Permissions

A permission is a string of characters structured as follows: feature=action. It allows the user to perform an action on a feature.

This section explains which user permissions are required to be allowed to perform specific actions on the various P6 services.

The permissions are cumulative.

For example, to edit service items related to a specific service via P6 Portal, you need to:

have access to the service UI via the Portal,
be allowed to list and read the service items,
have the permission to edit service items.

Except if you have an admin permission on this service (service_name=*), if it exists.

A user with a *=* permission can perform any action on the instance. No other permissions are needed.

Accounts (P6 Console)¶

Note

Permission account=read is required everywhere on P6 Console

Feature	Permission
See the ‘Account’ menu entry in P6 Console	`account=view`
Read account information	`account=read`
Edit account information	`account=edit`
All	`account=*`

Permissions required to access the service via P6 Console with…

read-only rights: account=view and account=read
edit rights: account=view and account=read and account=edit
all rights: account=*

Applications¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Applications’ menu entry in P6 Portal	`applications=view`
List and read applications	`applications=read`
Edit applications	`applications=edit`
Delete applications	`applications=delete`
Do everything on the service	`applications=*`

Permissions required to access the service via P6 Portal with…

read-only rights: applications=view and applications=read
edit rights: applications=view andapplications=read and applications=edit
delete rights: applications=view and applications=read and applications=delete
all rights: applications=*

Application Configurations¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Configuration’ menu entry in P6 Portal	`appconfig=view`
List and read app configurations	`appconfig=read`
Edit app configurations	`appconfig=edit`
Delete app configurations	`appconfig=delete`
Do everything on the service	`appconfig=*`

Permissions required to access the service via P6 Portal with…

read-only rights: appconfig=view and appconfig=read
edit rights: appconfig=view andappconfig=read and appconfig=edit
delete rights: appconfig=view and appconfig=read and appconfig=delete
all rights: appconfig=*

Application Profiles (P6 Console)¶

Note

The edit action includes: create, update, assign and unassign to instance.

Feature	Permission
See the ‘Application Profiles’ menu entry in P6 Console	`application-profiles=view`
List and read application profiles	`application-profiles=read`
Edit application profiles	`application-profiles=edit`
Delete application profiles	`application-profiles=delete`
Do everything on the service	`application-profiles=*`

Permissions required to access the service via P6 Console with…

read-only rights: account=read and application-profiles=view and application-profiles=read
edit rights: account=read and application-profiles=view and application-profiles=read and application-profiles=edit (on account)
assign / unassign rights: account=read and application-profiles=view and application-profiles=read and application-profiles=edit (on account and instance)
delete rights: account=read and application-profiles=view and application-profiles=read and application-profiles=delete
all rights: account=read and application-profiles=*

Bundled Resources¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Bundled Resources’ menu entry in P6 Portal	`bundledresources=view`
List and read bundled resources	`bundledresources=read`
Edit bundled resources	`bundledresources=edit`
Delete bundled resources	`bundledresources=delete`
Do everything on the service	`bundledresources=*`

Permissions required to access the service via P6 Portal with…

read-only rights: bundledresources=view and bundledresources=read
edit rights: bundledresources=view andbundledresources=read and bundledresources=edit
delete rights: bundledresources=view and bundledresources=read and bundledresources=delete
all rights: bundledresources=*

Buttons¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Buttons’ menu entry in P6 Portal	`buttons=view`
List and read buttons	`buttons=read`
Edit buttons	`buttons=edit`
Delete buttons	`buttons=delete`
Execute the handler endpoints	`buttons=display`
Do everything on the service	`buttons=*`

Permissions required to access the service via P6 Portal with…

handler-only rights: buttons=display
read-only rights: buttons=view and buttons=read
edit rights: buttons=view andbuttons=read and buttons=edit
delete rights: buttons=view and buttons=read and buttons=delete
all rights: buttons=*

Charts¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Charts’ menu entry in P6 Portal	`charts=view`
List and read charts	`charts=read`
Edit charts	`charts=edit`
Delete charts	`charts=delete`
All	`charts=*`

Permissions required to access the service via P6 Portal with…

read-only rights on all Charts: charts=view and charts=read
read-only rights on specific Charts: charts=view and charts=read('Chart1','Chart2')
edit rights on Charts: charts=view andcharts=read and charts=edit
delete rights on Charts: charts=view and charts=read and charts=delete
all rights: charts=*

