Camunda: Authorizations by Group via REST

Camunda allows users to authorize access to certain Tasks and BPMN flows. An Authorization assigns a set of Permissions to a Group of users to interact with a given BPMN.

Daniel Xav De Oliveira
Dec 6, 2021

Introduction

In this blog I will document the different permissions I set as part of a project involving Insurance users, with different levels of access.

I set my permissions using REST APIs. Here is a great link that details all the endpoints.

Application Authorization

First, we need to give users the access rights to view Tasklist within Camunda.

POST the following payload:

{
"type": 1,
"permissions": [
"ACCESS"
],
"userId": null,
"groupId": "adjuster",
"resourceType": 0,
"resourceId": "tasklist"
}

Endpoint: http://localhost:8181/engine-rest/authorization/create

Create Groups

To create a group, POST the following payload:

{
"id": "adjuster",
"name": "Desk Adjuster",
"type": "WORKFLOW"
}

Endpoint: http://localhost:8181/engine-rest/group/create

Assign User to Group

PUT the user's ID as a path parameter, along with the unique group ID used above.

Endpoint: http://localhost:8181/engine-rest/group/{id}/members/{userId}

Process Instance Authorization (Interact with BPMN)

Here the goal is to specify which resource the user may interact with. This is done by specifying the resourceType:

{
"type": 1,
"permissions": [
"READ",
"UPDATE",
"CREATE",
"UPDATE_VARIABLE"
],
"userId": null,
"groupId": "adjuster",
"resourceType": 8,
"resourceId": "*"
}

To give users in the group adjuster the rights to interact with BPMN process instances, POST the above payload.

Process Definition

This permission refers to giving users access to a particular BPMN flow. A common use case would be to restrict a User Task to certain users.

Unfortunately, this cannot be done at the activity level. Instead, it is done by isolating the User Task activity in its own BPMN flow. The unique ID of this BPMN flow is then used.

To assign group permissions to a BPMN flow, POST the following payload:

{
"type": 1,
"permissions": [
"READ",
"UPDATE",
"READ_TASK",
"UPDATE_TASK",
"CREATE_INSTANCE",
"READ_INSTANCE",
"UPDATE_INSTANCE",
"READ_HISTORY",
"TASK_WORK",
"TASK_ASSIGN",
"SUSPEND",
"UPDATE_INSTANCE_VARIABLE",
"UPDATE_TASK_VARIABLE",
"READ_INSTANCE_VARIABLE",
"READ_HISTORY_VARIABLE",
"READ_TASK_VARIABLE"
],
"userId": null,
"groupId": "adjuster",
"resourceType": 6,
"resourceId": "BPMN_ID"
}

Once the above is completed, it is necessary to make sure that the Camunda filters are set so that the user can view the User Tasks.

Under criteria you should state the BPMN IDs used in the process definition authorization.
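
The REST calls from the sections above collected into one script, as an added example that is not part of the original post. It builds the five requests with the page's payloads, flags any grant whose resourceId is "*" (which applies to every resource of that type) for least-privilege review, and only sends them when run with --send. Assumptions: the user ID demo and the BPMN ID claim-review are constructed values, the group is created before the grants as a choice of this example, and the membership call is taken to sit under the same /engine-rest base as the other endpoints.

```python
import json
import sys
import urllib.request
from urllib.parse import quote

BASE = "http://localhost:8181/engine-rest"   # base URL used on this page
GRANT = 1                                    # "type": 1 in the page's payloads
APPLICATION, PROCESS_DEFINITION, PROCESS_INSTANCE = 0, 6, 8  # resourceType values from the page
DEFINITION_PERMS = ["READ", "UPDATE", "READ_TASK", "UPDATE_TASK", "CREATE_INSTANCE",
                    "READ_INSTANCE", "UPDATE_INSTANCE", "READ_HISTORY", "TASK_WORK",
                    "TASK_ASSIGN", "SUSPEND", "UPDATE_INSTANCE_VARIABLE", "UPDATE_TASK_VARIABLE",
                    "READ_INSTANCE_VARIABLE", "READ_HISTORY_VARIABLE", "READ_TASK_VARIABLE"]

def grant(group_id, resource_type, resource_id, permissions):
    """Build one group authorization body in the shape shown on the page."""
    return {"type": GRANT, "permissions": list(permissions), "userId": None,
            "groupId": group_id, "resourceType": resource_type, "resourceId": resource_id}

def build_plan(group_id, group_name, user_id, bpmn_id):
    """Return (method, url, body) tuples: group, membership, then the three grants."""
    create = f"{BASE}/authorization/create"
    member = f"{BASE}/group/{quote(group_id, safe='')}/members/{quote(user_id, safe='')}"
    return [
        ("POST", f"{BASE}/group/create", {"id": group_id, "name": group_name, "type": "WORKFLOW"}),
        ("PUT", member, None),  # membership call carries no request body
        ("POST", create, grant(group_id, APPLICATION, "tasklist", ["ACCESS"])),
        ("POST", create, grant(group_id, PROCESS_INSTANCE, "*",
                               ["READ", "UPDATE", "CREATE", "UPDATE_VARIABLE"])),
        ("POST", create, grant(group_id, PROCESS_DEFINITION, bpmn_id, DEFINITION_PERMS)),
    ]

def wildcard_grants(plan):
    """Return grant bodies whose resourceId is "*", i.e. every resource of that type."""
    return [b for _, url, b in plan if url.endswith("/authorization/create") and b["resourceId"] == "*"]

def send(method, url, body):
    """Send one request and return the HTTP status (needs a reachable engine)."""
    data = None if body is None else json.dumps(body).encode()
    headers = {"Content-Type": "application/json"} if data else {}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # "demo" and "claim-review" are constructed sample values, not from the page.
    plan = build_plan("adjuster", "Desk Adjuster", "demo", "claim-review")
    for body in wildcard_grants(plan):
        print("review wildcard grant:", body["resourceType"], body["permissions"])
    for method, url, body in plan:
        print(method, url, send(method, url, body) if "--send" in sys.argv else "(dry run)")
```
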

Thank you for reading! Feel free to make any other suggestions or recommendations for future challenges. Leave a few claps if it helped!
