Authorization

Authorization in ProcessMaker IDP ensures secure and controlled access to documents and resources. It is based on role-based access control (RBAC), where permissions are managed through roles and policies rather than individual users. Here’s what users can expect:

Role-Based Access Control

Permissions are determined by roles, which are assigned by administrators. Roles define what actions users can perform, such as reading, creating, or modifying documents.

Permissions and Policies

• Policies link roles to specific permissions and entities, determining the actions users can take. For instance, a policy might allow users to read a document but not edit it.

• Policies ensure users have access to necessary resources without compromising security.

User Experience

• Depending on their role, users will see different options and actions available in the document management interface.

• For example, a manager might have the ability to create and manage folders, while an employee might only have access to upload and view documents within their assigned folders.

---

Data Model

ProcessMaker IDP is based on role-based access control. Permissions are therefore managed through roles and policies rather than on a user-based level. Users and roles are managed in Keycloak, where policies and permissions are managed in the datastore.

---

Enabling/Disabling Authorization

By default, authorization is not enabled. It can be enabled at the environment and entity type levels. Authorization is automatically enabled on an environment once the DOCULAYER_ADMIN role is created. This role can perform all actions even if no policies are defined.

System Entities

When authorization is enabled for the environment, create, modify, and delete actions are disabled for non-admin users on system entities. System entities have the SYSTEM_ENTITY attribute set to true. Read actions are still possible for all users.

Non-System Entities

When authorization is enabled, all actions on non-system entities are still permitted for all users. Authorization for these entities can be enabled by setting the ENABLE_AUTHORIZATION attribute to true.

Flexible Data Model

Enabling authorization on an entity type will automatically trigger the creation of a _POLICY entity and the addition of the PROPAGATE and INHIBIT_PROPAGATION attributes. Disabling authorization on an entity type will not remove these attributes to prevent data loss.

---

Authorization Logic

The system checks several conditions to determine if a user can perform a requested action on non-system entities. The following questions show the general logic of this operation:

• Is the DOCULAYER_ADMIN role present in ProcessMaker IDP?

• Is the ENABLE_AUTHORIZATION value true for the entity the user wants to act on?

• Does the user have one or more policies assigned with a permission that corresponds to the action they want to perform?

• Does the entity have at least one policy assigned that matches the relevant user policies?

---

Create Flow

Create Permission

Authorization for a create request differs from other types of requests. Since it is not possible to check permissions on an entity that has not yet been created, the create permission applies at the entity type level rather than the entity instance level, as with read, modify, and other permissions. Therefore, the create permission should only be used in relation to an entity type

• It is highly recommended to separate policies that contain the create permission to prevent confusion.

• The create permission determines whether the current user can create an entity of a specific type.

Example:

• For a file, this translates to: Can the user upload a file to the system? This does not relate to any specific folder at this point.

Foreign Key Permission

In addition to the create permission, foreign key permissions might also apply to a create request. Foreign key permissions are relevant when the created entity contains one or more references. The permissions of the referenced items are considered.

Foreign key permissions provide the functionality to limit the folders in which a user can upload a file.

• Foreign key permissions determine whether the current user can create an entity of type X that contains a reference to item Y.

• For example, for a file, this means: Can the user create a file X that contains a reference to folder Y?

---

User Permissions

User permissions determine who is allowed to perform specific actions within ProcessMaker IDP. These permissions are set to control access and define the capabilities of each user, ensuring that only authorized individuals can perform certain tasks, such as creating, reading, modifying, or deleting documents and folders. This structure helps maintain security and order within the system by clearly defining user roles and their corresponding permissions.

User

Users are created and stored in Keycloak. A user can be assigned one or more roles.

Roles

• Roles are created in Keycloak and synced with the ROLE table in the datastore,

• Roles should never be created directly in ProcessMaker IDP.

• The relationship between roles and users is managed in Keycloak, where a user can have multiple roles. Permissions are assigned to roles through one or more policies. For example, an ADMIN role may have full permissions, while a READ_ONLY role may only have read permissions.

• Roles can also be created for a single user, such as ROLE_ALICE. Roles are implementation-specific, allowing for tailored access control based on the needs of the organization.

Policies

• Policies are the core of the authorization model in ProcessMaker IDP.

• They connect users (through roles) to permissions and resources (entities) for which these permissions are applied. For example, for a user to be authorized to read the contents of a folder, a policy must exist that is assigned to the user through a role, assigned to the specific folder, and includes the READ permission.

• Policies are implementation-specific, allowing for customized access control based on organizational needs.

Example:

For instance, a role called EMPLOYEE could have policies like EMPLOYEE_RMD and EMPLOYEE_READ_ONLY. A user with the EMPLOYEE role can read, modify, and delete any resources associated with the EMPLOYEE_RMD policy but can only read resources associated with the EMPLOYEE_READ_ONLY policy.