Counters¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Counters’ menu entry in P6 Portal	`counters=view`
List and read counters	`counters=read`
Edit counters	`counters=edit`
Delete counters	`counters=delete`
All	`counters=*`

Permissions required to access the service via P6 Portal with…

read-only rights: counters=view and counters=read
edit rights: counters=view andcounters=read and counters=edit
delete rights: counters=view and counters=read and counters=delete
all rights: counters=*

Dashboard (P6 Console)¶

Note

The P6 Console dashboard contains information that comes from various services. Therefore, to view that information, in addition to dashboard=view the following permissions should be applied: account=read, instances=read (both account and instances) and application-profiles=read. Otherwise, the dashboard would be available but empty.

Feature	Permission
See the ‘Dashboard’ menu entry and view the dashboard in P6 Console	`dashboard=view`

Permissions required to access the service via P6 Console with…

read-only rights: account=read, dashboard=view, instances=read (both account and instances) and application-profiles=read.

Data Models¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Data Model’ menu entry in P6 Portal	`datamodels=view`
List and read data models	`datamodels=read`
Edit data models	`datamodels=edit`
Delete data models	`datamodels=delete`
All	`datamodels=*`

Permissions required to access the service via P6 Portal with…

read-only rights: datamodels=view and datamodels=read
edit rights: datamodels=view anddatamodels=read and datamodels=edit
delete rights: datamodels=view and datamodels=read and datamodels=delete
all rights: datamodels=*

Documents¶

Permissions related to documents go with the feature documents or transactions.

Permission scope	Description
`transactions=view` OR `transactions=edit-form` OR `transactions=edit-all` OR `documents=view`	The user can view the content of a document.
`documents=edit-form`	The user can edit the document, only if a form is provided (`formjs` for the moment) and only via the form display (no access to source / raw content).
`documents=edit-all`	The user can edit a document via a form if one is provided or its raw content directly.
`documents=*`	The user can view and edit a document.

Email Profiles¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Email Profiles’ menu entry in P6 Portal	`email=view`
List and read email profiles	`email=read`
Edit email profiles	`email=edit`
Delete email profiles	`email=delete`
All	`email=*`

Permissions required to access the service via P6 Portal with…

read-only rights: email=view and email=read
edit rights: email=view andemail=read and email=edit
delete rights: email=view and email=read and email=delete
all rights: email=*

Forms¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Forms’ menu entry in P6 Portal	`forms=view`
List and read forms	`forms=read`
Edit forms	`forms=edit`
Delete forms	`forms=delete`
Execute the handler endpoints	`forms=display`
Do everything on the service	`forms=*`

Permissions required to access the service via P6 Portal with…

handler-only rights: forms=display
read-only rights: forms=view and forms=read
edit rights: forms=view andforms=read and forms=edit
delete rights: forms=view and forms=read and forms=delete
all rights: forms=*

Frames¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Frames’ menu entry in P6 Portal	`frames=view`
Read frames	`frames=read`
Edit frames	`frames=edit`
Delete frames	`frames=delete`
All	`frames=*`

Permissions required to access the service via P6 Portal with…

read-only rights: frames=view and frames=read
edit rights: frames=view andframes=read and frames=edit
delete rights: frames=view and frames=read and frames=delete
all rights: email=*

Instances (P6 Console)¶

Note

The edit action includes: create and update.
The read action includes: download .env file.

Feature	Permission
See the ‘Instances’ menu entry in P6 Console	`instances=view`
List and view instances	`instances=read`
Edit instance configurations	`instances=edit`
Delete instances	`instancess=delete`
All	`instances=*`

Permissions required to access the service via P6 Console with…

read-only rights: account=read and instances=view and instances=read
edit rights: account=read and instances=view and instances=read and instances=edit
delete rights: account=read and instances=view and instances=read and instances=delete
all rights: account=read and instances=*

Home Pages¶

Note

The edit action includes: customize, create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Home’ menu entry in P6 Portal	`homepages=view`
List and read home pages	`homepages=read`
Edit home pages	`homepages=edit`
Delete home pages	`homepages=delete`
Customize home pages	`homepages=customize-own`
Access to charts when editing home pages	`homepages=charts`
Access to counters when editing home pages	`homepages=counters`
Access to frames when editing home pages	`homepages=frames`
All	`homepages=*`

Permissions required to access the service via P6 Portal with…

read-only rights on all Home Pages: homepages=view and homepages=read
read-only rights on a specific Home Page: homepages=view and homepages=read('HomePageName')
rights to customize Home Pages: homepages=view and homepages=read and homepages=customize-own
rights to edit/configure Home Pages with Charts, Counters and Frames: homepages=view and homepages=read and homepages=edit and homepages=charts and homepages=counters and homepages=frames
delete rights on Home Pages: homepages=view and homepages=read and homepages=delete
all rights on Home Pages: homepages=*

Customizing a Home Page allows a user to apply and save personal changes - like resizing modules, moving them, hiding some, etc.

