Process Invoke Permissions

Here is my setup.  Assume I have 100 processes.

I've created a role that grants SERVICE_INVOKE permissions.

I've assigned this role to the "All Principals" group.

This was an easy way of granting invoke permissions to all users on all processes.

Now, I want to add process 101.  But, I only want a limited set of users to be able to invoke it.  How do I accomplish this?

Because of the role I created earlier, all principals will get invoke permissions on process 101 by default.  It appears to me that in order to accomplish this I will have to

  1. Remove the SERVICE_INVOKE permission from my role.
  2. Add the "All Principals" principal with INVOKE_PERM permission on each of the 100 processes
  3. Add the limited set of users with INVOKE_PERM to process 101

I didn't see a way of denying "All Principals" invoke permissions on process 101.

1 Reply

Now you need to differentiate between the 1st set of users (who invoke the 100 processes) & the 2nd set (for the newly created process).

Try the following:

1. Create two user groups

     Group1 (All users except 2nd set of users), i.e. 1st set

     Group2 (2nd set of users)

2. Remove all principal from PROCESS_INVOKE role assignment

3. Assign PROCESS_INVOKE role to both groups for the 100 processes

4. For Group2, assign PROCESS_INVOKE role on the 101st process

Will that work out?

Nith
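
The thread's two setups can be compared with a small model of a grant-only permission check, where access is the union of all matching grants and nothing can be denied. This is an added example, not code from the thread or from the product; the user names, process names and the `(group, scope)` grant representation are assumptions made for illustration.

```python
# Added model of an additive (grant-only) permission check; not product code.
ALL = "*"  # assumed wildcard scope: the grant covers every process, present and future

def effective_invokers(process, grants, groups):
    """Return the set of users who can invoke `process`.

    grants: iterable of (group_name, scope); scope is a process name or ALL.
    groups: dict mapping group_name -> set of user names.
    There is no deny rule, so access is the union of every matching grant.
    """
    users = set()
    for group, scope in grants:
        if scope == ALL or scope == process:
            users |= groups.get(group, set())
    return users

def unintended_access(process, allowed, grants, groups):
    """Users who can invoke `process` but are not in the intended `allowed` set."""
    return effective_invokers(process, grants, groups) - set(allowed)

# Constructed sample data (hypothetical users and process names).
PROCESSES = [f"process{n}" for n in range(1, 102)]
GROUPS = {
    "All Principals": {"alice", "bob", "carol", "dave"},
    "Group1": {"alice", "bob"},    # 1st set of users
    "Group2": {"carol", "dave"},   # 2nd set: the limited users for process 101
}

# Setup from the question: one system-wide grant to All Principals.
BEFORE = [("All Principals", ALL)]

# Plan from the reply: per-process grants to both groups on processes 1-100,
# and a grant to Group2 only on process 101.
AFTER = [(g, p) for p in PROCESSES[:100] for g in ("Group1", "Group2")]
AFTER.append(("Group2", "process101"))

if __name__ == "__main__":
    for label, grants in (("before", BEFORE), ("after", AFTER)):
        leak = unintended_access("process101", GROUPS["Group2"], grants, GROUPS)
        print(label, "unintended invokers of process101:", sorted(leak))
```

Running the same audit over every process after each permission change shows whether a wide-scope grant has quietly picked up a newly added process.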