Authorization Service

Camunda allows users to authorize access to the data it manages. This makes it possible to configure which user can access which process instances, tasks, etc…

Authorization has a performance cost and introduces some complexity. It should only be used if required.

When is Authorization required?

Not every CIB seven setup needs to enable authorization. In many scenarios, CIB seven is embedded into an application and the application itself ensures that users can only access data they are authorized to access. Generally speaking, authorization is only required if untrusted parties interact with the process engine API directly. If you embed the process engine into a Java application, you usually do not need to enable authorization. The application can control how the API is accessed.

Situations in which authorization is required:

  • Camunda Rest API is made accessible to users who should not have full access, even after authentication.
  • Camunda Webapplication is made accessible to users who should not have full access, even after authentication.
  • Other situations in which an untrusted user can directly construct the queries and commands executed on the process engine.

Situations in which authorization is not required

  • An application completely controls the API methods invoked on the process engine.
  • Camunda Webapplication is made accessible to users who can have full access after authentication.

Example

Assume that you have the following authorization requirement: As a regular user, I can only see the tasks that are assigned to me.

If the engine is embedded into a Java application, the application can easily ensure this by restricting the task query on the assignee property. The application can guarantee this since the Camunda API is not directly exposed to the user.

By contrast, if the Camunda Rest API is directly exposed over the network to a Javascript application, then a malicious user, once authenticated, can send a request to the server querying all tasks, even the ones that are not assigned to this user. In this case, authorization needs to be turned on to ensure the user only sees the tasks which he is authorized to see, regardless of the query parameters.

Basic Principles

Authorizations

An Authorization assigns a set of Permissions to an identity to interact with a given Resource.

Examples

  • User ‘jonny’ is authorized to create new users
  • Group ‘marketing’ is not authorized to delete the Group ‘sales’
  • Group ‘marketing’ is not allowed to use the tasklist application.

Identities

CIB seven distinguishes between two types of identities: users and groups. Authorizations can either range over all users (userId = ANY), an individual user or a group of users.

Permissions

A Permission defines the way an identity is allowed to interact with a certain resource.

The basic permissions available in the engine are:

  • None
  • All
  • Read
  • Update
  • Create
  • Delete
  • Access

Note that the permission None does not mean no permissions are granted. Instead, it represents “no action”. Additionally, the All permission will vanish from a user if a single permission is revoked.

For detailed list of available permissions please check Permission by resource section.

A single authorization object may assign multiple permissions to a single user and resource:

authorization.addPermission(Permissions.READ);
authorization.addPermission(Permissions.UPDATE);
authorization.addPermission(Permissions.DELETE);

Resources

Resources are the entities the user interacts with.

The following resources are available:

Resource Name Integer representation Resource Id
Application (Cockpit, Tasklist, ...) 0 admin/cockpit/tasklist/*
Authorization 4 Authorization Id
Batch 13 Batch Id
Decision Definition 10 Decision Definition Key
Decision Requirements Definition 14 Decision Requirements Definition Key
Deployment 9 Deployment Id
Filter 5 Filter Id
Group 2 Group Id
Group Membership 3 Group Id
Process Definition 6 Process Definition Key
Process Instance 8 Process Instance Id
Task 7 Task Id
Historic Task 19 Historic Task Id
Historic Process Instance 20 Historic Process Instance Id
Tenant 11 Tenant Id
Tenant Membership 12 Tenant Id
User 1 User Id
Report 15 Report Id
Dashboard 16 Dashboard Id
User Operation Log Category 17 User Operation Log Entry Category
System 21 *
System resources do not support individual resource ids. You have to use them with a wildcard id (*).

Note: The Resource Id should be ‘*’ when you create new authorization with CREATE permissions only.

Authorization Type

There are three types of authorizations:

Authorization type Description Integer representation
Global Authorization (AUTH_TYPE_GLOBAL) Ranges over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource. 0
Grant Authorization (AUTH_TYPE_GRANT) Ranges over users and groups and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes. 1
Revoke Authorization (AUTH_TYPE_REVOKE) Ranges over users and groups and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group that the global authorization grants. 2

Performance of REVOKE Authorizations

See the Performance Considerations section on this Page.

