Here is my setup. Assume I have 100 processes.
I've created a role that grants SERVICE_INVOKE permissions.
I've assigned this role to the "All Principals" group.
This was an easy way of granting invoke permissions to all users on all processes.
Now, I want to add process 101. But, I only want a limited set of users to be able to invoke it. How do I accomplish this?
Because of the role I created earlier, all principals will get invoke permissions on process 101 by default. It appears to me that in order to accomplish this I will have to
I didn't see a way of denying "All Principals" invoke permissions on process 101.
Now you need to differentiate between the 1st set of users (who invoke the 100 processes) and the 2nd set (for the newly created process).
Try the following:
1. Create two user groups
Group1 (all users except the 2nd set of users), i.e. the 1st set
Group2 (2nd set of users)
3. Remove All Principals from the PROCESS_INVOKE role assignment
4. Assign the PROCESS_INVOKE role to both groups for the 100 processes
5. For Group2, assign the PROCESS_INVOKE role on the 101st process
Will that work out?
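To check the proposed layout before applying it, here is an added example (not code from either post or from the product) that models the additive, allow-only role assignment the thread describes and confirms that only the limited set can invoke process 101 while nobody loses access to the original 100. User names, the `Group1`/`Group2` names and the `processN` identifiers are constructed for illustration.

```python
# Added example: a small model of additive (allow-only) role assignment, used
# to check the proposed group split. Names are constructed, not product ids.
ALL_PRINCIPALS = "All Principals"      # built-in group containing every user
PROCESSES_100 = [f"process{i}" for i in range(1, 101)]
NEW_PROCESS = "process101"

def can_invoke(user, process, groups, grants):
    """Additive check: allowed iff some group containing the user holds
    PROCESS_INVOKE on the process. There are no deny entries, so a broad
    grant can only be narrowed by removing it, never overridden."""
    return any((grp, process) in grants
               for grp, members in groups.items() if user in members)

def original_layout(users):
    """Before: All Principals holds PROCESS_INVOKE on every process, so the
    new process is open to everyone the moment it is added."""
    groups = {ALL_PRINCIPALS: set(users)}
    grants = {(ALL_PRINCIPALS, p) for p in PROCESSES_100 + [NEW_PROCESS]}
    return groups, grants

def proposed_layout(users, limited_set):
    """After: the All Principals grant is removed, Group1 = everyone except
    the limited set, Group2 = the limited set; both get the 100 processes,
    only Group2 gets process101."""
    limited = set(limited_set)
    groups = {ALL_PRINCIPALS: set(users),
              "Group1": set(users) - limited,
              "Group2": limited}
    grants = {(g, p) for g in ("Group1", "Group2") for p in PROCESSES_100}
    grants.add(("Group2", NEW_PROCESS))
    return groups, grants

def audit(users, limited_set):
    """Compare who can invoke process101 under each layout and confirm nobody
    lost access to the original 100 processes after the change."""
    old, new = original_layout(users), proposed_layout(users, limited_set)
    return {
        "old_can_invoke_101": sorted(u for u in users if can_invoke(u, NEW_PROCESS, *old)),
        "new_can_invoke_101": sorted(u for u in users if can_invoke(u, NEW_PROCESS, *new)),
        "lost_access_to_100": sorted(
            u for u in users
            if any(not can_invoke(u, p, *new) for p in PROCESSES_100)),
    }

if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]    # constructed sample users
    print(audit(users, limited_set=["carol"]))
    # -> old_can_invoke_101: all four, new_can_invoke_101: ['carol'],
    #    lost_access_to_100: []
```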