Privileges
A privilege is an activity that a user is allowed to carry out (e.g., set a password, read users and roles, stop any job, etc.). A user can be assigned zero to all of the available privileges. It is recommended to assign privileges via roles rather than to assign privileges directly to the user. The assigning of privileges and roles to a user is done by a user that has been assigned this privilege. Initially, it is the root user that has this privilege.
Inheritance
You can assign privileges directly to a user (e.g., 
Alethia Alonso) or to a particular role (e.g., 
Marketing Manager). It is recommended to assign privileges to roles rather than to individual users because it simplifies the maintenance and management of privileges in the long term.
You can model the hierarchy of your organization by assigning roles to other roles in FlowForce Server. The diagram below illustrates a sample organization, for which three roles and one user have been defined. The Employees role contains a role called Marketing Department. This means that the privileges and permissions granted to the Employees role will automatically be inherited by the users belonging to the Marketing Department role.
The Marketing Department role contains the Marketing Manager role. In this case, the Marketing Manager role will inherit all the privileges from the Marketing Department and Employees roles. A user called Alethia Alonso is the marketing manager, and she has been assigned the Marketing Manager role. This implies that she will inherit all the privileges from the broader roles.
Assigning a privilege
To assign a privilege to a user, click a user of interest in the Users tab on the Administration page and select the privilege(s) you wish to assign. To assign a privilege to a role, select a role of interest in the Roles tab on the Administration page and select the privilege(s) you wish to assign.
Available privileges
The available privileges are summarized in the table below.
Privilege | Description |
|---|---|
Define execution queues | This privilege allows defining settings related to job execution queues.
|
Log in to Web UI | With this privilege enabled (default), users can log in to the Web UI. If the privilege is disabled, the following applies:
•Users can call only jobs that are exposed as web services. •Users cannot log in to the Web UI. •Users cannot trigger jobs from the Web UI, create or edit job configurations.
Use-case scenario: In some organizations, certain employees should be able to run existing services but should not be able to modify job configurations or create new ones. By removing their Log in to Web UI privilege, you ensure they can only consume services through service URLs.
|
Maintain global settings | This privilege allows changing the FlowForce Server global settings (the time zone and mail server settings) on the Settings page. This is an administrative privilege and should only be granted to FlowForce Server administrators.
|
Maintain users, roles and privileges | This privilege allows adding, editing, and deleting the following data: users, roles, privileges, and passwords. This is an administrative privilege and should only be granted to FlowForce Server administrators. By default, only the root user has this privilege.
|
Override security | Users with this privilege can change container permissions without having the write permission. This allows FlowForce Server administrators to regain access to resources accidentally rendered inaccessible. This is an administrative privilege and should only be assigned to FlowForce Server administrators. By default, only the root user has this privilege.
|
Read users and roles | By default, users can see only their own user accounts and any roles they are members of. When users are granted this privilege, they can see all existing users and roles. By default, only the root user has this privilege.
|
Retrieve sensitive data | This privilege allows retrieving and viewing passwords as plain text. By default, only the root user has this privilege.
|
Set own password | This privilege allows changing their password. Users who do not have this privilege need to have their password set by a FlowForce Server administrator. By default, the authenticated role has this privilege, which means that every user account, except for anonymous, also has this privilege.
|
Stop any job | This privilege allows stopping any running FlowForce Server job, regardless of the user who created it.
|
View unfiltered log | By default, users can see log entries related to configurations to which they have read access. Users with this privilege can read all log entries, including those not associated with a specific configuration. By default, only the root user has this privilege.
|
The tab Administration | Reports | Privileges Report provides a list of all privileges, with each privilege being listed together with all the users/roles that have that privilege.