Process Profile, Process Permissions and Process Groups

Permissions Lists for Multiple Process Profiles and Process Groups
Here is some information that will explain how all this works. The Process Profile: (Found on the General Tab of the User Profile)

The Process Profile contains the permissions a user requires for running batch processes through Process Scheduler. For instance, the process profile is where users are authorized to view output, update run locations, restart processes, and so on.

Only the Process Profile comes from this permission lists, not the list process groups.

Process Profile Permissions: (Found on any Permission List under the Process tab)

Process Scheduler security involves more than simply adding a few Process Groups to a Permission List. You also need to specify to what capacity a Role (or set of users) can modify certain Process Scheduler settings. The Process Profile definition determines the default Process Scheduler settings for a user.

This Permission List with the default Process Profile would be assigned directly to the User Profile on the General tab in the field Process Profile as stated above.

For instance, with the Process Profile, you specify such settings as where the system delivers the output of the process, whether the user can update the Process Request. I.E. Workstation Destinations, Server Destinations, OS/390 Job Controls, and
Allow Process Request. Can the user Override Output Destination, Override Server Parameters, View Server Status, Update Server Status, Enable Recurrence Selection, and Run Client Process. (For Client Processes see EXCEPTION below)

Process Group Permissions: (Found on any Permission List under the Process tab)

Process groups are collections of Process Definitions that you create using Process Scheduler. Typically, you group Process Definitions according to work groups within your organization, and only users who belong to a particular workgroup can invoke batch processes included in a specific Process Group. For instance, you may have a set of Process Definitions that relate to your Human Resources department and another set for your Manufacturing department.

Regardless of how you organize your Process Definitions, you must assign process groups to a Permission List. Users can run ONLY those processes, through Process Scheduler, that belong to process groups assigned permission lists that are assigned to the user through their Roles. Not through permission lists assigned directly to the user on the General tab of the user profile.

NOTE:
The above statement is true UNLESS you are trying to run the process through a push-button on an application page and you are seeing the following error message “You do not have authority to initiate the XX process”. Process group permissions do not work unless one process group is attached to the user’s primary permission list. A user must have a primary permission lists with at least one process group permission in order for the application to recognize the existence of process group permissions derived from other permission lists via roles. This is an application specific error. See resolutions at the bottom of this resolution for more details.

Here is the SQL for the tables so you can validate that the users and permission lists actually have the process groups you have assigned to them.

You will need to change the OPRID from PS to the OPRID you have a question about in this statement

select DISTINCT A.ACCESS_GROUP, B.OPRCLASS FROM PS_SCRTY_ACC_GRP A, PSOPRCLS B WHERE OPRID = ‘PS’ AND A.CLASSID = B.OPRCLASS

This is for the permission lists

select * from PSAUTHPRCS order by CLASSID

To define the correct processes to their Process Group (or to create a new Process Group) you need to do this through the Process Scheduler manager > Use > Process Definitions, then select a process and on the Process Definitions options tab you will assign or create the Process Group. (See Resolution 700912 – PT 8.1x Process Scheduler: How to create a new Process Group)

PT 8.4 information: In PeopleTools 8.4x, the Process Profile permission list in the User’s Profile General tab is not working as it should. For the Permission List set up in the Process Profile section, permissions are set up such that the user cannot select or access certain data. However, the user is still able to select and change this data while submitting the request. This is a known issue and is addressed and fixed in PeopleTools 8.44.

More information can be found in PeopleBooks under:

Administration Tools: Security > Working with Permission Lists & User Profiles
OTHER RELATED INFORMATION:
712138 – E-SEC: Users need access to view ONLY to their processes in Process Monitor
713525 – E-PRSC/SEC: Cannot run Client processes on Windows 2000 if User is System
711663 – E-SEC: Not authorized to run Process type ‘xxx’ and process ‘xxx’ (65,8)
716760 – E-SEC: You do not have authority to initiate the XX process (5010, 76)

ProcessSchedulerAdmin ROLE note: This role is the administrative role assigned to the OPRID used to boot the Process Scheduler as documented in PeopleBooks. The ProcessSchedulerAdmin role also has administrative rights to any and all process requests viewed from the Process Monitor so is not a role to grant to just any user. Users with this role may be able to submit any process request from a process request page.