spiff-arena/docs/DevOps_installation_integra.../permission_url.md

# Permission URL

The permission URL, or target URI, refers to the specific endpoint or resource that is being granted permission to perform certain actions.

- **PG:** [process_group_identifier]: Applies to the specified process group, including all sub process groups and process models.
- **PM:** [process_model_identifier]: Applies to the specified process model.
- **BASIC:** Allows basic access to complete tasks and use the site.
- **SUPPORT:** BASIC permissions and add significant administrative permissions.
- **ELEVATED:** Includes SUPPORT permissions and adds the ability to view and modify secrets. Does not include the ability to view or modify process groups and process models.
- **ALL:** Grants access to all API endpoints, with no limitations.

```{admonition} Note
An asterisk (*) can be used as a wildcard to give access to everything within a specific category. For example, `/process-models/*`, allows access to all resources related to process models. 
```

This functionality is implemented in [authorization service.py](https://github.com/sartography/spiff-arena/blob/main/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py).

(pg)=
## PG

Process Groups permissions controls access rights granted to users or entities within the given process group.

(pm)=
## PM

These permissions relate to process models, and assigns permissions and access rights to users or entities specifically within a given process model.

## BASIC

These permissions cover basic actions such as signing in to the site and completing tasks that are assigned to you.

## SUPPORT

These permissions are significant, allowing support personnel to debug process instances and take corrective action when errors occur.
In typical scenarios, a user with SUPPORT permissions would also be assigned access to view or modify process groups and models.
See [PG](#pg) and [PM](#pm).

## ELEVATED

A user with elevated permissions can do anything on the site except interact with process models.
In typical scenarios, a user with ELEVATED permissions would also be assigned access to view or modify process groups and models.

## ALL

The "ALL" permission grants unrestricted access to all API endpoints.
It provides administrator-level permissions, allowing the user to perform any action or operation available within the system.

### ALL URLs

% use bash syntax here to avoid syntax highlighting. otherwise it gets highlighted as if it's python
```bash
  /active-users/unregister/{last_visited_identifier}:
  /active-users/updates/{last_visited_identifier}:
  /authentication_callback/{service}/{auth_method}:
  /authentications:
  /connector-proxy/typeahead/{category}:
  /debug/test-raise-error:
  /debug/version-info:
  /event-error-details/{modified_process_model_identifier}/{process_instance_id}/{process_instance_event_id}:
  /github-webhook-receive:
  /login:
  /login_api:
  /login_api_return:
  /login_return:
  /login_with_access_token:
  /logout:
  /logout_return:
  /logs/typeahead-filter-values/{modified_process_model_identifier}/{process_instance_id}:
  /logs/{modified_process_model_identifier}/{process_instance_id}:
  /messages/{message_name}:
  /messages:
  /permissions-check:
  /process-data-file-download/{modified_process_model_identifier}/{process_instance_id}/{process_data_identifier}:
  /process-data/{modified_process_model_identifier}/{process_instance_id}/{process_data_identifier}:
  /process-groups/{modified_process_group_identifier}/move:
  /process-groups/{modified_process_group_id}:
  /process-groups:
  /process-instance-reset/{modified_process_model_identifier}/{process_instance_id}/{to_task_guid}:
  /process-instance-resume/{modified_process_model_identifier}/{process_instance_id}:
  /process-instance-suspend/{modified_process_model_identifier}/{process_instance_id}:
  /process-instance-terminate/{modified_process_model_identifier}/{process_instance_id}:
  /process-instances/find-by-id/{process_instance_id}:
  /process-instances/for-me/{modified_process_model_identifier}/{process_instance_id}/task-info:
  /process-instances/for-me/{modified_process_model_identifier}/{process_instance_id}:
  /process-instances/for-me:
  /process-instances/report-metadata:
  /process-instances/reports/columns:
  /process-instances/reports/{report_id}:
  /process-instances/reports:
  /process-instances/{modified_process_model_identifier}/{process_instance_id}/run:
  /process-instances/{modified_process_model_identifier}/{process_instance_id}/task-info:
  /process-instances/{modified_process_model_identifier}/{process_instance_id}:
  /process-instances/{modified_process_model_identifier}:
  /process-instances:
  /process-model-natural-language/{modified_process_group_id}:
  /process-model-publish/{modified_process_model_identifier}:
  /process-model-tests/{modified_process_model_identifier}:
  /process-models/{modified_process_group_id}:
  /process-models/{modified_process_model_identifier}/files/{file_name}:
  /process-models/{modified_process_model_identifier}/files:
  /process-models/{modified_process_model_identifier}/move:
  /process-models/{modified_process_model_identifier}/script-unit-tests/run:
  /process-models/{modified_process_model_identifier}/script-unit-tests:
  /process-models/{modified_process_model_identifier}:
  /process-models:
  /processes/callers/{bpmn_process_identifiers}:
  /processes:
  /secrets/{key}:
  /secrets:
  /send-event/{modified_process_model_identifier}/{process_instance_id}:
  /service-tasks:
  /status:
  /task-complete/{modified_process_model_identifier}/{process_instance_id}/{task_guid}:
  /task-data/{modified_process_model_identifier}/{process_instance_id}/{task_guid}:
  /tasks/for-me:
  /tasks/for-my-groups:
  /tasks/for-my-open-processes:
  /tasks/{process_instance_id}/send-user-signal-event:
  /tasks/{process_instance_id}/{task_guid}/save-draft:
  /tasks/{process_instance_id}/{task_guid}:
  /tasks/{process_instance_id}:
  /tasks:
  /user-groups/for-current-user:
  /users/exists/by-username:
  /users/search:
```
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00			`# Permission URL`