Authorization Precedence

Authorizations may range over all users, an individual user or a group of users, or they may apply to an individual resource instance or all instances of the same type (resourceId = ANY). The precedence is as follows:

  • An authorization applying to an individual resource instance precedes over an authorization applying to all instances of the same resource type.
  • An authorization for an individual user precedes over an authorization for a group.
  • A Group authorization precedes over a GLOBAL authorization.
  • A Group GRANT authorization precedes over a Group REVOKE authorization.
  • A User GRANT authorization precedes over a User REVOKE authorization.

When are Authorizations checked?

Authorizations are checked if

  • the configuration option authorizationEnabled is set to true (default value is false).
  • there is a currently authenticated user.

The last item means that even if authorization is enabled, authorization checks are only performed if a user is currently authenticated. If no user is authenticated, then the engine does not perform any checks.

When using the Camunda Webapps, it is always ensured that a user is authenticated before the user can access any restricted resources. When embedding the process engine into a custom application, the application needs to take care of authentication if it needs authorization checks to be performed.

Authentication vs. Authorization

Authentication and Authorization are two distinct concepts as explained here.

Permissions by Resource

This section explains which permissions are available on which resources.

Read, Update, Create, Delete

The permissions Read, Update, Create, and Delete are available for most of the resources. The following table gives an overview for which resources they are available:

Read Update Create Delete
Authorization X X X X
Batch X X X X
Decision Definition X X
Decision Requirements Definition X
Deployment X X X
Filter X X X X
Group X X X X
Group Membership X X
Process Definition X X X
Process Instance X X X X
Task X X X X
Historic Task X
Historic Process Instance X
Tenant X X X X
Tenant Membership X X
User X X X X
User Operation Log Category X X X

To execute an operation asynchronously, only a Create permission on the Batch Resource is required. However, when executing the same operation synchronously, the specific permissions (e.g. Delete on Process Instance Resource) are checked.

For example, a user without the Update permission on the Process Instance Resource and granted Create permission on the Batch Resource can modify multiple process instances asynchronously by creating a batch. However, the user can’t execute this operation synchronously.

Additional Task Permissions

In addition to Update, Read, and Delete, the following permissions are available on the Task Resource:

  • Task Assign
  • Task Work
  • Update Variable

A user can perform different actions on a task, like assigning the task, claiming the task or completing the task. If a user has Update permissions on a task (or Update Task permissions on the corresponding process definition), the user is authorized to perform all these task actions. If finer grained authorizations are required, the permissions Task Work and Task Assign can be used. The intuition behind Task Work is that it only authorizes the user to work on a task (i.e., claim and complete it) but not assign it to another user or in another way “distribute work” to colleagues.

If a user has Update Variable permission on a task (or Update Task Variable permission on the corresponding process definition) the user is authorized to perform set/remove task variable actions.

The table below shows a detailed overview on which permissions authorize a user to perform which task actions:

Task Work Task Assign Update Variable Update
Claim X X
Complete X X
Add Candidate User X X
Delete Candidate User X X
Set Assignee X X
Set Owner X X
Add Candidate Group X X
Delete Candidate Group X X
Save X X
Set Priority X X
Set Name X X
Set Description X X
Set Due Date X X
Set Follow Up Date X X
Set Local Variable X X
Remove Local Variable X X

GRANT and REVOKE authorizations with Task Work, Task Assign, and Update Variable permissions precede over Update and Update Task.

Default Task Permissions

When a user is related to a task as an assignee, a candidate user, a part of a candidate group, or an owner, these users obtain the default permissions as either Task Work or Update, based on the process engine configuration property defaultUserPermissionNameForTask.

If the “defaultUserPermissionNameForTask” configuration option is not set, then by default Update permission is granted.