Permissions

Permissions represent individual actions that can be performed on a resource. Permissions are fixed values in ProcessMaker IDP and they should not be changed for individual implementations. Permissions are stored in the datastore as a DOMAIN. The following permissions are available:

• Read: A user with this permission can view the attributes and content of an entity.

• Create: A user with this permission can create an entity.

• Modify: A user with this permission can view/update the attributes and content of an entity. And also create/modify annotations of an entity.

• Delete: A user with this permission can delete an entity.

• Read permissions: A user with this permission can view permissions of an entity.

• Modify permissions: A user with this permission can view and update permissions of an entity.

• Download: A user with this permission can view only the attributes of an entity but not the content of an entity, so a user cannot download the content of an entity.

---

Entity Permissions

When authorization is enabled for an entity type, a corresponding _POLICY entity is created to store the authorization policies. When authorization is disabled, the _POLICY entity is not removed automatically to prevent data loss. It can still be removed from the admin panel.

TYPE_POLICY

The TYPE_POLICY table is used to set policies on entity instance-level. Policy permission behavior is as follows:

• Create: no effect

• Modify: can modify this specific record (for updating references, additional permissions are required - see foreign key permissions)

• Delete: can delete this specific record

• Read: can read this specific record

• Download: can download the content of this specific record

ENTITY_POLICY

An ENTITY_POLICY entity always exists because it is part of the core schema. This table will be used for checking the CREATE permission for entity types when creating the instance on root level. For example, creating a file without parent folder.

Other permissions (update/modify/delete) on policies assigned in this table, apply to the record of the referenced entity in the Entity table (and are therefore very powerful).

• Create: can create instances of this entity type (for creating references, additional permissions are required - see foreign key permissions)

• Modify: can modify this record in the Entity table

• Delete: can modify this record in the Entity table

• Read: can read this record in the Entity table

• Download: no effect

FOREIGN_KEY_PERMISSION

In the ProcessMaker IDP datastore, all relations between entities are defined by the means of foreign keys. Authorization on relations can, therefore, be accomplished by restricting a users ability to create foreign key references.

As an example consider a folder/file structure:

When a user is only allowed to upload files to a folder Folder A and not to Folder B, this effectively translates to: the user can create instances of the file entity, only if the FOLDER_ID (PARENT_ID in FILE entity) attribute refers to Folder A. In order to be able to create files in Folder A, this user should have at least a policy with create permission for file instances and a policy with a foreign key create permission on the FOLDER_ID of Folder A assigned. Because a user might in some cases only be allowed to make references from certain entity types, a general create permission on the parent

---

Policy Inheritance

For any user to perform actions on an entity, the entity must have policies assigned. Since manually adding these policies can be time consuming, they can be inherited from a list of default policies. Default policies can be defined at the entity type level or based on a relation.

Entity-Level Default Policies:

Entity level inheritance (entity default policies)

Entity-level default policies are defined in the ENTITY_DEFAULT_POLICY table. The entity-level default policies are the same for all users. For example, if any user adds a new dossier it should be visible for users with the policies READ_ONLY, EDITOR and ADMIN. Then these policies should be assigned to the FOLDER entity in the ENTITY_DEFAULT_POLICY table.

Relation level inheritance (foreign key permission default policies)

Foreign key permissions default policies provide the possibility to define default policies based on a relation. If such a definition is present this will overwrite the entity level default policies. For example, if a folder is only visible to users with the policy FOLDER_ONE_MANAGER. It is likely that files uploaded to this folder should also only be available to users with this policy. The default policies for this folder should, therefore, be set to FOLDER_ONE_MANAGER.

---

Policy Propagation

Policy propagation allows the inheritance of parent-level permissions to child entities. This allows users to control how permissions are inherited within their entity relationships, ensuring that permissions are appropriately managed according to their organizational requirements.

Propagate Permissions

The parent-child relationship is determined by the foreign keys of an entity. When creating the foreign keys for an entity type, users must specify which foreign key relationship represents the parent-child relation by selecting an attribute. This is necessary because an entity may have multiple foreign keys.

When permissions in a parent-child relationship are modified, these changes can be automatically propagated to the child entities.

Policy propagation occurs only if the parent’s propagate flag is set to true and the child's inhibit propagate flag is set to false.

Inhibit Propagate Permissions

The Inhibit Propagate feature prevents the inheritance of parent-level permissions to child entities. When permissions are propagated from a parent to a child, setting the child’s inhibit propagate flag to true will disable the propagation for that specific parent-child relationship.

User Interface

User Interface support for authorization is not part of the current release. No default routes are available for any of the authorization entities however, roles, policies, and permissions can be created through the admin panel. If authorization is configured correctly, policies are inherited during the creation of entities.

See an example of how to configure authorization in ProcessMaker IDP.