			`The permission URL, or target URI, refers to the specific endpoint or resource that is being granted permission to perform certain actions.`

			`- PG: [process_group_identifier]: Applies to the specified process group, including all sub process groups and process models.`
			`- PM: [process_model_identifier]: Applies to the specified process model.`
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`- BASIC: Allows basic access to complete tasks and use the site.`
			`- SUPPORT: BASIC permissions and add significant administrative permissions.`
			`- ELEVATED: Includes SUPPORT permissions and adds the ability to view and modify secrets. Does not include the ability to view or modify process groups and process models.`
			`- ALL: Grants access to all API endpoints, with no limitations.`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
			```{admonition} Note
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			An asterisk () can be used as a wildcard to give access to everything within a specific category. For example, `/process-models/`, allows access to all resources related to process models.
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00			```

Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`This functionality is implemented in [authorization service.py](https://github.com/sartography/spiff-arena/blob/main/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py).`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`(pg)=`
			`## PG`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`Process Groups permissions controls access rights granted to users or entities within the given process group.`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`(pm)=`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00			`## PM`

Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`These permissions relate to process models, and assigns permissions and access rights to users or entities specifically within a given process model.`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`## BASIC`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`These permissions cover basic actions such as signing in to the site and completing tasks that are assigned to you.`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`## SUPPORT`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`These permissions are significant, allowing support personnel to debug process instances and take corrective action when errors occur.`
			`In typical scenarios, a user with SUPPORT permissions would also be assigned access to view or modify process groups and models.`
			`See [PG](#pg) and [PM](#pm).`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`## ELEVATED`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`A user with elevated permissions can do anything on the site except interact with process models.`
			`In typical scenarios, a user with ELEVATED permissions would also be assigned access to view or modify process groups and models.`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
			`## ALL`

Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`The "ALL" permission grants unrestricted access to all API endpoints.`
			`It provides administrator-level permissions, allowing the user to perform any action or operation available within the system.`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00
			`### ALL URLs`

Feature/add support permissions (#445) * added support perm macro which removes secrets perms w/ burnettk * support perm macro inherits from basic now and updated docs on permissions to be more accurate w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com> 2023-08-22 03:23:26 +00:00			`% use bash syntax here to avoid syntax highlighting. otherwise it gets highlighted as if it's python`
			```bash
			`/active-users/unregister/{last_visited_identifier}:`
