Access control functionalities in Bonita 6.5
I don't think there is a single easy answer to this question.
In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
And on this basis if you were to ask does a process have any access to any business data without it being assigned to the process, then I would have to say (contingent on the assumption the system hasn't been hacked) that the answer is least privilege is applied. No data is accessible to any process unless so assigned.
However you have to consider is what is minimal information for the process, this is beholden to the designer and developer of the physical process. I agree that ordinarily you would only want the relevant data necessary for a process. But looking at some previous questions people do not think like that...
Some have written processes that say for this Group of people under this role (C) show these fields but when under this role (D) show them a different sub-set of the same fields. The process still has access to the fields which these users are no-longer using and falls foul of the rules of least privilege.
Is this bad security, or good, normalized, process design?
Can a process extend it's reach beyond the data it has been assigned and hack its way to other data? Not that I know.
Further information on BonitaSoft Security can be found here:
and for the organization/actor mappings
I know it's not much help but hopefully it's a starter for 10...
Hello Sean McP, Thank you for your answer , but I think that my question wasn't clear , I was in particular asking about permissions given to a user. If he wants to do a task that requires a permission X , but he has other permissions , would all his permissions be "activated" or only permission X that is needed ? what about conflicting entities ? I hope it's clear now
Why aren't I getting answers ? what's wrong with that question ? :(
Oh I am sorry , I said that while the number of views were incrementing (60) and there are no answers , I was really not talking about you. I am sorry again and thank you for your help.