Process humam activity assign to a group

Process humam activity assign to a group

  
Hello all,

What do you think it is the best way to assign a Group ( ex. an AD group ) to an human activity ? Where it's "Responsable" you can assign the ID of the User only as far as i know...

I have a few ideas but i'm not sure if they will work... ( will have to do it really soon, and really fast though)

Hi Miguel,

You will need to map the AD group to a privilege.

Create a permission area in your eSpace that represents the group of responsibles (eg: IssueSolver). In the Human Activity set the permissions to use only that permission area. Only the users with that privilege can perform that activity. More, if you don't specify a user id than the Platform will make available the activity to all the users holding that permission area. To make this puzzle complete you'll need to assign the permission area to the users of that AD group in Enterprise Manager for instance.

Cheers,
André
Hi Miguel,

Can you map your AD groups to Enterprise Manager groups?
If so, then you should use the public action in Enterprise Manager, BPMActivity_SetGroup(ActivityId, GroupId).
You should call it on the Activity's OnReady callback and/or the process general OnActivityReady  callback (if you want to apply to all activities in that process).
The built in taskbox will respond to this, and if the user has the required provileges in that group (via roles) than the activity will show up in his inbox.

If you cannot use the Enterprise Manager groups, you'll have to build a new entity relating activities to a "group" (whatever that is) but then you'll need to create a custom inbox that applies the filtering you need.

Let us know if you have any questions.
Kind regards,

Gonçalo Borrêga
Hi all, thanks for the answers,

Andre,

"You will need to map the AD group to a privilege. (...)  To make this puzzle complete you'll need to assign the permission area to the users of that AD group in Enterprise Manager for instance."

--  This was my first thought since i'm already using this option but for users only, however assuming you're creating an Object and you assign the Users of a AD Group to that object but they ain't enterprise users... that means i'd have to map all users to enterprise ? Futhermore can't find the dammed :P function to assing an user to a privilige from the oml, only through enterprise manager :)

The best way i can see:  An user is creating an object, chooses the ad group, and on submit i'd create the users in enterprise and give them the privilige whatever.

A friend of mine told me it is a bad policy to give priviligies through OML, don't know why yet :P


Gonçalo,

I'm very very raw with enterprise so i'll have to check what are those enterprise manager groups but i get the big picture. The second option seems more tricky and i'm not sure i understood it, i'd create an entity "group" and relate it to activities ( sounds like a privilige ), am i right ?


Thanks both :)

Hi,

That's right. You'd need to create an entity with attibutes ActivityId, and another attribute that identifies your AD Group (from your answer it seemed to be what you call "Object). An entry in this table would mean that anyone that has permissions for the "Object" has permissions for the activity.
Creating a custom inbox for this is indeed a tricky thing, mainly related to ensuring group assigned activities, and specific user assigned activities merge in a single list. That's why using Enterprise/EnterpriseManager facilities will help you a lot since it is already supported by the platform's taskbox.

Are you using Enterprise/EnterpriseManager for user authentication? If not we must reconsider the options.

Taking the chance....Can you check why giving privileges through OML would be a bad thing?

Thanks.

"Are you using Enterprise/EnterpriseManager for user authentication? If not we must reconsider the options. Taking the chance....Can you check why giving privileges through OML would be a bad thing?"

I am at the moment but won't be in the future, change of plans it seems. I'll consult the AD for the logins and Groups and then will have to import them to enterprise, however i'm trying to take advantage of enterprise manager neverless...

As far as i know it is because you would manage users in more than one place... but not sure though.
"You should call it on the Activity's OnReady callback and/or the process general OnActivityReady  callback (if you want to apply to all activities in that process).
The built in taskbox will respond to this, and if the user has the required provileges in that group (via roles) than the activity will show up in his inbox."

