HP OO 10 OnBoarding Kit – Community Assitstance Team

Flow Permissions in OO10

HP Operations Orchestration
HP Operations Orchestration 10 brings a simplified HP Operations Orchestration (HP OO) is a
permissions model compared with previous versions. next generation IT Process Automation
solution that is designed from the ground
One of the main differences is that permissions are no up to increase automation adoption
whether in a traditional data center or
longer set in the flow authoring tool, HP OO Studio. hybrid cloud environment.
In order to have a clear separation between the tasks
of an author and an administrator, permissions are set OO 10 Community Onboarding Kit
This tutorial is part of the onboarding kit
in Central, which is the administration tool. created for the OO community in order to
make it even faster to learn OO 10.
It is for both new OO 10 users and for
This tutorial highlights how you, as an administrator, existing OO 9 users who want to know
what’s new.
can assign permissions to flows, so that users are only The kit contains four persona-based
able see the flows they are entitled to run. learning tracks for administrators, flow
authors, integrators, and end users. Each
track provides knowledge assets of the
following types:
 Videos
Overview  Tutorials
 Quick Guides
This tutorial starts with a new installation of OO 10 and we will  Presentations
assume that there are two different user groups (aka roles) and each  Direct links to relevant manuals
have flows that users of the other group should not be able to run.
There is also a common set of flows that both user groups should
use.

The goal of this tutorial is to show how an administrator can assign

permissions on the flows and folders to achieve the desired result.
The tutorial does not discuss how to set up an advanced Role Based
Access Control (RBAC) model and other governance-related topics.

In the tutorial, we find a simple organizational setup (the Boston IT

Division) with two user groups:
 OPENSYS
 ERP

For simplicity, we will assume that each group has a dedicated folder
for their flows and that there is a common folder for flows that
everyone can run.

In the next sections, we will quickly look at the setup, and then dive
into setting permissions in OO 10 and clearly note the differences
from OO 9x.
Setting Flow Permissions in OO10

Initial Setup
Content pack deployment: We assume that each role has a content pack with a few flows and folders. Furthermore, we
have a content pack with the flows everyone should be able to run. For simplicity, we assume that all flows are
dependent only on the base content pack from HP.

The relevant content packs in our example are:

 oo10-base-cp-1.0.142.jar
 OPENSYS-CP-1.0.0.jar
 ERP-CP-1.0.0.jar
 commonflows-CP-1.0.0.jar

(The use of separate content pack means that a separate project was created in Studio for each content pack).

After the four content packs are deployed, the following structure will be created (see the Central User Guide for details
on how to deploy content packs):

Then, we will go to the system workspace and create the two roles:

Please refer to the “HP OO Central Guide” for details on creating roles.

HP Operations Orchestration, January 2014

Setting Flow Permissions in OO10

Since we want the users only to be able to run specific flows, with no other capability, we have created the roles (user
groups) with no role permissions, as you can see in the following screenshot:

See the Central User Guide for a description of the different role permissions.

Adjusting Base Content

opensysUser is a member of the OPENSYS group, granted with the OPENSYS role. Before we set permissions, this is
what opensysUser can see when logging in to OO 9.X Central:

HP Operations Orchestration, January 2014

Setting Flow Permissions in OO10

In version 9.X, this user can access and run all flows by default. Thus, when using 9.X, we want to hide all base folders
and the two sub folders called “Subflows and Operations” by changing the folder properties using Studio.

However in 10.X, this user does not have any default permissions, and thus can see only a blank Run workspace
screen:

If the user clicks the Run button, he will see no flows he can run:

This is due to the following changes in HP OO 10 default permissions:

 In 10.X, the user in not automatically granted the EVERYBODY out-of-the-box role, while in 9.X each user is.
 In 10.X, the EVERYBODY role does not have any permission by default, while in 9.X, the EVERYBODY role has access
to all the flows.

Limiting Flow Permissions to a Role

The relevant flows involve two business units: the ERP Team and the Open System Department.

The following table details the roles and permissions we want to set:

Business Role Application Role Entitlements

Open Systems Eng OPENSYS View, Run Open Systems Flows and common flows
ERP SME ERP View, Run ERP Flows and common flows

HP Operations Orchestration, January 2014

Setting Flow Permissions in OO10

We will start by granting both roles permissions on the common flows.

In order to set the permissions, we will go to the Content workspace, and click the sub-folder for which we want to set
the permissions.

We will then choose the relevant role and click the Edit button.

If you are setting the permissions on a sub-folder and not a flow, ensure that the Apply To Children checkbox is
selected as shown below:

We will set the permissions on the ERP folder and the Open Systems folder in the same manner.

HP Operations Orchestration, January 2014

Setting Flow Permissions in OO10

Adding Additional Flows and Folders

As an Administrator, let’s deploy a new version of the OPENSYS content pack (OPENSYS-CP-1.0.1.jar).
This CP version includes an additional sub-folder for the exchange team, with a flow named Export Distribution Lists.

Since we selected the Apply To Children checkbox at the Open Systems folder level, the permissions were inherited
and we did not need to grant the OPENSYS role the permissions on the sub-folder.

This is OO 10’s equivalent to “Copy permissions to new content when created” in 9.X.

Now, let’s log in as a user with the OPENSYS role:

HP Operations Orchestration, January 2014

Setting Flow Permissions in OO10

As you can see, only the Run workspace is available, and the user can see the only the details of runs he is entitled to
view.

When we click the Run button, the user can see and run only the flows granted to him by the OPENSYS role:

Hiding a Subfolder
As you can see in the previous screenshot, the “Subflows and Operations” folder under Open Systems is visible. Let’s
tune it, so the user will only see the relevant main flows - we will go to the content workspace, edit the permissions for
the OPENSYS role as explained in the previous sections, but this time we will clear the view permission:

HP Operations Orchestration, January 2014

Setting Flow Permissions in OO10

As a result, our user will not see the sub folder anymore:

Upgrading and Permissions

If you need to import permissions from a 9.X system to a 10.X system as part of the upgrade procedure, you can use
the automatic import-permissions OOSH command. Details about upgrading permissions are available in the
“Synchronizing content permissions data” section of the Upgrade Guide.

If you have any questions or comments, please post them on the OO community forums:
https://hpln.hp.com/node/21/og/forum/37

HP Operations Orchestration, January 2014