Permission List

Comprehensive reference of all Portal permissions. Use this list to assign least-privilege access and understand which features each permission controls. Proper permission configuration ensures Portal security aligns with your organization’s access control policies.

Permission Architecture:

Portal’s permission system extends Axon Ivy Engine’s core security model with Portal-specific permissions. All permissions are configured in the Engine Cockpit under the PortalPermissions section and can be assigned to:

  • Roles: Grant permissions to all users with specific roles (e.g., “Manager”, “Employee”)

  • Individual Users: Grant permissions to specific user accounts (prefix with #)

  • Combinations: Mix role-based and user-specific permissions for granular control

How to Use This Reference:

  1. Find the permission category matching your use case

  2. Locate the specific permission you need to configure

  3. Note the permission name (used in Engine Cockpit configuration)

  4. Assign permission to appropriate roles or users

  5. Test with users from different roles to verify behavior

Configuration Location:

All permissions are configured in the Engine Cockpit under Security > PortalPermissions. For detailed configuration instructions and examples, see Permission Settings.

Best Practices:

  • Start with Roles: Assign permissions to roles rather than individual users for easier maintenance

  • Principle of Least Privilege: Grant only the permissions users need for their work

  • Test Thoroughly: Verify permission configurations with users from different roles

  • Document Decisions: Keep track of why specific permissions were granted or denied

Related Sections:

  • Settings - Permission configuration examples and detailed explanations

  • Customization - Build custom permission-based features

Overview

Portal has a flexible security system that lets you configure who can access applications and what they can do and see in Portal.

Permission Categories

  • Portal Task Permissions - Control task visibility, actions, and modifications

  • Portal Case Permissions - Control case visibility, actions, and business details

  • Portal General Permissions - Dashboard, document, process list, and role access

  • Portal Absence And Substitute Permissions - Absence and substitute management permissions

Important

Portal Permission Support:

The Portal is built as a layer above the Axon Ivy Engine core. Not every core engine permission is automatically honored or supported by the Portal. If you require a specific engine permission not currently supported by the Portal, please contact Axon Ivy support.

Note

Permission Types in this Documentation:

  • Portal Permissions - Custom permissions defined by Portal (e.g., DashboardWriteOwn, ShareTaskDetailsLink, NewsManagement)

  • Engine Permissions - Core Axon Ivy permissions that Portal respects (see list at end of this page)

Permissions marked with “Granted to role Everybody by default” are automatically assigned when Portal is installed.

Portal Task Permissions

Permissions controlling task visibility, actions, and property modifications.

Task Visibility

🔑TaskReadAll
  • View all tasks in the system regardless of assignment

  • Typically granted to administrators

🔑SystemTaskReadAll
  • View system tasks (background/automated tasks)

  • Required for debugging and system monitoring

🔑TaskReadOwnCaseTasks
  • View tasks related to cases where user is involved

  • Granted to role Everybody by default

Task Actions

🔑TaskParkOwnWorkingTask
  • Reserve (park) own working tasks

  • Allows users to temporarily set aside tasks they’re working on

  • Granted to role Everybody by default

🔑TaskResetOwnWorkingTask
  • Reset own working tasks to their initial state

  • Only works for tasks in states: RESUMED, PARKED, READY_FOR_JOIN, FAILED

  • Granted to role Everybody by default

🔑TaskReset
  • Reset any task in the system (administrative permission)

  • Typically restricted to administrators

🔑TaskResetReadyForJoin
  • Reset tasks in READY_FOR_JOIN state

  • Useful for workflow error recovery

🔑TaskDestroy
  • Delete tasks permanently

  • Only works if task state is not DESTROYED or DONE

  • High-privilege permission for administrators

Task Property Modifications

🔑TaskWriteName
  • Modify task name/title

🔑TaskWriteDescription
  • Modify task description

  • Cannot change terminated tasks (DONE, DESTROYED, FAILED)

🔑TaskWriteOriginalPriority
  • Change task priority level

  • Cannot change tasks in states: DONE, DESTROYED, FAILED

🔑TaskWriteExpiryTimestamp
  • Change task deadline/expiry date

  • Cannot change tasks in states: DONE, DESTROYED, FAILED

🔑TaskWriteActivator
  • Delegate tasks to other users/roles

  • Granted to role Everybody by default

🔑TaskWriteExpiryActivator
  • Change the user responsible when task expires

  • Cannot change tasks in states: DONE, DESTROYED, FAILED

🔑TaskWriteDelayTimestamp
  • Modify task delay/start time

Task UI Display Permissions

🔑TaskWriteActivatorOwnTasks
  • Delegate personal/group tasks assigned to user

  • Not assigned to Everybody by default (more restrictive than 🔑TaskWriteActivator)

🔑TaskDisplayAdditionalOptions
  • Display additional action menu in task lists

  • Granted to role Everybody by default

🔑TaskDisplayResetAction
  • Show Reset action button in task interface

  • Requires corresponding 🔑TaskReset permission to execute

  • Granted to role Everybody by default

🔑TaskDisplayReserveAction
  • Show Reserve (Park) action button in task interface

  • Requires 🔑TaskParkOwnWorkingTask to execute

  • Granted to role Everybody by default

🔑TaskDisplayDelegateAction
  • Show Delegate action button in task interface

  • Requires 🔑TaskWriteActivator to execute delegation

  • Granted to role Everybody by default

🔑TaskDisplayDestroyAction
  • Show Delete/Destroy action button in task interface

  • Requires 🔑TaskDestroy permission to execute

🔑TaskDisplayWorkflowEventAction
  • Show Workflow Events button in task details

  • Allows viewing task execution history and events

🔑TaskDisplayCustomFieldsAction
  • Show Custom Fields button in task interface

  • Displays additional business data fields
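
The display permissions above only show a button; the page lists a separate permission required to execute each action. The following added example (not part of the Portal documentation or product) audits a role/user-to-permission mapping for display permissions without their execute counterpart, administrator-level task permissions on other principals, and direct user grants. The mapping format, the sample data, and the role name "Administrator" are assumptions made for illustration.

```python
# Added example: audit a principal -> permission mapping against the rules
# stated in the task permission sections of this page.
# ASSIGNMENTS is constructed sample data, not an Engine Cockpit export format.

# Display permission -> permission the page says is required to execute it.
DISPLAY_REQUIRES = {
    "TaskDisplayResetAction": "TaskReset",
    "TaskDisplayReserveAction": "TaskParkOwnWorkingTask",
    "TaskDisplayDelegateAction": "TaskWriteActivator",
    "TaskDisplayDestroyAction": "TaskDestroy",
}
# Task permissions the page describes as administrator-level.
ADMIN_LEVEL = {"TaskReadAll", "TaskReset", "TaskDestroy"}

ASSIGNMENTS = {  # constructed; "#" marks an individual user, as on the page
    "Everybody": {"TaskParkOwnWorkingTask", "TaskWriteActivator",
                  "TaskDisplayReserveAction", "TaskDisplayDelegateAction"},
    "Manager": {"TaskReset", "TaskDisplayResetAction",
                "TaskDisplayDestroyAction"},
    "Employee": {"TaskReadAll"},
    "#jdoe": {"TaskDestroy", "TaskDisplayDestroyAction"},
}

def audit(assignments, admin_roles=("Administrator",)):
    """Return a sorted list of (principal, finding) tuples to review."""
    findings = []
    everybody = assignments.get("Everybody", set())
    for principal, granted in assignments.items():
        # Simplification: only inheritance from Everybody is modelled.
        effective = granted | everybody
        for display, needed in DISPLAY_REQUIRES.items():
            if display in effective and needed not in effective:
                findings.append((principal, f"{display} shown without {needed}"))
        if principal not in admin_roles:  # admin role name is hypothetical
            for perm in sorted(granted & ADMIN_LEVEL):
                findings.append(
                    (principal, f"admin-level {perm} on non-admin principal"))
        if principal.startswith("#"):
            findings.append((principal, "direct user grant; prefer a role"))
    return sorted(findings)

if __name__ == "__main__":
    for principal, finding in audit(ASSIGNMENTS):
        print(f"{principal}: {finding}")
```
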

Portal Case Permissions

Permissions controlling case visibility, actions, and business details.

Case Visibility

🔑CaseReadAll
  • View all cases in the system regardless of involvement

  • Typically granted to administrators

  • Combined with 🔑TaskReadAll for full system visibility

Case Actions

🔑CaseDestroy
  • Delete cases permanently

  • Only works when case state is RUNNING

  • High-privilege permission for administrators

🔑CaseOwnerTaskDelegate
  • Delegate all related tasks within cases where user is the case owner

  • Allows case owners to manage task assignments for their cases

Case Property Modifications

🔑CaseWriteName
  • Modify case name/title

  • Cannot change cases in DESTROYED state

🔑CaseWriteDescription
  • Modify case description

  • Cannot change cases in DESTROYED state

Case UI Display Permissions

🔑ShowAllTasksOfCase

🔑ShowCaseDetails
  • Display Business Details tab in case interface

  • Shows additional case information and custom widgets

  • Granted to role Everybody by default

🔑CaseDisplayCustomFieldsAction
  • Display Custom Fields button in case interface

  • Shows additional business data fields

Portal General Permissions

General permissions for dashboards, documents, lists, roles, and Portal features.

Portal Page Access

🔑AccessFullProcessList
  • Access full process list page showing all available processes

  • Shows “Processes” in left menu and “Show all processes” on Dashboard

  • See Full Process List for details

  • Granted to role Everybody by default

🔑AccessFullTaskList
  • Access full task list page showing all accessible tasks

  • Shows “Tasks” in left menu and “Show full task list” on Dashboard

  • See Full Task List for details

  • Granted to role Everybody by default

🔑AccessFullCaseList
  • Access full case list page showing all accessible cases

  • Shows “Cases” in left menu

  • See Full Case List for details

  • Granted to role Everybody by default

Dashboard Permissions

🔑DashboardWriteOwn
  • Create and modify private (personal) dashboards

  • Granted to role Everybody by default

🔑DashboardWritePublic
  • Create and modify public (shared) dashboards

  • Typically restricted to administrators or dashboard managers

🔑DashboardExportOwn
  • Export private dashboards to JSON files

  • Allows backup and sharing of personal dashboard configurations

🔑DashboardExportPublic
  • Export public dashboards to JSON files

  • Typically restricted to administrators

🔑DashboardImportOwn
  • Import private dashboards from JSON files

  • Allows restoring or applying dashboard templates

🔑DashboardImportPublic
  • Import public dashboards from JSON files

  • Typically restricted to administrators

Document Permissions

🔑DocumentRead
  • View all documents across all cases/tasks

  • Administrative permission for full document visibility

🔑DocumentWrite
  • Upload and delete any documents

  • Administrative permission for document management

🔑DocumentOfInvolvedCaseWrite
  • Upload and delete documents in cases where user is involved

  • Standard permission for case participants

  • Granted to role Everybody by default

Role Management Permissions

🔑RoleReadAll
  • View all roles in the system

  • Required for role selection in various features

  • Granted to role Everybody by default

🔑RoleManagement
  • Access Role Management tab in Admin Settings

  • Required to view dynamic role configuration interface

🔑RoleCreate
  • Create new dynamic roles

  • Typically restricted to administrators

🔑RoleDelete
  • Delete existing dynamic roles

  • Typically restricted to administrators

🔑RoleMove
  • Change role hierarchy (select parent role)

  • Affects role inheritance structure

Notes and Comments

🔑TaskCaseAddNote
  • Add notes/comments to tasks and cases

  • Enables collaboration and communication

  • Granted to role Everybody by default

🔑TaskCaseShowMoreNote
  • View “Show more” option to expand long notes

  • Granted to role Everybody by default

🔑NoteReadAllCaseTaskDetails
  • View system notes in case and task details

  • Allows non-admin users to see audit and system-generated notes

  • New in LTS 12.0+: Replaces legacy global variables Portal.Histories.HideSystemNotes and Portal.Histories.HideSystemNotesForAdministrator

Note

Pre-LTS Versions: This permission does not exist in Portal versions before 12.0. Use global variables Portal.Histories.HideSystemNotes and Portal.Histories.HideSystemNotesForAdministrator instead.

Admin Settings & Configuration

🔑RoleManagement
  • Access Role Management tab in Admin Settings

  • See dynamic role configuration and management

🔑NewsManagement
  • Manage News widget content on dashboards

  • Create, edit, and delete news items

🔑PasswordValidation
  • Access Password Validation settings in Admin Settings

  • Configure password complexity requirements

🔑NotificationChannelsSetting
  • Customize notification channel preferences in My Profile

  • Control email, browser, and other notification methods

  • Granted to role Everybody by default

Process & External Links

Portal Absence And Substitute Permissions

Permissions for managing user absences and task substitution.

Absence Management - Own Absences

🔑UserReadOwnAbsences
  • View own absence records

  • Granted to role Everybody by default

🔑UserCreateOwnAbsence
  • Create and edit own absence periods

  • Allows users to mark when they are unavailable

  • Granted to role Everybody by default

🔑UserDeleteOwnAbsence
  • Delete own absence records

  • Granted to role Everybody by default

Absence Management - All Users

🔑UserReadAbsences
  • View absence records of all users

  • Administrative permission for HR or management

🔑UserCreateAbsence
  • Create and edit absences for any user

  • Typically restricted to administrators or HR personnel

🔑UserDeleteAbsence
  • Delete absence records for any user

  • Administrative permission for absence management

Substitute Management

🔑UserCreateOwnSubstitute
  • Create own substitute assignments

  • Delegate tasks to others during absence

  • Granted to role Everybody by default

🔑UserCreateSubstitute
  • Create substitute assignments for any user

  • Administrative permission for managing substitutions

🔑UserReadSubstitutes
  • View substitute assignments for all users

  • Required for seeing who is substituting whom

Engine Permissions Respected by Portal

Portal honors the following Axon Ivy Engine core permissions. These are documented here for completeness as they directly affect Portal functionality:

Task Permissions: 🔑TaskReadAll, 🔑TaskReadOwnCaseTasks, 🔑TaskParkOwnWorkingTask, 🔑TaskResetOwnWorkingTask, 🔑TaskReset, 🔑TaskDestroy, 🔑TaskWriteName, 🔑TaskWriteDescription, 🔑TaskWriteOriginalPriority, 🔑TaskWriteExpiryTimestamp, 🔑TaskWriteActivator, 🔑TaskWriteDelayTimestamp

Case Permissions: 🔑CaseReadAll, 🔑CaseDestroy, 🔑CaseWriteName, 🔑CaseWriteDescription

Role Permissions: 🔑RoleReadAll, 🔑RoleCreate, 🔑RoleDelete, 🔑RoleMove

Document Permissions: 🔑DocumentRead, 🔑DocumentWrite, 🔑DocumentOfInvolvedCaseWrite

Absence & Substitute Permissions: 🔑UserReadOwnAbsences, 🔑UserCreateOwnAbsence, 🔑UserDeleteOwnAbsence, 🔑UserReadAbsences, 🔑UserCreateAbsence, 🔑UserDeleteAbsence, 🔑UserCreateOwnSubstitute, 🔑UserCreateSubstitute, 🔑UserReadSubstitutes

Tip

For comprehensive details on each permission including usage context and restrictions, see the detailed sections above.