Identity Tokens¶

Feature	Permission
Allow generation of identity-only JWT via the `Users` DSL	`identitytoken=build`

This is typically only required by the p6core Integration defined for an instance

Local UI Test¶

To be completed

Organizations¶

Note

The edit action includes: create, update.
The read action includes: export.

Feature	Permission
See the ‘Organizations’ menu entry in P6 Portal	`orgs=view`
Read nodes in the organizational tree	`orgs=read`
Edit nodes in the organizational tree	`orgs=edit`
Delete Nodes in the Organization	`orgs=delete`
All	`orgs=*`

Permissions required to access the service via P6 Portal with…

rights to get node(s) from the organizational tree: orgs=view and orgs=read
rights to edit the organizational tree: orgs=view and orgs=read and orgs=edit
rights to delete an organization: orgs=view and orgs=read and orgs=delete
all rights: orgs=*

Warning

When a node is deleted, all child nodes are also removed.
A user with the orgs=delete permission can only delete a node below it’s current assigned node.

Routes¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Routes’ menu entry in P6 Portal	`routes=view`
List and read the routes	`routes=read`
Edit and execute the routes	`routes=edit`
Delete routes	`routes=delete`
All	`routes=*`

Permissions required to access the service via P6 Portal with…

read-only rights: routes=view and routes=read
edit and execute rights: routes=view and routes=read and routes=edit
Delete Routes: routes=view and routes=read and routes=delete
all rights: routes=*

Routing Orders¶

Note

The edit action includes: update.
The read action includes: export.

Feature	Permission
See the ‘Routing Orders’ menu entry in P6 Portal	`routingorders=view`
List and read routing orders	`routingorders=read`
Edit and reprocess routing orders	`routingorders=edit`
Delete Routing Orders	`routingorders=delete`
All	`routingorders=*`

Permissions required to access the service via P6 Portal with…

read-only rights: routingorders=view and routingorders=read
edit and reprocess rights: routingorders=view androutingorders=read and routingorders=edit
delete rights: routingorders=view and routingorders=read and routingorders=delete
all rights: routingorders=*

Service control¶

Allow users to see the service status and start/stop buttons on the top right

Note

The edit action includes: read.

Feature	Permission
See service status	`servicecontrol=read`
Start service	`servicecontrol=edit`
Stop service	`servicecontrol=edit`

Permissions required to access the service via P6 Portal with…

view and read: Any service.

Scripts¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Scripts’ menu entry in P6 Portal	`scripts=view`
List and read scripts	`scripts=read`
Execute scripts	`scripts=run`
Edit scripts	`scripts=edit`
Delete Scripts	`scripts=delete`
All	`scripts=*`

Permissions required to access the service via P6 Portal with…

read-only rights: scripts=view and scripts=read
execute rights: scripts=view andscripts=read and scripts=run
edit rights: scripts=view andscripts=read and scripts=edit
delete rights: scripts=view and scripts=read and scripts=delete
all rights: scripts=*

Stored Procedures¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Stored Procedures’ menu entry in P6 Portal	`storedprocedures=view`
List and read stored procedures	`storedprocedures=read`
Edit stored procedures	`storedprocedures=edit`
Delete stored procedures	`storedprocedures=delete`
All	`storedprocedures=*`

Permissions required to access the service via P6 Portal with…

read-only rights: storedprocedures=view and storedprocedures=read
edit rights: storedprocedures=view andstoredprocedures=read and storedprocedures=edit
all rights: storedprocedures=*

Tables¶

Note

The edit action includes: create, update, rename, duplicate and import.
The allow action includes: export.

