ARIS - SHARE YOUR IDEAS
How can we make ARIS better?
Status Open for voting
Created by Sören Schmitt
Created on Mar 31, 2023

Using the REST API APG function without administration rights (e.g. for user self-service)

Hello,


With the release of ARIS 10 SR20, a function to start an APG workflow was added to the REST API. However, the APG workflow can only be launched with the login of a user who holds the "Process Governance-Administration" privilege.

This requirement is too high for the use case described below and heavily limits the use of the functionality.

An adjustment that removes the restriction to the administrator privilege would be useful here. Excessive or unauthorized starts should then be handled, and aborted, within the APG workflow itself.


Use case: User Self-Service

A self-service is to be created in ARIS Connect in which users can apply for an ARIS user account themselves.

For this purpose, the user enters the relevant information via an input form in ARIS Connect.

With that information, an ARIS user is created automatically and assigned to a default user group.

Such a self-service shortens the turnaround time for access requests and relieves the administrators.

The use case is also explained graphically in the attached PDF file (in German).


Problems using the REST API APG functionality in the use case:

The idea here was to use the new REST API functionality to start an APG workflow that handles the creation and assignment of the user.

To make a REST API call, you first have to request a session token via the REST API (the Guest user cannot be used for this!).

For this, a username and the corresponding password are needed.

In the above use case this should be done using a technical user.

However, since the APG workflow is to be started from ARIS Connect and the data from the input form is to be passed along, the entire call, including the token request, must take place on the client side (browser side).

On the one hand, this means that between the token request and the logout of that token, a valid session exists for a user who holds an administration privilege. This session can be intercepted and used to gain access to Process Governance administration.

On the other hand, the credentials can be read out of the browser and reused.


Currently we do not know of any way to trigger the REST API call, with the data from the input form passed along, on the server side.


If there is another way to provide such a self-service we would be very happy to receive the information.

Otherwise, a standard functionality for this would be desirable, or at least the removal of the restriction described above when using the REST API APG function.


We had created an incident for this problem: "SI-498975 Administrationsrecht zum Aufruf der APG-Rest-API benötigt" (administration privilege required to call the APG REST API).
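The post's core concern is that the technical user's credentials and its privileged session token would have to live in the browser. The following is an added example, not ARIS code and not part of the original idea, of the server-side broker pattern that avoids this: the browser submits only the form fields to a small backend component, which holds the technical credentials, validates the request before any privileged session is opened, starts the workflow, and logs out again in the same bounded step, so neither the token nor the credentials ever reach the client. The `FakeArisApi` class, its method names, the workflow id and the group name are constructed stand-ins so the example runs offline; the real ARIS REST API paths and parameters are not shown here and would have to be substituted.

```python
"""Server-side broker for an ARIS user self-service (added example, not ARIS code).

The browser never sees the technical user's credentials or its session token:
it sends only the form fields to this broker, which opens the privileged
session, starts the APG workflow and logs out again in one bounded step.
The ARIS endpoints are simulated by FakeArisApi so the example runs offline.
"""
import re
import secrets
from collections import Counter


class FakeArisApi:
    """Stand-in for the ARIS REST API (constructed for this example)."""

    def __init__(self, admin_user: str, admin_password: str):
        self._admin = (admin_user, admin_password)
        self.sessions = set()   # tokens that are currently valid
        self.started = []       # (token, workflow_id, payload) per started workflow
        self.log = []           # call trace, used to check the session lifetime

    def request_token(self, user: str, password: str) -> str:
        if (user, password) != self._admin:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions.add(token)
        self.log.append(("login", token))
        return token

    def start_workflow(self, token: str, workflow_id: str, payload: dict) -> dict:
        if token not in self.sessions:
            raise PermissionError("no valid session")
        self.started.append((token, workflow_id, payload))
        self.log.append(("start", token))
        return {"workflowInstance": f"wf-{len(self.started)}"}

    def logout(self, token: str) -> None:
        self.sessions.discard(token)
        self.log.append(("logout", token))


USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_request(form: dict) -> dict:
    """Whitelist the self-service fields before any privileged call is made."""
    username = str(form.get("username", "")).strip().lower()
    email = str(form.get("email", "")).strip()
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email")
    # The default group is fixed server-side; the browser cannot choose it.
    return {"username": username, "email": email, "group": "self-service-users"}


class SelfServiceBroker:
    """Holds the technical user's credentials and the workflow id server-side only."""

    def __init__(self, api, tech_user: str, tech_password: str,
                 workflow_id: str, max_per_client: int = 3):
        self._api = api
        self._creds = (tech_user, tech_password)
        self._workflow_id = workflow_id
        self._max = max_per_client
        self._requests = Counter()   # per-client counter against excessive starts

    def submit(self, client_id: str, form: dict) -> dict:
        # Abuse checks run before a privileged session exists, so a rejected
        # request never opens the window the original post describes.
        if self._requests[client_id] >= self._max:
            raise PermissionError("rate limit exceeded")
        self._requests[client_id] += 1
        payload = validate_request(form)
        token = self._api.request_token(*self._creds)
        try:
            result = self._api.start_workflow(token, self._workflow_id, payload)
        finally:
            self._api.logout(token)   # session closed even if the start fails
        # Only an opaque confirmation goes back to the browser: no token, no credentials.
        return {"status": "submitted", "instance": result["workflowInstance"]}


if __name__ == "__main__":
    api = FakeArisApi("apg_admin", "s3cret")
    broker = SelfServiceBroker(api, "apg_admin", "s3cret", "user-self-service")
    print(broker.submit("203.0.113.7", {"username": "JDoe", "email": "jdoe@example.org"}))
    print("open sessions after the call:", api.sessions)
```

The point of the design is that the privileged session is created and torn down on the server within one request, and the only thing that can cross the browser boundary is the form data, which is validated and rate-limited before the technical user logs in. The `finally` block matters: without it, a failed `start_workflow` would leave an administrator session open.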