Hi Gonçalo,

Can you explain how to create this groups?
Hi Hugo,

The Groups are created in EnterpriseManager backoffice. You can create a user, a group, a privilege (that maps to the platform's PermissionArea) and a role (collection of privileges). You can then assign a role to a user in a group. This means that the user will have the Privileges given by that Role in that Group.

Since it is not static, the logic to determine which groupId to set in your application must be yours. Maybe storing a site property or a Global Setting would be a good way. Or having it as an attribute of something that controls the launch of your process or the entity the process runs on...

I explorer the enterprisemanager and the place i saw that create entries in Group was Hierarchy, so i create there the Group and in users i change the Company and Organizational Node to the new Group but the process is not connect to the users in that Group. The way to create the groups you talk its like i did?

I notice that when i got the activity connect to the group the users dont see the inbox of process, if i take it off all users can see the inbox so he is checking that entity the problema is the connection to the users.

Ok i see that i was creating the group in the wrong place, think i have fix me problem.

Thx

Got another problem, when i send activity for a group of people, the first person to consult that activity it will be only available to that person and the rest of group cant see it anymore, even if that person only check information and dont accept or reject. Is there any way to prevent this?
Hi Gonçalo,

Found a problem using that way, i got a group name DSI some people are managers anothers user. All the activitys create for managers it will appear to the users too since they are the same group only diferent permissions. I try to use the permissions on human activity but if i dont choose to all register users noone will see the activitys, i think you cant use the group option with the permissions of human activity. If you now how to combine the two option pls tell me because i am out of ideas.

Btw, i am not using Roles because i got an action to create all users and groups and i connect the users to groups in the same action, then the admin gives Permissions to each person and not Roles.
Hi Miguel,

The default behaviour of the taskbox will make the filter apply as soon as a user picks one activity (the activitiy becomes assigned to the user implicitly when he opens it). If he wants to "give it back" to the group, he must "Release" that activity (there's a specific button for that in the taskbox as fas as I can remember). If you don't wan't it  to behave like this, you must build your own custom Taskbox (list of activities) where you can apply any filter you want.

Regarding your second question, if you apply direct privileges to persons then you don't have the concept of a "Permission in a group" which you require to filter the activities. The only way to do that is actually by using Roles. Once you add a Role to a User in a Team, the user will have the Permissions of that role in that specific team, and the taskbox will be able to filter the activities by Permission+Group.

Hope this helps,
Gonçalo
Is there anyway to get an activityid? I want to put a button to get to a process instead using the EPA. So i need to get that activityid from that expense, one way to do this is after activity start i save the activityid in my expense table but if there is another way to get pls tell me.

Thx
Hi Miguel,

If you have a process around an "expense" than the ExpenseId is probably an input to your process. You have a property in your Process called "Expose Process Entity" that if set to true will expose you a new entity called Process_ProcessName. This entity shows all input parameters of the process as attributes, and you can query on it just like any other entity. Take into consideration that this entity will only return active processes.

This will allow you to fetch the process for an expense. However, if you want a specific activity you can also use a "behaviour" approach. The idea is to have an entity ACTIVITY_BEHAVIOUR with ActivityId and BehaviourId (where BehaviourId is a FK to a static entity "BEHAVIOUR") and then OnActivityReady of any specific activity you add "behaviours" to that specific activity. 

In your example, I would create a record in the static entity BEHAVIOUR called IsExpenseApproval, and on the OnReady of the activity add an entry to entity ACTIVITY_BEHAVIOUR with the current activityId and BehaviourId Entities.BEHAVIOUR.IsExpenseApproval.
With this and with the process exposed as an entity you can easily query on the Process_Expense JOIN ACTIVITY_BEHAVIOUR where the ExpenseId = your expense and find the activity that is supposed to do what you want in the process instance that handles that specific expense.

Hope this helps.
Cheers.
You can also check the example in http://www.outsystems.com/NetworkForums/ViewTopic.aspx?Topic=BPT-Custom-Taskbox that uses Enterprise Manager for activity assignment as well as a custom inbox that allows you to extend the builtin taskbox as you want to.
Hi,

I want to change version 5.1 to 6 but i got some doubts. 

