Managing User Licenses, Groups and Access Rights

Objective

After completing this lesson, you will be able to explain the process of managing user licenses, groups, and access rights in a system.

Managing User Licenses and Groups

Your guide to user licenses and groups.

Before We Start, Let's Review Some Facts about Licenses

Every user in the system requires a license to access the respective SAP Signavio Process Transformation Suite solution. In the following examples, we look at licenses for SAP Signavio Process Manager and the SAP Signavio Process Collaboration Hub.

Since a license is always bound to a certain user, let's check what happens when users are invited to or removed from workspaces.

Product Licenses

  • An administrator must assign at least one license to every user in a workspace. When you invite users via the user management, you select the license you want to assign.
  • Users with a license for another workspace cannot access your workspace unless you also assign them a license for your workspace.
  • Users and their licenses can also be removed. When a user is removed from your workspace, their license is freed up and can be reassigned to someone else.

Two Types of Users

The two different approaches in the User Management.

Infographic showing the two user types and their access rights, as described below.

SAP Signavio Process Manager

By default, every modeling user has access to the complete content in the Shared documents folder. To restrict access rights of users, you can assign them to a user group with limited access permissions when you invite them to your Process Manager workspace. 

To restrict access rights based on organizational roles, we recommend setting up a folder structure that reflects the different access right variations. See examples for possible folder structures later in this lesson. Then, create user groups with access rights that are tailored to your organizational requirements. 

SAP Signavio Process Collaboration Hub

These users only have access to diagrams that have been explicitly published to the Collaboration Hub. The way you can manage access rights for the Collaboration Hub users depends on your usage scenario:

If the users authenticate via an Active Directory- or SAML-based mechanism, you can manage access rights of the Collaboration Hub users based on their Active Directory user groups or names, or on their SAML identities.

If you roll out an authentication certificate to your Collaboration Hub users, all users have access to all published diagrams.

The two ways of User Management

There are two different ways to manage users and groups:

  • Using user management accessible via SAP Signavio Process Collaboration Hub
  • Using SAP Signavio Process Manager via Setup

Note

In the long term, the central user management will include all the functionality needed to replace the user management in SAP Signavio Process Manager. During the transition, both components exist in parallel, and both are covered below.

Option 1: Using User Management in SAP Signavio Process Collaboration Hub (Central User Management)

We recommend using this option to:

  • Invite workspace users.
  • Get a quick overview of all users.
  • Get an e-mail list of all users with one click.
  • Remove users from all SAP Signavio Applications.
  • Create or delete a user group.

Option 2: User Management in SAP Signavio Process Manager

We recommend using this to:

  • Manage users and groups.
  • Define authorizations on users or user groups to specific folders (H,R,W,D,P) or dictionary categories (V,W,D,P).
  • Activate feature sets for your created groups.

Creating User Accounts

There are two ways to create user accounts. They can either be created by an administrator, or through feedback invitations created by modelers.

Accounts created by an administrator - Users invited to a workspace

You invite users to the workspace by e-mail, then assign a license and provide access rights to folders and groups. Their accounts are managed by you. The new user has to register with the same e-mail address to use the license.

Accounts created through feedback invitation (by modelers)

SAP Signavio Process Manager users (modeling users) can invite internal and external process stakeholders to review and comment on diagrams. In the following, we take a closer look at internal and external users.

Internal Users: They already have an account and use their existing e-mail address and password combination to log in. Remember that internal users are managed with the user management.

External Users: External users invited to comment on diagrams must register using the link in the invitation e-mail. They can then sign in to the SAP Signavio Process Collaboration Hub and view the diagram. Instead of a paid license, they are assigned a commenting license so that they can view and add comments.

These user accounts are similar to those created with user management, but the following restrictions apply:

  • Users can only see the diagram that they are invited to.
  • Users are not assigned to any user group, not even the default groups.
  • Users cannot access any other SAP Signavio solution.

To revoke access, you need to remove the account from the user management and not just the license.

Creating Accounts

You have the following options to add users to your workspace:

  1. Create accounts with bulk invites, in case you want to invite multiple users at the same time into the workspace.
  2. Create user accounts individually, if you want to invite a specific user.

Note

New users must first register to create an account before they can access the workspace. Users who are already invited to other workspaces can select the workspace to log in to.

Every user you invite to your workspace has the following default permissions:

  • Viewing and editing diagrams in the folder Shared documents.
  • Viewing and editing dictionary entries.

You can change these permissions by going to Setup > Manage Access Rights.

Details about access rights will be covered later on in this lesson.

Inviting Users to the Workspace

Now, let's look at how to create and manage user accounts. In the video below we want to add a couple of new users to the user group "Hub Users".

Edit or Delete User Account

Within the Users tab, you can assign licenses to a user, assign users to groups, reset the user's password, and delete an account. Note that when you delete an account, all content in the My Documents folder is removed from the workspace. However, the content in the Shared Documents folder, user's comments, and changes made will remain there.

Create Workspace Administrators

In SAP Signavio Process Manager, administrators have extensive permissions to manage workspace settings and user access. The only thing that they cannot access or manage is the content in a modeler's My Documents folder. To create an administrator account, you create a user account and assign it to the Administrators user group. The user then receives administrative rights for your workspace. To revoke administrative rights, remove the user from the Administrators group.

Creating Groups

Now that we have learned how to create, edit, and delete user accounts, let's look at how to do this with groups.

In the Groups tab, you can edit the name of the group, add new users to a group automatically, create a group hierarchy, and remove users from a group. 

In the next video, we want to edit the name of our group - Users in Asia. We want to rename it to Users in Southeast Asia, add new users to this group automatically, and add two new users - Lisa and Eliza.

Default Groups

When customizing user groups, you can set one or more groups as default groups. For example, you can use a default group to provide new users with a basic set of access rights.

To define a group as a default group, activate the option Add new users to this group automatically (we saw this function in the previous video) in the group settings. Each user invited through the user management is assigned to all default groups by default.

To assign the user you want to invite to another group, you can assign user-specific user groups in the user management dialog when you set up the invitation.

Users created with SAML or CSV API are also assigned to the default groups, unless you specify other user groups by configuration.

Activate Feature Sets

You can activate specific feature sets in the user group management dialog. This lets you provide each modeler group with the feature sets it needs to perform its tasks. Restricting feature sets is useful, for example, when only a certain group of users is allowed to upload documents to the workspace.

Managing Access Rights

This section describes how to define access rights to folders, diagrams, the dictionary, and dictionary categories. It also shows how to assign access rights to users and user groups.

Once users are assigned to a user group with specific access, the access rights cannot be taken away by adding the users to an additional group with less access, or by setting user-specific access rights.

Practical Examples

Let's look at some practical examples on access rights based on folder structure and user groups. It is preferable to first decide on the folder structure before you begin to manage users and their access rights.

Available structures: End-to-End structure, Functional Structure, and Process Structure.

If users get access to a diagram and they do not have access to the folder containing the diagram, they can only view the diagram and the diagram path. They don't have access to any other diagrams in this folder.

Best Practices for Managing User Groups

When dealing with many users, the provided user group functionality allows you to manage access rights easily.

With groups, you can:

  • Effectively manage many users.
  • Define their access rights by creating a group for each organizational role.
  • Set up a group hierarchy.

This simplifies assigning access rights and feature sets to users. You can also grant both groups and users access to read, edit, delete, and publish diagrams on a folder-level. 

Hint

Depending on the folder structure and the access rights, it makes sense to nest user groups to grant different access rights on different folder levels.

Look at the groups' access rights below.

Group A can access Public Process and the subfolders core process, management processes, and support processes. Group B can access Sensitive Processes and the subfolders Budgeting and Strategic Planning.

Both modeler groups are part of the group 'All Modelers' and have reading access to all folders and processes. Group A has an additional access right to edit processes in the public process folder, whereas the sensitive processes are edited by Group B only.

Watch the following video to see how to grant folder access.

The video demonstrated how to grant access to users and groups. Below is a summary of the available access rights that can be assigned to them.

  • Hub (H): View published content in the Process Collaboration Hub.
  • Read (R): View unpublished content in the simulation tool, the revision comparison tool, the commenting view, and in the Process Collaboration Hub.
  • Write (W): Edit and save content in the Editor.
  • Delete (D): Delete and move content. To delete and move content between folders, users need write access for both folders and delete access for the folder from which the content is removed.
  • Publish (P): Publish diagrams in the Process Collaboration Hub.
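
The rules in this lesson (rights from several groups add up and are never taken away, a folder grant covers the complete folder, and moving content needs write access on both folders plus delete access on the source) can be checked with a small model. This is an added Python illustration, not SAP Signavio code or its API; the user names, the Reviewers group, Group B's delete right, and the assumption that a nested group inherits the rights of the group it is part of are constructed for the example.

```python
"""Illustrative model of additive access rights (hypothetical, not SAP Signavio code)."""

# Constructed sample data mirroring the Group A / Group B example in this lesson.
GROUP_PARENTS = {"Group A": ["All Modelers"], "Group B": ["All Modelers"]}
MEMBERSHIP = {"modeler_a": ["Group A"], "modeler_b": ["Group B"]}
GRANTS = {  # (user or group, folder path) -> rights out of H, R, W, D, P
    ("All Modelers", "Public Process"): "R",
    ("All Modelers", "Sensitive Processes"): "R",
    ("Group A", "Public Process"): "W",
    ("Group B", "Sensitive Processes"): "WD",  # D is assumed, to exercise the move rule
    ("Reviewers", "Sensitive Processes"): "R",  # constructed less-privileged group
}


def principals(user, membership=MEMBERSHIP):
    """Return the user plus every group reached directly or through nesting."""
    seen, todo = {user}, list(membership.get(user, []))
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(GROUP_PARENTS.get(group, []))
    return seen


def effective_rights(user, folder, membership=MEMBERSHIP):
    """Union of all grants on the folder or any parent folder; nothing is subtracted."""
    parts = folder.split("/")
    paths = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
    who_all = principals(user, membership)
    rights = set()
    for (who, path), granted in GRANTS.items():
        if who in who_all and path in paths:
            rights |= set(granted)
    return rights


def can_move(user, source, target, membership=MEMBERSHIP):
    """Moving needs Write on both folders and Delete on the source folder."""
    src = effective_rights(user, source, membership)
    dst = effective_rights(user, target, membership)
    return {"W", "D"} <= src and "W" in dst
```

Running `effective_rights` for every user and folder before and after a group change is a quick way to confirm that adding a user to a more restricted group did not reduce what they can already do.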

Limiting Access

When you grant access to a folder, users have access to the complete folder. Another possible approach is to limit the access to specific folder content.

Watch the next video to see how to limit access to specific content.

Sandbox Setup 

Setting up a sandbox allows you to keep an organized and productive environment while still allowing multiple users to provide input. The sandbox approach can be used for both the dictionary and process repository. We will cover that aspect in the next lesson.

Granting Access to Create Process Documentation Templates

Authorization to create or edit individual templates is managed the same way as folders and the dictionary. The following image shows an example in which administrators are the only group that has access to read, write, and delete.

In the Manage users and access rights window, the Templates list is expanded. In the User/Group column, the Administrators and Modelers are highlighted.

Now, let's look at the next image. Here, you can see your process documentation templates on the left-hand side. You can choose a specific template and then choose an individual user or group in the right-hand box and assign them access rights.

In the following example, we want to grant access to Max Modeler for editing the template Process Overview for Certification.

Let's learn more about the process documentation templates. The following video shows you how to create these templates.

In the Manage users and access rights window, in the Templates list, Process Overview for certification is highlighted. On the Add a new access right dropdown, Max Modeler is selected. In the subcategory, Hub, Read, Write is selected.