AT:

• the user can only create reports for process definitions he has access to
• when a user retrieves the list of all reports, he gets only those reports where he has been granted access to the process definition
• evaluating a report with a process definition the user has no access to returns an error message
• deleting a report for a process definition the user has no access to returns an error message
• a user is authorized for a definition if one of the following authorization in the engine are defined (assume the user is called "Kermit" and is in the "Kermits-Gang" group, aProcessDefinitionKey is a definition key that is in the engine):
  • Type: ALLOW, User: Kermit, Permissions: ALL/READ+READ_HISTORY, Resource ID: aProcessDefinitionKey
  • Type: ALLOW, User: Kermit, Permissions: ALL/READ+READ_HISTORY, Resource ID: *
  • Type: ALLOW, Group: Kermits-Gang, Permissions: ALL/READ+READ_HISTORY, Resource ID: aProcessDefinitionKey
  • Type: ALLOW, Group: Kermits-Gang, Permissions: ALL/READ+READ_HISTORY, Resource ID: *
  • Type: GLOBAL, User/Group: *, Permissions: ALL/READ+READ_HISTORY, Resource ID: aProcessDefinitionKey
  • Type: GLOBAL, User/Group: *, Permissions: ALL/READ+READ_HISTORY, Resource ID: *
• an authorization can be revoked with the following settings:
  • Type: DENY, User: Kermit, Permissions: ALL/READ+READ_HISTORY, Resource ID: aProcessDefinitionKey
  • Type: DENY, User: Kermit, Permissions: ALL/READ+READ_HISTORY, Resource ID: *
  • Type: DENY, Group: Kermits-Gang, Permissions: ALL/READ+READ_HISTORY, Resource ID: aProcessDefinitionKey
  • Type: DENY, Group: Kermits-Gang, Permissions: ALL/READ+READ_HISTORY, Resource ID: *
• the precedence of the authorizations is according to here