I use the groups from the enterprise to assign process to a group and since this is use by Enterprise Actions and tables i want to ask if in outsystems 6  you can do the same thing wihtout enterprise?
Another question not about process but new User Espace from outsystems 6, in enterprise i can create user and put him in a group from a company since there are two DSI groups from different company, can i do this without enterprise in 6?
In fact the Groups in 6.0 are a very very light version of the EM Groups:
- They are not hierarchical
- They are not "typed" (functional, etc)
- In the Users Backoffice only Roles can be given to the group (which means all users in that group have that set of Roles - ex-permissions)
 
But the Group system entity has an extra attribute "Has_Custom_Management" which targets it's extensible usage by applications.
The idea is that you build your own structure of groups, companies, whatever makes sense to the business (Stores, Departments, Companies) and bind them (add a foreign key) to a Group that has the Custom Management flag set to true. These groups will not appear in the back office to be managed.
 
In the cases where you want to, for instance, assign a BPT activity to the Managers of the Finance department, you should, under the covers of the application (probably in the screen where you manage the departments) create a Finance_Managers group, add it the required Roles, add it the required users, set CustomManagement to true and assign the activity to that group.
 
So, in a way, there is not a direct mapping to the Group entity, but to use it as the System entity that binds your application to the security functionalities of the platform.

The Enterprise Manager 6.0 package has some more info regarding the usage of the new Security System entities.
Hope this helps
The way I have now it’s:
 
Create company and groups of that company
Associate users to the company and its group
 
To use process:
 
Create a role for each user with the permission he have (I do always this when the user log to the application)
I fill the role, user and group in the entity User_Master_Role
 
So for each user I got a role, this way is more easy to the company only change the permissions of the users and the application create automatic the roles for the process.
 

For Outsystems 6.0:
So now I create entity Company, MyGroups and a key from MyGroups to the Outsystems Groups.
I don’t need to create a role with the permissions since there are no permissions only roles. But the roles can be connected to the User instead of Group and the process works normal? Since I have in the same group persons with permission (role) Manager or User.


But the biggest problem is to change all the information from User_Master and Enterprise Groups to the new system, I am only trying to think of a way to change this because if Outsystems 7 gets out maybe there is no way to connect Outsystems 7 with the Enterprise. 
If I understood correctly you're very close. The only missing thing is related to the groups you create
As I see it you should create:
- Role (Manager & User) in ServiceStudio
- Company
- Create "Department" (a business entity) "Human Resources" -> which creates a system Group "Human Resources" (Id 1) (this last step is not really required in this case)
- Assign users to Department (which might, under the covers, assign a User to the Department' Group)
---- Until now this is Organizational structure only, no security for activities
- In your app, add a screen to manage Department Managers and Users
- Create a hidden Group "Human Resource Managers" (Id 2) and a "Human Resources Users" hidden Group (Id 3)
- When you add a User to the Human Resources department (in your business app), under the cover add the User to Group "Human Resources Users"
- When you add a Manager to the Human Resources department (in your business app), under the cover
    - Add the Role Manager to the User (this means he his a Manager, not specifically in the Human Resources Department). This is used to control whether this user is able to see screens that are set to only allow Managers
    - add the User to Group "Human Resources Managers". 
- If you want to assign an activity to the Managers of the Human Resource department
    - set the Activity Role to Manager
    - use the system function "ActivitySetGroup" using GroupId 2 (Human Resources Managers)

This way only those users in that Group will see the activity.
if you miss the last step, all users with Role Manager (directly given or inherited from any group) would be able to see the activity...
Hi

Since I believe this might be useful, I created a simple eSpace that shows, in version 6.0+, how to:
-> Assign a Human Activity to a group;
-> Have a user pick the Human Activity (in the example, implicitly by clicking on it in the taskbox).

I added some comments as reminders for easier understanding.

Cheers,