Granting and Revoking System Privileges

System privileges can be granted to a custom role for all objects of a type in a partition or system-wide. Custom roles are created in the authentication system, they are created in Redwood Server as soon as a user with that role logs on.

You cannot modify any of the core, predefined, or user access roles:

Core roles (always required):

  • scheduler-administrator - can perform all actions.
  • scheduler-bae-only-user - indicates that the user account is restricted to logging in via the SAP Inbound interface, only.
  • scheduler-isolation-administrator - can import and modify users.
  • scheduler-screen-reader - indicates that you are using a screen reader.
  • scheduler-user - has access to Redwood Server only, cannot see any objects (always required, even for administrators).
  • scheduler-viewer - read only access to all objects.
  • redwood-administrator - can perform all actions.
  • redwood-login - has access to Redwood Server only, cannot see any objects (always required, even for administrators).
  • redwood-support - read only access to all objects.

The user access roles are bound to features that require a specific license key:

  • scheduler-business-user - can access the business-user-centric user interface.
  • scheduler-it-user - can access the it-user-centric user interface.

Predefined roles (optional):

  • scheduler-event-operator - can raise and clear events, as well as all privileges assigned to scheduler-viewer.
  • scheduler-job-administrator - can create/edit/delete event definitions, Process Definitions, and Chain Definitions and modify both processes, and chains, as well as all privileges assigned to scheduler-event-operator.
  • redwood-operator - combination of the above two roles.

Note: The roles scheduler-business-user and scheduler-it-user are use by the Insight module.

Note: Special care needs to be taken when you revoke privileges from users that have scheduled processes and chains with recurrences. If you revoke a privilege that is required to re-submit the process or Chain, the resubmit of the process or Chain will fail.

Restricting BAE Users

You have the Business Automation Enabler Module and would like to prevent a user created specifically for the BAE interface from logging-on from other interfaces (for example the web interface).

You grant that user the following roles and this user will only be able to access Redwood Server via the BAE interface (SAP Inbound objects):

  • scheduler-user - has access to Redwood Server only, cannot see any objects.
  • scheduler-bae-only-user - indicates that the account is restricted to logging in via the SAP Inbound interface, only.

Procedure

Granting privileges to a custom role

  1. Navigate to "Security > Roles".
  2. Choose Edit from the context menu of an editable role. Editable roles have a description: Created automatically on first login.
  3. On the Assign Privileges tab, choose an Object definition and then Next.
  4. Choose the desired range of the privileges.
  5. Choose a Rank with the desired privileges. Admin privileges allow the user to perform the action and to grant the privilege to others as well. Granted privileges allow the user to perform the actions.

Revoking privileges from a custom role

  1. Navigate to "Security > Roles".
  2. Choose Edit from the context menu of an editable role. Editable roles have a description: Created automatically on first login.
  3. On the Assign Privileges tab, choose an Object definition and then Next.
  4. Choose the desired range of the privileges.
  5. Choose a Rank with the desired privileges. Admin privileges allow the user to perform the action and to grant the privilege to others as well. Granted privileges allow the user to perform the actions.

See Also