Additional Process Definition Permissions

In Addition to Update, Read and Delete, the following permissions are available on the Process Definition Resource:

  • Read Task
  • Update Task
  • Task Work
  • Task Assign
  • Create Instance
  • Read Instance
  • Update Instance
  • Retry Job
  • Suspend
  • Suspend Instance
  • Update Instance Variable
  • Update Task Variable
  • Migrate Instance
  • Delete Instance
  • Read History
  • Delete History
  • Update History

The Create Instance permission is required to start new process instances.

Start new process instance

To perform that action, the user also needs to have Create permission on the process instance resource.

GRANT and REVOKE authorizations with Retry Job, Suspend, Suspend Instance, Update Instance Variable, and Update Task Variable permissions precede over Update. Keep in mind that user who is allowed to perform variable updates could trigger other changes in the process by updating a variable. For example, successful evaluation of conditional event related to this variable.

Additional Process Instance Permissions

In addition to Create, Read, Update, and Delete, the following permissions are available on the Process Instance Resource:

  • Retry Job
  • Suspend
  • Update Variable

GRANT and REVOKE authorizations with Retry Job, Suspend, and Update Variable permissions precede over Update. Keep in mind that user who is allowed to perform variable updates could trigger other changes in the process by updating a variable. For example, successful evaluation of conditional event related to this variable.

Additional Decision Definition Permissions

In addition to Update, Read, and Delete, the following permissions are available on the Decision Definition Resource:

  • Create Instance
  • Read History
  • Delete History

The Create Instance permission is required to evaluate decisions with the decision service.

Additional Batch Permissions

In addition to Create, Update, Read, and Delete, the following permissions are available on the Batch Resource:

  • Read History
  • Delete History
  • Create Batch Migrate Process Instances
  • Create Batch Modify Process Instances
  • Create Batch Restart Process Instances
  • Create Batch Delete Running Process Instances
  • Create Batch Delete Finished Process Instances
  • Create Batch Delete Decision Instances
  • Create Batch Set Job Retries
  • Create Batch Set External Task Retries
  • Create Batch Update Process Instances Suspend
  • Create Batch Set Removal Time
  • Create Batch Set Variables
  • Create Batch Correlate Messages

GRANT and REVOKE authorizations with “Create Batch …” permissions precede over Create.

Default Read Variable Permissions

When the enforceSpecificVariablePermission process engine configuration is enabled, in order to read variables, the user needs to be granted the following permissions:

In case of Tasks

  • Read Variable (for process and standalone tasks)

In case of Historic Tasks

In case of Process Definitions

  • Read Instance Variable (for runtime process instance variables)
  • Read History Variable (for historic variables)
  • Read Task Variable (for runtime task variables)

Application Permissions

The resource “Application” uniquely supports the Access permission. The Access permission controls whether a user has access to a Camunda web application or not. Out of the box, it can be granted for the following applications (resource ids):

  • admin
  • cockpit
  • tasklist
  • optimize
  • * (Any / All)

User Operation Log Permissions

The resource “User Operation Log Category” controls whether a user can access user operation log entries from the specified categories. Out of the box, it can be granted for the following categories (resource ids):

  • TaskWorker
  • Admin
  • Operator
  • * (Any / All)

Historic Instance Permissions

The resources control whether a user can read the history related to a specific instance.

Compared to runtime permissions, historic permissions are not immediately removed when the related instance has been finished. The Removal-Time-based History Cleanup Strategy removes historic permissions at a later point.

You can enable the permissions with the help of a process engine configuration flag:

<property name="enableHistoricInstancePermissions">true</property>

The feature is disabled by default because of two reasons:

  1. When enabled, the SQL queries are more complex because additional authorization checks are performed. More complex queries may degrade the performance.
  2. When enabled and an Identity Link is added to a Task, the respective User or Group is authorized to read the associated history (e. g. for the Task, Variable, or Identity Link History). For CIB seven versions <= 7.12, the history is not readable in this case.

