How to check permissions in MWS programmatically


This is a copy of a post I sent to another forum. But I re-post it here since this forum seems to be more appropriate. I apologise if it breaks some forum rules.

I want to check (from within a program) whether a certain MWS role (configured in MWS via user management) is allowed to see a certain page (specified by its alias). I.e. I’d need a function like this:

boolean hasPermission(String roleName, String pageAlias)

How is it possible to implement it? The function would be executed in MWS (not in IS). Is there some API to accomplish this?

There is a code sample, but the code is not much documented and uses some classes which I could not find docs for.

Any advice would be much appreciated.

While at it, I’d also be very interested in how to check whether a role (or some other principal) is allowed to see instances of a certain process model.

Here is a snippet that demonstrates how to check access in MWS:

    // Needs java.util.Collection and the MWS portal API classes on the classpath.

    /**
     * Check access test driver
     */
    public void checkAccessTest() throws PortalException {
        boolean granted = checkAccessToPage("Administrator", "folder.system");
    }

    /**
     * Check the access on a page/thing for a specific principal
     */
    public boolean checkAccessToPage(String principalID, String pageAlias) throws PortalException {

        // get the various managers we'll need
        IContext context = ContextFactory.acquireContext(true);
        IBizPolicyManager bizPolicyManager = (IBizPolicyManager) PortalSystem.getComponentProvider(IComponentNames.BIZPOLICY);
        IAccessPolicy accessPolicy = (IAccessPolicy) bizPolicyManager.getComponent(IBizPolicyNames.ACCESS);

        // get the thingID of the page/thing to check
        IThingID pageThingID = (IThingID) PortalSystem.getPortalSystem().acquireURI(pageAlias);

        // resolve the user to a principal URI
        PrincipalModel principalModel = (PrincipalModel) PrincipalModelFactory.createPrincipalModelFromID(principalID);
        IURI principalURI = principalModel.getPrincipalURI();

        // get the principal's access to the page
        Collection<Integer> rightsSet = accessPolicy.getAccessEx(context, pageThingID, principalURI);

        // check if the READ right is granted
        boolean canAccess = rightsSet.contains(IAccessRight.READ_RIGHT);

        return canAccess;
    }

Unfortunately, process models are stored outside of MWS, so the MWS folks may not be much help with determining access to the process models.

Hello Ron.

Thank you for this code fragment! Interestingly, it uses other classes than the code from the sample (IAclManager etc.), but (hopefully) does the same.

Is there a description (official or unofficial, maybe from some internal SAG forums) of the MWS security model and how it’s covered by the API?

As for the processes: I understand that the process models are not stored in MWS. But are the access rights also stored there (i.e. not in MWS)? If they are stored at the same location as the models, then it should be the PRT or the Process Monitor, right? Should I dig there?

What confuses me is the fact that these rights are configured from the MWS UI: you first have a list of all roles, then you can select a role and choose process models that the role is allowed to see. Hence I conclude that the process models are also entities for the MWS. I tried to get it from the links (URLs) the roles point to, but they don’t tell me much.

I’d be grateful if you could talk to some guys from the appropriate team.

The AccessPolicy API is a better approach, as it is the API used internally to determine access to an item. It encompasses several security levels, including role membership and security realms as well as simple ACLs.

These security concepts are described in the “Managing Permissions” section of the Admin Guide. I’m not aware of any specific API documentation other than the published javadocs.

I’m afraid I won’t be much help with the Process Model question. Perhaps someone in the BPM forum can be more helpful.

Ron, thank you! I’ll try in the other forum.

Hello again Ron!

I have another little question. Should the code you provided also work directly in IS (I think all the needed Java libraries could be made accessible there if they are not already)? Or is it only for running within the MWS server?

Thank you.


That code is intended for the MWS runtime only… It may work in IS, but it isn’t a supported configuration and may not work in future versions.

Out of curiosity, why would you be interested in Page access rights from IS?

OK, thank you! That’s what I thought.

It’s very simple. We have some test cases, implemented as IS services, that verify our system setup/deployment. One of the things we’d like to check is whether some roles have access to certain pages in MWS.
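The deployment check described above, sketched as an added example (not code from any poster in this thread or from MWS itself): a list of expected role/page access results is compared against the live answers, so both missing and excess access are reported. `AccessChecker`, `Expectation`, the `Guest` principal and the `folder.public` alias are assumptions made for illustration; inside MWS the checker would delegate to the `checkAccessToPage` method posted earlier. Records require Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

public class PageAccessAudit {

    /** Hypothetical adapter; inside MWS it would delegate to checkAccessToPage(). */
    public interface AccessChecker {
        boolean canRead(String principalId, String pageAlias) throws Exception;
    }

    /** One expectation: should this principal be able to read this page? */
    public record Expectation(String principalId, String pageAlias, boolean shouldRead) {}

    /** Returns one finding per expectation that does not hold; an empty list means pass. */
    public static List<String> audit(AccessChecker checker, List<Expectation> expected) {
        List<String> findings = new ArrayList<>();
        for (Expectation e : expected) {
            try {
                boolean actual = checker.canRead(e.principalId(), e.pageAlias());
                if (actual && !e.shouldRead()) {
                    findings.add("EXCESS ACCESS: " + e.principalId() + " can read " + e.pageAlias());
                } else if (!actual && e.shouldRead()) {
                    findings.add("MISSING ACCESS: " + e.principalId() + " cannot read " + e.pageAlias());
                }
            } catch (Exception ex) {
                // An unresolved alias or principal is a failed check, never a silent pass.
                findings.add("CHECK FAILED: " + e.principalId() + " / " + e.pageAlias() + ": " + ex);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed stub standing in for the MWS call so the example runs offline.
        AccessChecker stub = (p, a) -> p.equals("Administrator") || a.equals("folder.public");
        List<Expectation> expected = List.of(
            new Expectation("Administrator", "folder.system", true),
            new Expectation("Guest", "folder.system", false),
            new Expectation("Guest", "folder.public", false)); // deliberately violated by the stub
        audit(stub, expected).forEach(System.out::println);
    }
}
```

With the constructed stub, only the third expectation fails and is reported as excess access; listing the pages a role must not see is what lets the test catch over-broad permissions after a deployment.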

Hello Ron.

May I ask you to provide a code snippet that would check whether the specified MWS role is subscribed to notification mails for/from the task with the specified task type id? I.e. for the method

boolean isSubscribed(String roleName, String taskTypeId) ?

Thanks in advance

Two things, because this is a topic near and dear to my heart :slight_smile:

  1. Will those internal MWS APIs change without warning?
  2. I’ve struggled in the past to find a way to get a list of roles that can access a task. This would be an amazing building block in the quest for one universal inbox (I want to use it to constrain the Delegate button, which currently allows delegation to the CEO if the user wishes :slight_smile: ). Any thoughts?