Feature	Permission
See the ‘Tables’ menu entry in P6 Portal	`tables=view`
Allow access to all Tables and their records (read-only)	`tables=allow(*)`
Allow access to Table1 and Table 2 (read-only)	`tables=allow('Table1'(), 'Table2'())`
Allow access to the records in Table1 where column1 has the value1	`tables=allow('Table1'('column1'='value1'))`
Edit the structure of allowed Tables	`tables=edit-table`
Delete the structure of allowed Tables	`tables=delete-table`
Edit records of allowed Tables	`tables=edit-data`
Delete the records on allowed Tables	`tables=delete-data`
Do anything on the Tables service	`tables=*`

Permissions required to access the service via P6 Portal with…

read-only rights on all Tables: tables=view and tables=allow(*)
read-only rights on specific Tables: tables=view and tables=allow('Table1(*)','Table2(*)')
edit rights on Tables structure: tables=view and tables=allow(*) and tables=edit-table
edit rights on Tables structure and data: tables=view and tables=allow(*) and tables=edit-table and tables=edit-data
delete rights on Tables structure and records: tables=view and tables=allow(*) and tables=delete-table and tables=delete-data
all rights: tables=allow(*) and tables=*

Transactions¶

A user with transactions=* and transactions=allow(*) permissions will have access to all “Transactions” and “Workflow Tasks”.

Note

The transactions permissions apply to both Transactions and Workflow Tasks. In order to search and display Transactions and Workflow Tasks, Views are required. There are two types of Views, for Transactions and for Workflow Tasks.

Access to Transactions

In order to have access to Transactions, the transactions=view permissions and a variant of the allow permission are required:

Feature	Permission
Allow access to all types of Transactions (Transactions and Workflow Tasks), across all Views	`transactions=allow(*)`
Allow access to Transactions thanks to a transaction-typed View called `TxView1`	`transactions=allow('TxView1'(*))`
Allow access to Transactions thanks to two transaction-typed Views	`transactions=allow('TxView1'(),'TxView2'())`
Allow access to Transactions that are assigned to the user’s branch via View `TxView1`	`transactions=allow('TxView1'(BRANCH))` and `orgs=read`
Allow access to Transactions that are assigned to the user’s unit via View `TxView1`	`transactions=allow('TxView1'(UNIT))` and `orgs=read`
Allow access to Transactions that are assigned to the user via View `TxView1`	`transactions=allow('TxView1'(USER))` and `orgs=read`
Allow access to Transactions that are assigned to the user’s email address via View `TxView1`	`transactions=allow('TxView1'('UserEmail'='%USER.EMAIL%'))`
Allow access to Transactions matching a condition on a searchable field of a View	`transactions=allow('TxView1'('Searchable_Name'='VALUE'))`

You can use multiple Searchable in the matching condition. All different Searchable will be see as an AND and same Searchable as an OR

Example

Searchable combination:
- Permission: transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy'))
- Result: (Searchable_Name=’VALUE’ AND Searchable_Surname=’dummy’)
Multiple Searchable:
- Permisson:transactions=allow('TxView1'('Searchable_Name'='VALUE', 'Searchable_Surname'='dummy', 'Searchable_Surname'='ipsum'))
- Result: (Searchable_Name=’VALUE’ AND (Searchable_Surname=’dummy’ OR Searchable_Surname=’ipsum’))

Other Permission sets

Permission scope	Description
`transactions=view`	The user can search transactions (within the filters specified in allow) and view the content of the transactions.
`transactions=hide-detail`	The user will not be shown the view button to access transaction details and will not be allowed to select the details by double-clicking the list item. (the `View` action button is not displayed and no double clicking)
`transactions=edit-form`	The user can edit and save a transaction, only if a form is provided (`formjs` for the moment) and only via the form display (no access to XML source).
`transactions=edit-all`	The user can view, edit and save a transaction. Changing the values of the element that constitutes the keys of the transaction will currently create a new transaction (it is an upsert).
`transactions=reprocess`	The user can trigger the reprocessing of a transaction.
`transactions=delete`	The user can delete a transaction.
`transactions=*`	The user can view, edit, reprocess and delete a transaction.

Create a new Transaction

Note

The messages submit library has not been migrated yet, thus the permission’s feature is still messages.