Historic Task Permissions

When permission is granted to a Historic Task, you can use the following queries to retrieve the entities related to the Historic Task:

  • Historic Task Instance Query
  • Historic Variable Instance Query
  • Historic Detail Query
  • Identity Link Log Query
  • User Operation Log Query

Historic Process Instance Permissions

When permission is granted to a Historic Process Instance, you can use the following queries to retrieve the entities related to the Historic Process Instance:

  • Historic Process Instance Query
  • Historic Activity Instance Query
  • Historic Task Instance Query
  • Historic Variable Instance Query
  • Historic Detail Query
  • Identity Link Log Query
  • Historic Incident Query
  • Job Log Query
  • External Task Log Query
  • User Operation Log Query

System permissions

Permissions for the system resource are usually granted to operations engineers who supervise processes and applications and ensure they run smoothly from a technical perspective. Typically, those people do not need full access to the system like an administrator does. They must be able to access and change system information, including system properties, metrics, database information, telemetry, and license key data. Administrators will not need to have system permissions because their role already grants them access to all features. See also the Administrators section.

The following table gives an overview of the features that the system permissions grant access to.

Read Set Delete
Configure Telemetry (Deprecated) X
Get Telemetry Data X
Get Telemetry Status (Deprecated) X
Get Database Table Count X
Get Database Table Name X
Get Database Table Meta Data X
Get History Level X
Get Property X
Set Property X
Delete Property X
Get License Key X
Set License Key X
Delete License Key X
Register Process Application X
Unregister Process Application X
Get Process Application for Deployment X
Register Deployment X
Unregister Deployment X
Get Registered Deployment X
Delete Metrics X
Delete Task Metrics X
Query Schema Log X

Administrators

CIB seven has no explicit concept of “administrator” beyond it being a user who has been granted all authorizations on all resources.

The “camunda-admin” Group

When downloading the CIB seven distribution, the invoice example application creates a group with id camunda-admin and grants all authorizations on all resources to this group.

In absense of the demo application, this task is performed by the Camunda Admin Web Application. If the Camunda webapplication is started for the first time and no user exists in the database, it asks you to perform the “initial setup”. In this process, the camunda-admin group is created and granted all permissions on all resources.

LDAP

The group “camunda-admin” is not created when using LDAP (since LDAP is only accessed in a read-only way). Also see the below section on the administrator authorization plugin.

The Administrator Authorization Plugin

The administrator authorization plugin is a process engine plugin with the following functionality: when the process engine is started, it grants administrative access to a configured group or user. Effectively this means that it grants all permissions on all resources to the configured group or user.

Usually this is used to bootstrap an LDAP installation: granting administrative access to an initial user who can then log in to Admin and configure additional authorizations using the UI.

The following is an example of how to configure the administrator authorization plugin in bpm-platform.xml / processes.xml:

<process-engine name="default">
  ...
  <plugins>
    <plugin>
      <class>org.cibseven.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
      <properties>
        <property name="administratorUserName">admin</property>
      </properties>
    </plugin>
  </plugins>
</process-engine>

The plugin will make sure that administrator authorizations (ALL permissions) are granted on all resources whenever the process engine is started.

It is not necessary to configure all LDAP users and groups which should have administrator authorization. It is usually enough to configure a single user and use that user to log into the webapplication and create additional authorizations using the User Interface.

Complete list of configuration properties:

Property Description
administratorUserName The name of the administrator user. If this name is set to a non-null and non-empty value, the plugin will create user-level Administrator authorizations on all built-in resources.
administratorGroupName The name of the administrator group. If this name is set to a non-null and non-empty value, the plugin will create group-level Administrator authorizations on all built-in resources.

Configuration Options

This section explains available process engine configuration options related to authorization.

Enable Authorization Checks

Authorization checks can be globally enabled or disabled using the configuration option authorizationEnabled. The default setting for this configuration option is false.

Enable Authorization Checks for User Code

The configuration option authorizationEnabledForCustomCode controls whether authorization checks are performed for commands executed by delegation code (i.e., a Java Delegate). The default setting for this configuration option is false.

