Cisco Process Orchestrator 3.0 User Guide

4-17
Cisco Process Orchestrator User Guide
OL-30196-01
Chapter 4      Administration
  Configuring Security
Role-Based Access Control (RBAC)
In Process Orchestrator, authorization is performed using a Role-Based Access Control system. Roles 
are collections of permissions. Each permission pairs a set of operations with the set of objects over 
which those operations may be performed. A user assignment gives end users the ability to perform the role.
Typically, roles are defined according to a standardized job function within IT. Examples might include 
“Level 1 Helpdesk,” “Level 2 Helpdesk,” “Human Resources,” “Network Configuration,” “SAP Basis 
Expert,” and so on. Security groups already in the directory for the users in these job functions are then 
typically assigned to the roles.
Figure 4-7      Process Orchestrator Role-Based Access Control
Permissions define what operations can be performed over what objects. A permission defines the rights and 
associates them with a set of Process Orchestrator objects, much like file permissions (such as read 
or update). 
  • Operations are things such as Cancel, Change Owner, Create, Delete, Read, Start, Update, and Use. 
    Most other operations automatically allow Read. Change Owner automatically allows Update and 
    Read. 
  • Objects specify rules that match elements from the functional model, such as Processes, Targets, and 
    Runtime Users. Specifically, several types of object rules are supported:
      – Object List—Allows rights only to the specified objects in the list.
      – Object Type—Allows rights to all objects of that type (for example, all targets or all processes).
      – Owner Security—Allows rights to all objects of a specified type that are owned by a specific 
        principal (user or group in Active Directory).
A User Assignment is a link to a security principal. The user assignment is the object defined in 
Process Orchestrator, because it holds the rule for who is in the role. The principal itself lives in an 
external directory, so the user assignment is a reference into that directory.
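The model described in this section (roles as collections of permissions, each permission pairing operations with one of the three object-rule kinds, user assignments that refer to directory principals, and the implied-Read and Change Owner rules) can be checked end to end in a few dozen lines. The following is an added illustration, not Cisco Process Orchestrator code or its API; the role names, group names such as CORP\netops, and the processes and targets are constructed for the example.

```python
"""Added example, not product code: a small model of the RBAC semantics in
this section, used to evaluate "may principal P perform operation O on object X?"."""
from dataclasses import dataclass, field

# Implied rights from the guide: every operation other than Read itself
# automatically allows Read; Change Owner additionally allows Update.
IMPLIES = {
    "Read": {"Read"},
    "Change Owner": {"Change Owner", "Update", "Read"},
}


def expand_operations(ops):
    """Close a set of granted operations over the implied-right rules."""
    result = set()
    for op in ops:
        result |= IMPLIES.get(op, {op, "Read"})
    return result


@dataclass(frozen=True)
class Obj:
    name: str
    type: str    # functional-model type, e.g. "Process", "Target", "Runtime User"
    owner: str   # owning directory principal (constructed values below)


@dataclass(frozen=True)
class ObjectRule:
    kind: str                        # "list" (Object List), "type" (Object Type), "owner" (Owner Security)
    type: str = ""                   # object type for "type" and "owner" rules
    names: frozenset = frozenset()   # explicit object names for "list" rules
    owner: str = ""                  # owning principal for "owner" rules

    def matches(self, obj):
        if self.kind == "list":
            return obj.name in self.names
        if self.kind == "type":
            return obj.type == self.type
        if self.kind == "owner":
            return obj.type == self.type and obj.owner == self.owner
        raise ValueError(f"unknown rule kind {self.kind!r}")


@dataclass(frozen=True)
class Permission:
    operations: frozenset
    rule: ObjectRule


@dataclass
class Role:
    name: str
    permissions: list = field(default_factory=list)
    # User assignments: references to directory principals (users or groups).
    assignments: set = field(default_factory=set)


def effective_operations(roles, principals, obj):
    """All operations a user (identified by their own name plus group
    memberships) may perform on obj, after expanding implied rights."""
    granted = set()
    for role in roles:
        if not (role.assignments & principals):
            continue  # no user assignment links this user to the role
        for perm in role.permissions:
            if perm.rule.matches(obj):
                granted |= expand_operations(perm.operations)
    return granted


def is_authorized(roles, principals, operation, obj):
    return operation in effective_operations(roles, principals, obj)


# Constructed sample data (not from the guide).
PROC_RESET = Obj("Reset User Password", "Process", owner="CORP\\ops-admins")
PROC_PATCH = Obj("Patch Core Router", "Process", owner="CORP\\netops")
TARGET_SW = Obj("switch-01", "Target", owner="CORP\\netops")

ROLES = [
    # Object List rule: Level 1 helpdesk may only start one named process.
    Role("Level 1 Helpdesk",
         permissions=[Permission(frozenset({"Start"}),
                                 ObjectRule("list", names=frozenset({"Reset User Password"})))],
         assignments={"CORP\\helpdesk-l1"}),
    # Object Type rule on all targets, plus an Owner Security rule on
    # processes owned by the netops group.
    Role("Network Configuration",
         permissions=[Permission(frozenset({"Update"}), ObjectRule("type", type="Target")),
                      Permission(frozenset({"Change Owner"}),
                                 ObjectRule("owner", type="Process", owner="CORP\\netops"))],
         assignments={"CORP\\netops"}),
]

# The principal set a directory lookup would return: the user plus their groups.
ALICE = {"CORP\\alice", "CORP\\helpdesk-l1"}
BOB = {"CORP\\bob", "CORP\\netops"}

if __name__ == "__main__":
    for who, name in ((ALICE, "alice"), (BOB, "bob")):
        for obj in (PROC_RESET, PROC_PATCH, TARGET_SW):
            print(name, obj.name, sorted(effective_operations(ROLES, who, obj)))
```

Note that group membership is resolved outside the model, exactly as the guide describes: the role only stores the assignment reference, and the directory decides which users that reference currently matches.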