How do I model a process which can start by either Role1 OR Role2 performing the first task? I would not like to use "Role1 or Role2" in the lane description
The BPMN specification does explicitly not specify the exact purpose of lanes (p. 304/335 in PDF).
Consequently, the approach Role1 or Role2 is actually compliant with the specification. The approach is also not far away from good practice. Adding multiple roles and even individual users as candidates to a task is often possible when configuring processes in BPX (Business Process eXecution) systems.
Typically, you would create a new role that encapsulates both Role1 and Role2 - let's call it Role1;2. This makes sense from an information systems perspective. For example, if you execute the process with IT support, you need to grant Role1 and Role2 access to the system/component that allows executing your first task. When configuring the access rights, the administrator will create a new user group - Role1;2 that contains the the user groups Role1 and Role2.
Note that a process role doesn't necessarily map to a job title. For example, a person who is employed as a Software engineer might share the process role Specification writer with a System analyst.
Related
How do we model a task where it is to be performed by all members of a specific role in BPMN? Especially when the number of members of this role is indeterminate at design time, and may increase or decrease at runtime from time to time.
Scenario: There is one task called "Review draft of new standards document" and it is assigned to the role called "Experts". Whenever this task is executed for a new document, we want all (not just any one of them) the members of the Experts role to review it individually and provide their comments and recommendations.
Now, at design time, I cannot be sure how many experts there are at any point in time in the future. New experts may join later; some may leave at a certain point in time. But however many there are at the time the new document needs to be reviewed, we want all of them to review it. Therefore, I cannot model it with a separate "Review" task for each expert ahead of time.
If I model just one task and assign it to the Role "Experts", how do I specify in BPMN that all the possible members of that Role (at that specific time) are to execute that one [sic] task, and not just any one of them will do?
I hope that my scenario is made clear here.
Also, I am interested in the implications in how an execution context might treat such a model (even if it can be modeled correctly in BPMN). If there happened to be 3 experts in the role of "Experts" at the specific time when document X is set to be reviewed, must all 3 of the experts complete their tasks before any subsequent task (for example, "Compile Comments and Modify Standards Document") can start? What if the editor wants to have the flexibility to start their work once the first review comments have been submitted without waiting for the rest to complete their review? What if the editor wants to ignore the review of the last expert if they are taking too long to do their review?
I am modeling some processes to be used by non-IT people (i.e. they need to be as clear as possible but I also don't wanna break any BPMN rules).
I attached a mockup of what I'm trying to show => a person performs some steps in the system but it's also important for the people reading the model to understand what system does after each of the user steps (e.g. that system automatically calculates a risk score). What's the best practice to model this in BPMN? I assume in any case (read: if this is a good approach in general) it is a pool, not a lane - but in this case the system pool would also need a start and finish, right?
The system is part of your organization so model it as a separate lane in the same pool as the rest of your process.
To indicate if the step is automated or done by a user use action types - script for steps done automatically by the system and user for those performed by a user.
Actions within the same pool are connected with solid lines to indicate business flow.
If we use MDA/CIM system not modeled as a part of proces (lane). Software is the tool not role....
(PS two pools, one for company second for system is bad, BPMN use one poll for one proces...).
We use mapping "activity to use case" for showing where is the system using.
As per my understanding it is user who has access to publish the specific page/resource.
Documentation goes like this:
Depending on the environment, the agent will use this user account to:
collect and package the content from the author environment
create and write the content on the publish environment
Leave this field empty to use the system user account (the account defined in sling as the administrator user; by default this is admin).
means this replication agent comes into action only when replicating the content from packagemenager(by clicking replicate for specific package) ? or activating the page/resource from siteadmin?
The Agent User ID property is used to manage what part of content tree will be replicated using given replication queue. This has nothing to do with actual package creation - it applies to all replication process.
Multitenant use case
For the complicated infrastructure it may happen that the multi-tenant architecture involves some sharding approach. Imagine a geo-spread architecture with no CDN involved where the brand site should be quickly accessible from the given localisation. Due to technical limitations, pushing whole content (all sites) around the world might not be acceptable.
Dedicated DAM environment use case
When DAM storage is shared across multiple AEM implementations it is often desired to dettach that from the regular authoring by creating a separated DAM-only instance. On such platform the replication agents should be configured to have the read access to /content/dam only in order not to mess up with other content trees.
Solution
In this case, the user agent ID can be configured to use a dedicated user permission scheme. All the changes the preconfigured user sees will be replicated to the corresponding endpoint. There are technical alternatives like implementing a transport handler (see https://github.com/Cognifide/CQ-Transport-Handler/blob/master/README.md)
Let's say I have the following simplified process:
How should I reflect there that the data could be added not only by manual input, but can be received from another system (without user verification)?
And is there more correct way to display the same actions done by different users (see Verification step done by Manager 1 or Manager 2; in reality there are much more steps than just Verification, and all of them are the same in Manager 1 and Manager 2 columns).
Obviously there are many open questions regarding your specific requirements, so I can just give you an example:
I am using two lanes, one for the manager, one for the user. I assume that the concrete person (or subrole) necessary to carry out the steps for the "manager" needs to be determined within the process. From a process perspective it's just one role carried out by people with different skill sets or authorizations. I show that "Assign" task here as an automatic step, but it could also be a manual step. A BPMN process can have several start "events", I am using here two of them to show the different ways in which the process can start. I am using a collapsed pool "External System" and a message flow to indicate where the automatic message is coming from.
(Please note that BPMN processes are typically modeled from left to right, but may also be modeled from top to bottom. Also note, that for more complex processes and a more finegrained level of detail, it is often preferable to show every process participant in a separate pool with a separate process and exchange of messages in between them. Modeling one process pool with several lanes quite soon reaches practical limits!)
I am currently designing a role based authentication system for resources where many users have different access rights to it.
A role may be a single user, or a group of roles (so a role is a tree of roles). (see graphic below)
A resource can have multiple authentication properties (like read, write, delete), where each of this is a list of roles allowed to do access the operation. (see graphic below)
The problem is if I want to check if a user has the right to access a property, i have to traverse n trees in worst case (where n is the number of roles assigned to an property).
So for example to check if 'Max' may read the property I might have to check the Marketing, Management and Administration trees if they contain 'Max'.
Do you know of any algorithm or alternative approach which removes the quite expensive tree searches while maintaining the role system or something equally powerful.
The perfect case would be some lookup like O(log(n)) for n roles.
Thanks,
Fionn
Have you measured this and determined that this traversal is a performance bottleneck?
I've never seen a system with so many roles / levels that the cost of traversing this kind of structure would become an issue. And if the tree really is that large, I'd be more concerned that administrators would have difficulty in understanding who is authorized to do what.
Regarding scalability, I would typically use the ASP.NET cache to cache the complete tree that maps between resources and roles, with a suitable cache timeout. And separately cache the mapping from Users to Roles (e.g. in Session or with a user-specific key in the ASP.NET cache).
Accessing the information from the cache will typically be blindingly fast compared with going to the database each time.
If you put your roles in a SQL database, lookups will perform substantially as you describe. I can help you with the database structure, if you're interested.
You need to reverse your pointers.
"Harry" is a member of "Site2 Admins" which has "Administrators" access to "Site2", so he can thus "Delete," "Write" and "Read that content.
Why "Administration" should be a common thing between "Harry" and "Joe" I'm not clear. Harry is an administrator on one site, but just a user on another, and Joe vice versa.