in_depth_topics (#376) * in_depth_topics * Mostly fixing capitalized names and some foward vs back-slashes in file paths. --------- Co-authored-by: danfunk <daniel.h.funk@gmail.com> 2023-07-07 20:00:57 +00:00			`/active-users/updates/{last_visited_identifier}:`
			`/authentication_callback/{service}/{auth_method}:`
			`/authentications:`
			`/connector-proxy/typeahead/{category}:`
			`/debug/test-raise-error:`
			`/debug/version-info:`
			`/event-error-details/{modified_process_model_identifier}/{process_instance_id}/{process_instance_event_id}:`
			`/github-webhook-receive:`
			`/login:`
			`/login_api:`
			`/login_api_return:`
			`/login_return:`
			`/login_with_access_token:`
			`/logout:`
			`/logout_return:`
			`/logs/typeahead-filter-values/{modified_process_model_identifier}/{process_instance_id}:`
			`/logs/{modified_process_model_identifier}/{process_instance_id}:`
			`/messages/{message_name}:`
			`/messages:`
			`/permissions-check:`
			`/process-data-file-download/{modified_process_model_identifier}/{process_instance_id}/{process_data_identifier}:`
			`/process-data/{modified_process_model_identifier}/{process_instance_id}/{process_data_identifier}:`
			`/process-groups/{modified_process_group_identifier}/move:`
			`/process-groups/{modified_process_group_id}:`
			`/process-groups:`
			`/process-instance-reset/{modified_process_model_identifier}/{process_instance_id}/{to_task_guid}:`
			`/process-instance-resume/{modified_process_model_identifier}/{process_instance_id}:`
			`/process-instance-suspend/{modified_process_model_identifier}/{process_instance_id}:`
			`/process-instance-terminate/{modified_process_model_identifier}/{process_instance_id}:`
			`/process-instances/find-by-id/{process_instance_id}:`
			`/process-instances/for-me/{modified_process_model_identifier}/{process_instance_id}/task-info:`
			`/process-instances/for-me/{modified_process_model_identifier}/{process_instance_id}:`
			`/process-instances/for-me:`
			`/process-instances/report-metadata:`
			`/process-instances/reports/columns:`
			`/process-instances/reports/{report_id}:`
			`/process-instances/reports:`
			`/process-instances/{modified_process_model_identifier}/{process_instance_id}/run:`
			`/process-instances/{modified_process_model_identifier}/{process_instance_id}/task-info:`
			`/process-instances/{modified_process_model_identifier}/{process_instance_id}:`
			`/process-instances/{modified_process_model_identifier}:`
			`/process-instances:`
			`/process-model-natural-language/{modified_process_group_id}:`
			`/process-model-publish/{modified_process_model_identifier}:`
			`/process-model-tests/{modified_process_model_identifier}:`
			`/process-models/{modified_process_group_id}:`
			`/process-models/{modified_process_model_identifier}/files/{file_name}:`
			`/process-models/{modified_process_model_identifier}/files:`
			`/process-models/{modified_process_model_identifier}/move:`
			`/process-models/{modified_process_model_identifier}/script-unit-tests/run:`
			`/process-models/{modified_process_model_identifier}/script-unit-tests:`
			`/process-models/{modified_process_model_identifier}:`
			`/process-models:`
			`/processes/callers/{bpmn_process_identifiers}:`
			`/processes:`
			`/secrets/{key}:`
			`/secrets:`
			`/send-event/{modified_process_model_identifier}/{process_instance_id}:`
			`/service-tasks:`
			`/status:`
			`/task-complete/{modified_process_model_identifier}/{process_instance_id}/{task_guid}:`
			`/task-data/{modified_process_model_identifier}/{process_instance_id}/{task_guid}:`
			`/tasks/for-me:`
			`/tasks/for-my-groups:`
			`/tasks/for-my-open-processes:`
			`/tasks/{process_instance_id}/send-user-signal-event:`
			`/tasks/{process_instance_id}/{task_guid}/save-draft:`
			`/tasks/{process_instance_id}/{task_guid}:`
			`/tasks/{process_instance_id}:`
			`/tasks:`
			`/user-groups/for-current-user:`
			`/users/exists/by-username:`
			`/users/search:`
			```