Defining Security and Access

Part of an Demand Management process is the security configured for workflow steps. PPM controls permission to perform decision and execution steps using the following mechanisms:

Licenses. Licenses give users access to PPM products, but do not determine the specific actions a user is authorized to perform within the products.
Access Grants. Access grants (used with licenses) determine the actions a user can perform within a given PPM product.

For example, you can restrict what an Demand Management user can do using the following license and access grant combination:

License
- Demand Management
Access Grants
- View Requests
- Edit Requests

For more information about licenses and access grants, see the Security Model Guide and Reference.

We recommend that you specify security groups or tokens (dynamic access) to set workflow security. Avoid using a list of individual users to control an action. If the user list changes (as a result of department reorganization, for example), you would have to update your workflow configuration in several places to keep the process running correctly. If you use a security group, you update the security group once, and the changes are propagated throughout the workflow. Tokens are resolved dynamically at runtime and thus adapt to the current system context as necessary.

Table 2-10. Example of workflow security groups lists example workflow steps and the security groups that have access to the workflow and each workflow step.

Table 2-10. Example of workflow security groups
Workflow Step	Security Groups
Validate Request	Financial Apps - Validate and Approve Requests Financial Apps - Manage Resolution System
Pending More Information	Financial Apps - Create and View Requests Financial Apps - Manage Resolution System
Approve Request	Financial Apps - Validate and Approve Requests Financial Apps - Manage Resolution System
Schedule Work	Financial Apps - Schedule Requests Financial Apps - Manage Resolution System
Develop Enhancement	Financial Apps - Develop Requests Financial Apps - Manage Resolution System

For more information about setting security for workflows and requests, see the Security Model Guide and Reference.

Security and User Access Checklist

Use the checklist in Table 2-11. Security and user access checklist to help determine your security and user access requirements.

Table 2-11. Security and user access checklist
Done	Security and User Access Issue	Configuration Consideration
	Created the security groups to be granted access to screens and functions.	Required security groups have been created.
	Created security groups to associate with workflow steps.	Security groups to allow users to act on a specific workflow step have been created.
	Set security on request creation.	All available options that restrict who can create and submit requests are set.
	Set security on request processing.	All available options that restrict who can process requests are set.
	Set security on request system configuration.	Users who can modify the request process have been granted required permissions. This includes editing the workflow, object type, environment, security group assignment, and so on.
	Cover all security group and workflow considerations.	Associate security groups with workflow steps. Group members can act on the step. Set workflow and workflow step ownership.
	Cover all security group and object type considerations	Set ownership groups for object types. Only members of the ownership group (determined by associating security groups) can edit the object type.
	Cover all security group and environments considerations.	Set ownership groups for environments. Only members of the ownership group (determined by associating security groups) can edit the environments.
	Cover all security group and notification template considerations.	Set ownership groups for notification templates. Only members of the ownership group (determined by associating security groups) can edit the notification templates.
	Cover all security group and user data considerations.	Set ownership groups for user data. Only members of the ownership group (determined by associating security groups) can edit user data.