IBM Sterling



Status: Functionality already exists
Categories: Security
Created by: Guest
Created on: Oct 29, 2024

Only specific user should have access to specific BP Primary document and Instance Data

We have a business scenario where, for security reasons, we want only allowed user(s) to have access to a specific BP flow execution. All users / superusers who are not allowed to view this data should not be able to view the Primary Document / Instance Data associated with this specific BP.

What is your industry? Healthcare
How will this idea be used?

As a security measure, we can restrict specific users to view only specific data.

  • Guest
    Apr 2, 2025

    Hi Mark,


    Thank you for your response. Actually, the business scenario is that we have a federal client, so even within the superuser we have sub-categories of superusers who should not view this federal data and its process flow execution in the dashboard.

    So far my understanding is, there is no way we can have restrictions on the superuser account. If the user is a superuser then he will have the highest level of privilege. Users that should not view or access any federal data should not be granted superuser permissions.


    Thanks,

    Sheela

  • Admin
    Mark Allen
    Apr 2, 2025

    Hi Sheela,


    Our recommendation would be to remove permissions to the BP for those users who should not be able to view BPs, and they will lose the ability to execute the BPs as well.

    The super user role is generally reserved for those users who need access to everything. If there are users who should not view BPs but are super users, then they should not have the super user role assigned. You may want to consider granting these users multiple individual/granular permissions to just what they need instead of the full super user set. Another alternative is to create a group with the necessary multiple individual permissions and add users to that group.

  • Guest
    Feb 26, 2025

    Hi Mark,

    Yes, removing permissions to the BP will help. Also, it's OK if the user doesn't have execute permissions. I have a small doubt: even if the user is an admin (super user), can we remove permissions for the admin account on that one specific BP?

    Thanks,

    Sheela

  • Admin
    Mark Allen
    Feb 26, 2025

    Thank you for your reply. We have a few more questions to understand the broader use case:

    • If a user should not be able to see the BP history including if it's been executed or not, would removing the permission to the BP satisfy your requirement?

      • A consequence of this would be to prevent the user from executing the BP - is this OK?


    I'm looking forward to your response. Once I can develop a clear picture of your request, I'll be able to let you know if we can add your idea to our future offering roadmap.

  • Guest
    Feb 12, 2025

    Hi Mark,


    Thank you for your response. The obscure service will encrypt the process data & primary document. But I am looking for a solution where the user should not be allowed to view the business process execution itself.

    If we use the obscure service in the BPML, the data will be encrypted from the point the service is used. We will still be able to view the data in the process flow prior to the obscure service call.

    The requirement is that the data (process + primary) should not be visible to the users (in the entire process flow) if they are not authorized to view it.


    Thanks,

    Sheela


  • Admin
    Mark Allen
    Feb 12, 2025

    Thank you for taking the time to provide your ideas to IBM. I truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations and ideas.

    I need a little more information to understand your idea.

    We currently have a couple of services to help obscure sensitive data that could be added to your BP. Would this satisfy what you are looking for?

    I'm looking forward to your response. Once I can develop a clear picture of your request, I'll be able to let you know if we can add your idea to our future offering roadmap.