Check Revoke Authorizations

The configuration option authorizationCheckRevokes controls whether authorization checks take into account authorizations of type Revoke.

Available values are:

  • always: Always enables check for revoke authorizations. This mode is equal to the < 7.5 behavior. NOTE: Checking revoke authorizations is very expensive for resources with a high potential cardinality like tasks or process instances and can render authorized access to the process engine effectively unusable on most databases. You are therefore strongly discouraged from using this mode.

  • never: Never checks for revoke authorizations. This mode has best performance and effectively disables the use of revoke authorizations. Note: It is strongly recommended to use this mode.

  • auto (default value): This mode only checks for revoke authorizations if at least one revoke authorization currently exits for the current user or one of the groups the user is a member of. To achieve this it is checked once per command whether potentially applicable revoke authorizations exist. Based on the outcome, the authorization check then uses revoke or not. NOTE: Checking revoke authorizations is very expensive for resources with a high potential cardinality like tasks or process instances and can render authorized access to the process engine effectively unusable on most databases.

Also see the Performance Considerations section on this page.

Java API example

An authorization is created between a user/group and a resource. It describes the user/group’s permissions to access that resource. An authorization may express different permissions, such as the permission to Read, Update, and Delete the resource. (See Authorization for details).

To grant the permission to access a certain resource, an authorization object is created. For example, to give access to a certain filter:

Authorization auth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);

// The authorization object can be configured either for a user or a group:
auth.setUserId("john");
//  -OR-
auth.setGroupId("management");

//and a resource:
auth.setResource("filter");
auth.setResourceId("2313");
// a resource can also be a process definition
auth.setResource(Resources.PROCESS_INSTANCE);
// the process defintion key is the resource id
auth.setResourceId("invoice");

// finally the permissions to access that resource can be assigned:
auth.addPermission(Permissions.READ);
// more than one permission can be granted
auth.addPermission(Permissions.CREATE);

// and the authorization object is saved:
authorizationService.saveAuthorization(auth);

As a result, the given user or group will have permission to Read the referenced filter.

Another possible example would be to restrict the group of persons who are allowed to start a specific process:

//we need to authorizations, one to access the process definition and another one to create process instances
Authorization authProcessDefinition = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
Authorization authProcessInstance = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);

authProcessDefinition.setUserId("johnny");
authProcessInstance.setUserId("johnny");

authProcessDefinition.setResource(Resources.PROCESS_DEFINITION);
authProcessInstance.setResource(Resources.PROCESS_INSTANCE);
//the resource id for a process definition is the process definition key
authProcessDefinition.setResourceId("invoice");
//asterisk to allow the start of a process instance
authProcessInstance.setResourceId("*")
// allow the user to create instances of this process definition
authProcessDefinition.addPermission(Permissions.CREATE_INSTANCE);
// and to create processes
authProcessInstance.addPermission(Permissions.CREATE);

authorizationService.saveAuthorization(authProcessDefinition);
authorizationService.saveAuthorization(authProcessInstance);

Camunda Admin Webapp

The Camunda Admin Webapplication provides an out of the box UI for configuring Authorizations.

Performance Considerations

Authorizations are calculated by the database which is most efficient. Example: when performing a task query, the database query only returns the tasks for which the user has a READ authorization.

Performance of Checking Grant Authorizations

When only Grant authorizations are used, the check is very efficient since the authorization table can be joined with the resource table (task table, process instance table, etc…).

Performance of Checking Revoke Authorizations

Revoke authorizations are expensive to check. The check needs to consider the precedence of authorizations. Example: a user level Grant is stronger than a group level Revoke. A sequence of nested SQL CASE statements and a subselect is used to account for the precedence. This has two downsides:

  • The check scales linearly with the cardinality of the resource table (doubling the number of tasks makes the query twice as slow)
  • The particular construct based on CASE statements performs extremely poorly on the following databases: PostgreSQL, DB2

On these databases, revoke authorizations are effectively unusable.

Also see the Configuration Options section on this page.

On this Page: