A process role defines a set of rights and obligations for principals. Principals are assigned to process roles. Permissions are assigned to process roles. Principals as members of roles acquire permissions to perform an action on one or more objects. Objects are, for example, tasks and processes.
Within the SAP NetWeaver platform, various roles already exist, for example, UME (User Management Engine) roles and portal roles. These roles define a set of authorizations for static content. Process roles enable dynamic role-based access control for artifacts that are available during a process lifecycle.
More information: UME Roles and Portal Roles, Authorizations and Roles
In SAP NetWeaver Business Process Management (BPM), we can define processors at task, human activity, and lane level:
Task processors
The task processor can only execute the particular task he or she is assigned to.
Human activity processors
The processor who is assigned to a human activity overrides the task processor. This allows a task to have different processors, because the task, as a reusable entity, can be assigned to multiple human activities, and a different processor can be assigned to each of these activities.
Lane processors
The processor who is assigned to a lane can execute all tasks that are assigned to human activities in this lane. The lane processor overrides the task and human activity processors. If you use a task within a process, the potential processor definition of the surrounding lane takes precedence.
The following table shows the order of precedence of the roles defined at task, human activity, and lane level.
| Process Role Defined |   |   |   |   |   |   |   |
|---|---|---|---|---|---|---|---|
| Task | X | X | X |   | X |   |   |
| Activity | X | X |   | X |   | X |   |
| Lane | X |   | X | X |   |   | X |
| Applied Process Role | Lane | Activity | Lane | Lane | Task | Activity | Lane |
For more information about the artifacts, see Using BPMN Process Models.
The processor is evaluated when the task instance is created at runtime. During this process, UME groups and roles are resolved into UME users. This means that changes to the group or role after the task has been instantiated do not have any effect on that task instance. If, at the time the task instance is created, a user is assigned to a group or role that allows the user to execute the task, the user can continue to work on the task and complete it even if the assignment to the group or role is later changed or canceled. These changes take effect only on future task instances.
Caution
Every user who works on any task in the process can see the whole process context.
To define processors of a task, an activity, or a lane, you set them as potential owners. This means that the assigned processors are authorized to execute the task that is displayed in their universal worklist (UWL). A potential owner becomes the actual processor only when the task is opened. In the process composer, you define the possible processors and give them the authorization to execute the task. When one of the potential owners claims the task, this user becomes the actual owner and therefore the processor of the task. In addition, the task is removed from the task list of all other potential owners.
You define potential owners on task level in the task editor, and at human activity and lane level in the properties.
If principal propagation is active, the principal information of the actual owner is propagated in the process flow and can later be consumed by an automated activity.
More information: Principal Propagation, Defining Potential Owners
Excluded owners are principals excluded from processing a task in the process model. This is required so that you can exclude users from approving their own request.
Example
A purchasing order process model contains an Order Request task and an Order Approve task. The requester and the person who approves the order should be different persons, that is, the requester is excluded from processing the approval task.
You define excluded owners on task level in the task editor, and at human activity and lane level in the properties.
More information: Defining Excluded Owners
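The resolution rules described above (lane over activity over task, owners resolved once when the task instance is created, excluded owners removed, claim by one potential owner), as an added Python model that is not SAP code or the BPM API. The group names, users, the single excluded set and the stale_owners audit helper are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample directory standing in for UME groups: group -> members.
GROUPS = {"Purchasers": {"alice", "bob"}, "Managers": {"carol", "alice"}}

def applied_role(task=None, activity=None, lane=None):
    """Return (level, group) per the precedence table: lane > activity > task."""
    for level, group in (("Lane", lane), ("Activity", activity), ("Task", task)):
        if group is not None:
            return level, group
    raise ValueError("no process role defined")

@dataclass
class TaskInstance:
    name: str
    potential_owners: frozenset  # users resolved once, at instance creation
    source_group: str
    actual_owner: str = None

    def claim(self, user):
        """A potential owner becomes the actual owner; nobody else can claim."""
        if self.actual_owner is not None or user not in self.potential_owners:
            raise PermissionError(f"{user} may not claim {self.name}")
        self.actual_owner = user  # task leaves the other owners' task lists

def create_instance(name, directory, excluded=(), **roles):
    """Resolve the applied group into users now; later group changes are not seen."""
    _, group = applied_role(**roles)
    owners = frozenset(directory[group]) - set(excluded)
    return TaskInstance(name, owners, group)

def stale_owners(instance, directory):
    """Audit helper (hypothetical): owners the group no longer contains."""
    return set(instance.potential_owners) - directory.get(instance.source_group, set())

def demo():
    directory = {g: set(m) for g, m in GROUPS.items()}
    # Order Approve: task role Purchasers, lane role Managers (lane wins);
    # alice is the requester and therefore an excluded owner.
    approve = create_instance("Order Approve", directory, excluded={"alice"},
                              task="Purchasers", lane="Managers")
    directory["Managers"].discard("carol")  # assignment canceled after creation
    return approve, stale_owners(approve, directory)
```

In this model carol can still claim and complete the instance after leaving the group, which is why running task instances need to be reviewed when a group or role assignment is withdrawn.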
To enable users to access tasks in the universal worklist (UWL) and to execute tasks within a BPM process, you need to assign BPM portal roles to them.
More information: Configuring BPM Users
The actual owner of a task can invite other contributors at runtime to work on this task instance. Every user can be a contributor, except excluded owners. Contributors to a task can see the whole process context. They can monitor the task execution and can add notes and attachments, but cannot complete the task instance. Users who are invited to contribute to a task receive the task in the universal worklist (UWL). When contributors open the task, they see who the actual owner is and the task description, if any.
More information: Sharing a Task
A business process administrator can execute administration tasks for processes, activities, or tasks.
Possible categories of administration tasks to influence the process flow:
Process Administration
The business process administrator can suspend, resume, and terminate a process.
More information: Managing and Monitoring Processes, Displaying and Starting Processes in the Process Repository
Task Administration
The business process administrator can, for example, execute, forward, suspend, and resume a task, and change the deadlines and priority of an activity or of a task.
More information: Managing and Monitoring Tasks
Troubleshooting
The business process administrator can use the process debugging functionality in the process composer to go step-by-step through a running process to locate and analyze errors that occur. The administrator can also use the Troubleshooting tool integrated in the SAP NetWeaver Administrator to check for the availability of BPM components and subsystems.
More information: Debugging Processes, Process Troubleshooting
Note
To be able to debug processes, you need the SAP_BPM_Debug role. For more information, see Authorizations and Roles.
Monitoring
The business process administrator can use the SAP NetWeaver Administrator tools to monitor and manage processes and tasks.
More information: Managing and Monitoring Processes and Tasks with SAP NetWeaver Administrator
If you do not assign a business process administrator, the above-mentioned tasks are available only to the technical administrator, who is assigned to the role SAP_BPM_SuperAdmin.