Users, Groups and Roles
KuFlow has a powerful access control system that allows you to model different use cases according to your needs. For example, within an organization we can have users with permission to instantiate certain processes but not all of them. Likewise, we can have users with administrative roles at the process management level that allow them to perform different operations on the set of process instances, without granting them access to user administration, process definitions and other operations.
In this document we identify the different roles, their possible interactions in the system and how they are classified.
First things first
When we talk about "users", we are referring to the human concept of the term. That is, in KuFlow we define a User as an entity that represents one specific human person. However, as specified throughout the documentation on this website, the real power of KuFlow is the possibility of interaction between humans and machines or external systems. To identify access by external (non-human) systems, the concept of an Application is defined as an entity that holds access credentials to the platform and to which different types of access or permissions can be granted.
Users
The "Users" menu in the administration section of the application offers a place to manage the organization's users. From this place it is possible to send invitations for new users to register in our organization.
It is possible to temporarily deactivate a user registered in the system: simply execute the action Deactivate user. This temporary deactivation prevents the user from accessing the organization but doesn't eliminate tasks or processes that the user may have in progress. If the user's access is re-enabled, he/she will be able to continue with his/her pending work.
The Delete user action removes the user from the organization, releasing a user account in your organization. This action is irreversible with respect to the user's pending jobs. If you delete a user with processes that are still running or with unfinished assigned tasks, you will be prompted to change the ownership of these items before proceeding.
Roles
There are different types of roles that can be granted to users. Possession of some of these roles does not imply that you have access to all the resources that their actions encompass. The permissions to resources that you can access will have to be granted individually. This gives greater power to the system.
- Organization Owner: If the user has this role, they will be able to perform administrative tasks in the organization and manage the users that can access the platform.
- Organization Administrator: If the user has this role, they will be able to manage Groups, Applications and Webhooks and create new Process Definitions; the user can then assign more permissions to each Process Definition.
- Default: A user without any of these roles is a general user of your organization. He/she will be able to start processes and complete or claim tasks, as long as the evaluation of permissions on the resources involved resolves in that user's favor.
See section Configure Process Permissions for more information on the Permissions that interact with these Roles.
Groups
Earlier we outlined a role-based access and permissions (RBAC) system that gives fine-grained control within the organization. However, dealing with permissions individually at the User level is somewhat unwieldy and does not scale. This is why the concept of a Group has been defined.
A Group is nothing more than a grouping of users. With this we can set permissions to Groups, avoiding having to list each user with their permission individually. For example, we can have a "HR Managers" Group with all the people who are dedicated to human resources. Subsequently, in the processes related to your business, you could indicate, for example, the Manager permission on this group instead of on each person in it.
To create groups or view their users, go to the "Groups" menu of the application. To indicate that a user belongs to a certain group, you can do so from the same "Users" section.
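The following Python sketch is an added illustration, not KuFlow code or its API. It is a simplified model of the rules described on this page: roles alone do not open a resource, a permission can be granted to a Group instead of to each user, and a deactivated user keeps their grants but cannot use them. The data layout, the `user:`/`group:` principal strings, the role string and the "Vacation request" process are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)    # organization-level roles
    groups: set = field(default_factory=set)
    active: bool = True                        # False after "Deactivate user"

def principals(user):
    """Identities a grant may name: the user itself plus each of its groups."""
    return {f"user:{user.name}"} | {f"group:{g}" for g in user.groups}

def is_allowed(user, grants, process, permission):
    """Roles are ignored on purpose: only per-resource grants decide access."""
    if not user.active:
        return False
    return bool(principals(user) & grants.get(process, {}).get(permission, set()))

def review(users, grants):
    """List every path by which a user holds a permission, flagging stale ones."""
    findings = []
    for process, perms in sorted(grants.items()):
        for permission, named in sorted(perms.items()):
            for user in sorted(users, key=lambda u: u.name):
                for principal in sorted(principals(user) & named):
                    path = "direct" if principal.startswith("user:") else principal
                    state = "ok" if user.active else "deactivated"
                    findings.append((process, permission, user.name, path, state))
    return findings

# Constructed sample data (hypothetical names, not from a real organization).
USERS = [
    User("alice", groups={"HR Managers"}),
    User("bob", roles={"ORGANIZATION_ADMINISTRATOR"}),
    User("carol", groups={"HR Managers"}, active=False),
]
GRANTS = {"Vacation request": {"Manager": {"group:HR Managers", "user:carol"}}}

if __name__ == "__main__":
    for u in USERS:
        print(u.name, is_allowed(u, GRANTS, "Vacation request", "Manager"))
    for finding in review(USERS, GRANTS):
        print(finding)
```

In a periodic access review, the `deactivated` rows are the ones to clean up, and `direct` rows are candidates for replacement by a group grant.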