1 files changed, 25 insertions, 0 deletions

diff --git a/doc/31-Permissions.md b/doc/31-Permissions.md
new file mode 100644
index 0000000..b6b8b98
--- /dev/null
+++ b/doc/31-Permissions.md
@@ -0,0 +1,25 @@
+# Permission System
+
+The permission system of the module is based on permissions and restrictions.
+
+## Permissions
+
+The module has five levels of permissions:
+
+* Granting general module access allows a user to view business processes. (`module/businessprocess`)
+* Create permissions allow to create new business processes. (`businessprocess/create`)
+* Modify permissions allow to modify already existing ones. (`businessprocess/modify`)
+* Permission to view all business processes regardless restrictions. (`businessprocess/showall`)
+* Full permissions. (`businessprocess/*`)
+
+## Restrictions
+
+There are two ways to configure restrictions: prefix-based and access controls
+
+### Prefix-based
+
+This option allows to limit access of a role to only business processes with a specific prefix. For this the ID (Configuration name) of a business process has to start with a prefix and it has to be set as restriction on the role. (`businessprocess/prefix`)
+
+### Access controls
+
+This option allows for more fine granular permissions based on user (`AllowedUsers`), group (`AllowedGroups`) and role (`AllowedRoles`). These attributes take a comma-separated list, get added to the header of the business process configuration file and limit access to the owner and the mentioned ones.