Reputation: 4778
I am using an external LDAP service to define Camunda Groups, Users and User Group memberships. I can see the Groups and Users from LDAP in the Admin UI very well. I can also use Authorisations, for example to provide or revoke read access to my deployment.
But no matter what I do, any application user can see the complete list of the currently running [CMMN] tasks in the /tasks REST endpoint.
I am taking an LDAP user that is a member of 2 groups. Neither the user, nor any of his groups have any Authorizations set up in Camunda, except for ACCESS to an application (I restrict to 'cockpit' only). Still, when I log in with that user, GET /tasks lists the complete list of all currently running tasks.
My test user cannot see any data in /process-instance (even though there are some running), but at the same moment it can see all process instance variables via /variable-instance. What's the purpose of restricting /process-instance without restricting /variable-instance?
What am I missing here? Can access to the /tasks and /variable-instance be restricted?
Can the reason be that the User Tasks that I try to restrict access to had been generated by a CMMN process?
Update
Yes, my unprivileged user can see all CMMN tasks but no BPMN tasks. So the authorization is working but it doesn't cover CMMN :(
Upvotes: 1
Views: 744
Reputation: 4778
According to this (Closed) feature request:
https://app.camunda.com/jira/browse/CAM-5875
The CMMN is a 100% Enterprise version feature available since version 7.6 (I am on 7.7).
According to this (Open) feature request:
https://app.camunda.com/jira/browse/CAM-6754
The CMMN Tasks are not yet covered by the authorisation even in the enterprise version.
:(
Upvotes: 1