage loggers.

  • Full Access
    • Can create and edit Log4j Loggers
    • Can clear and delete Log Files
  • Read-Only
    • Can view and open Log Files, Log4j Loggers, and Appenders
  • No Access - Cannot view nor perform any actions in the Logging submodule.

System Report

Show and download the System Report containing technical information on the Platform installation and environment.

  • Full Access - Can show and download the System Report.
  • No Access - Cannot view nor perform any actions in the Report submodule.

System Locking

Lock Studio Composition and Studio Runtime (documentation).

  • Full Access - Can lock and unlock the System.
  • No Access - Cannot view nor perform any actions in the System Locking submodule.

System Statistics

View system statistics and reset collected data in Memory Usage, Repository, Serialization, I/O, CPU and Web API Statistics.

  • Full Access - Can reset Memory Usage, Repository, Serialization, I/O, CPU and Web API Statistics.
  • Read-Only - Can view Memory Usage, Repository, Serialization, I/O, CPU and Web API Statistics.
  • No Access - Cannot view nor perform any actions in the Statistics submodule (except Network Statistics, which are managed by the HTTP Tracing Permission).

User Sessions

View and remove user sessions in the system.

  • Full Access
    • Can view User Sessions.
    • Can remove User Sessions.
  • No Access - Cannot view nor perform any actions in the User Sessions submodule.

System Configuration

AI Management

View and manage AI agent settings and statistics.

  • Full Access - Can configure Permissions for the available agents
  • Read-Only
    • Can view the list of available agents and the corresponding properties
    • Can browse statistics about agent usage
  • No Access - Cannot view nor perform any actions in the AI Configuration module

Configuration Properties

View and edit the Platform Configuration Properties.

  • Full Access - Can edit Configuration Properties (Content, Server, and Memory).
  • Read-Only - Can view Configuration Properties (Content, Server, and Memory).
  • No Access - Cannot view nor perform any actions in the Configuration Properties submodule.

Email Configurations

View and manage inbound and outbound Email Configurations.

  • Full Access
    • Can view Email Configurations
    • Can add, edit, and delete Email Configurations
  • No Access - Cannot view nor perform any actions in the Email Configurations submodule.

Extensions

View and manage Extensions.

  • Full Access
    • Can upload and delete Extensions
    • Can start and stop Extensions
  • Read-Only
    • Can view and download Extensions
  • No Access - Cannot view nor perform any actions in the Extensions submodule.

Extension Configuration Properties

View and edit the Extension configuration properties.

  • Full Access - Can edit the Extension Configuration (right-click on the Extension and click on Edit Configuration)
  • Read-Only - Can view the Extension Configuration
  • No Access - Cannot view nor edit the Extension Configuration.

LDAP

View and manage LDAP configurations. It requires the LdapSyncAdapter Extension.

  • Full Access - Can upload LDAP configuration files
  • Read-Only - Can view and download LDAP configuration files
  • No Access - Cannot view nor edit LDAP configurations in the LDAP Configurations submodule

Licenses

View and manage Platform licenses.

  • Full Access
    • Can replace License File
    • Can create Licensing Assignment Rules
  • Read-Only
    • Can download Licensing Report
    • Can view License Files
    • Can view Licensing History, Assigned Licenses, and Licensing Assignment Statistics
  • No Access - Cannot view nor perform any actions in the Licenses submodule.

Users/Groups/Roles

View and manage Users/Groups/Roles.

  • Full Access
    • Create, edit and delete Users/Groups/Roles
    • Edit Permissions assigned to Roles
    • (If LDAP Configuration is installed) Upload LDAP configuration files
  • Read-Only
    • View Users/Groups/Roles
  • No Access - Cannot view nor perform any actions in the Users/Groups/Roles submodule.

OpenID Connect Providers

View and manage OpenID Connect providers.

  • Full Access
    • Create and update OpenID Connect Providers
  • Read-Only
    • View OpenID Connect Providers
  • No Access - Cannot view nor perform any actions in the OpenID Connect Providers submodule.