You have to enable a variant of the submit permission:

Feature	Permission
See the ‘Create transaction’ and ‘Upload files’ buttons and be allowed to submit files in order to create transactions	`messages=submit(*)`
See the ‘Create transaction’ button and be allowed to submit one or more files in order to create a single transaction	`messages=submit('single')`
See the ‘Upload files’ button and be allowed to submit one or more files in order to create one to multiple transactions	`messages=submit('bulk')`

User Administration¶

Feature	Permission
See the ‘User Administration’ menu entry in P6 Portal	`admin=view`
List and read users	`users=read('./*')`
Create and Edit users (cannot delete users)	`users=edit`
Edit users (cannot delete users)	`users=update`
Allows SSO users ONLY to set a password, not required for non-SSO users	`users=assign-password`
Allows SSO users ONLY to delete their account, not required for non-SSO users	`users=delete-account`
Do everything on users	`users=*`
List and read permission sets	`permsets=read('*')`
Edit permission sets	`permsets=edit`
Do everything on permission sets	`permsets=*`
List and read integrations	`integrations=read`
Edit integrations	`integrations=edit`
List and read SSO connections	`sso=read`
Edit SSO connections	`sso=edit`
Delete SSO connections	`sso=delete`
Default SSO name on association	`users=edit('default.sso_name','MySSO')`

Permissions required to access the service via P6 Portal with…

read-only rights on users: admin=view and users=read('./*')
create rights on users: admin=view and users=read('./*') and users=edit
edit rights on users: admin=view and users=read('./*') and users=update or users=edit
all rights on users: admin=view and users=read('./*') and users=*
read-only rights on permissions: admin=view and permsets=read('*')
edit rights on permissions: admin=view and permsets=read('*') and permsets=edit
all rights on permissions: admin=view and permsets=*
rights to manage users and assign them a limited list of permission sets: admin=view and user=read('./*')and users=editand permsets=read('PermSet1','PermSet2')

Note

When using the default.sso_name permission, the admin user is expected to not have sso=read or any other users=edit permission This ensures the list of possible SSO connections is not displayed to the user and the default value defined in the users=edit('') parameter list is used when associating a new user

Views¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Views’ menu entry in P6 Portal	`views=view`
List and read the views	`views=read`
Edit the views	`views=edit`
All	`views=*`

Permissions required to access the service via P6 Portal with…

read-only rights: views=view and views=read
edit rights: views=view andviews=read and views=edit
all rights: views=*

Workflow Steps¶

Note

The edit action includes: create, update, rename, duplicate and import.
The read action includes: export.

Feature	Permission
See the ‘Workflow Steps’ menu entry in P6 Portal	`workflowsteps=view`
List and read the workflow steps	`workflowsteps=read`
Edit the workflow steps	`workflowsteps=edit`
All	`workflowsteps=*`

Permissions required to access the service via P6 Portal with…

read-only rights: workflowsteps=view and workflowsteps=read
edit rights: workflowsteps=view andworkflowsteps=read and workflowsteps=edit
all rights: workflowsteps=*

Workflow Tasks¶

Access to Workflow Tasks

In order to have access to Workflow Tasks, the transactions=view permission and a variant of the allow permission are required:

Feature	Permission
Allow access to all types of Transactions (Transactions and Workflow Tasks) across all Views	`transactions=allow(*)`
Allow access to Workflow Tasks thanks to a workflow-typed View called `WfView1`	`transactions=allow('WfView1'(*))`
Allow access to Workflow Tasks thanks to two workflow-typed Views	`transactions=allow('WfView1'(),'VfView2'())`
Allow access to Workflow Tasks that are assigned to the user’s branch via View `WfView1`	`transactions=allow('WfView1'(BRANCH))` and `orgs=read`
Allow access to Workflow Tasks that are assigned to the user’s unit via View `WfView1`	`transactions=allow('WfView1'(UNIT))` and `orgs=read`
Allow access to Workflow Tasks that are assigned to the user’s email address via View `WfView1`	`transactions=allow('WfView1'('Assignee'='%USER.EMAIL%'))`
Allow access to Workflow Tasks matching a condition on a searchable field of a View	`transactions=allow('WfView1'('Searchable_Name'='Value'))`

Workflow Assignees

On each Workflow Step, there is an <Assignee> section that defines who the Workflow Tasks will be assigned to.

To be part of the Assignees, a user shall have a Permission set that contains the permission defined in the ‘scope’ attribute.

For example, if the Workflow Step contains the following configuration: <Assignee name="PO Approvers" path="/Acme_Prod/Customer_Service" type="UNIT" scope="workflow=role('PO review and approbation')"> then users shall have the workflow=role('PO review and approbation') permission to be part of the assignees.