Thanks for reply @yana.vasileva, can restrict/deny assignation for user wich not included in that group in this way?
Because I tried to set allowed group at bpmn level but task is still assignable for all kind of user 
Thanks a lot
1 Like
Hi Antonio,
What do you mean by assign user on bpmn level?
We have new option to set candidateGroup when you develop the process in the Modeler.
https://blog.camunda.com/post/2018/04/camunda-modeler-1130-released/
Best regards,
Yana
Thanks for reply @yana.vasileva I tried to set candidate group on bpmn as shown below:
But each User can still claim and complete task
2 Likes
Do you need restriction on task? Or it will work for you restriction on process level also?
Yes the goal is to allow task assignation and completition only to user incuded to a specified Group
2 Likes
Hi Antonio,
It is not possible to restrict task assignation. (docs)
However, you can create filters for task and those filters could be restricted to specific users or groups.
This means if you have group A.
Create filter which contains task with candidate group A.
Enable this filter only for users of group A.
Hope that helps.
Best regards,
Yana
1 Like
Thanks for reply @yana.vasileva
Filter solution is for only tasklist, I need to prevent unhautorized task assingment as global rule.
Are there any other options?
Or else I can consider to implement a TaskListener?
I don’t think so.
Correct.
Hi @yana.vasileva,
Can be a solution configuring authorization restricting a Task Definition Key to a single Group?
For Example: “UserTask1 -> Group1”
Can we even do that?
Hi @antonior…
Only group members should have access to the task unless you have explicitly assigned permissions to others to access it.
You can review the permissions assigned from the admin application.
May you send your granted permissions for the process definition and process instance resources, please?
thanks for reply @hassang I will do a trial!
Is also possible to deny task claim by expressions?
For example, deny task claim to the ‘starter’ user or to a specific one?
Thanks in advance
Hi @antonior
You could revoke authorizations for initiator using TaskListener
<userTask id="myTask" name="My Task" >
<extensionElements>
<camunda:taskListener event="assignment" class="org.camunda.bpm.TestTaskListener" />
</extensionElements>
</userTask>
Below the implementation of the TaskListener
package org.camunda.bpm;
import java.util.logging.Logger;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.delegate.TaskListener;
public class TestTaskListener implements TaskListener {
private static final Logger log = Logger.getLogger(TestTaskListener.class.getName());
@Override
public void notify(DelegateTask delegateTask) {
// TODO Auto-generated method stub
String initiator = delegateTask.getExecution().getProcessInstance().getVariable("initiator").toString();
log.info("initiator: " + initiator);
AuthorizationService authorizationService = delegateTask.getProcessEngineServices().getAuthorizationService();
Authorization authorization = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_REVOKE);
Permission[] permissions = new Permission[1];
permissions[0] = Permissions.ALL;
authorization.setUserId(initiator);
authorization.setResource(Resources.TASK);
authorization.setResourceId(delegateTask.getId());
authorization.setPermissions(permissions);
authorizationService.saveAuthorization(authorization);
}
}
2 Likes
Hi @hassang
Is it possible to make TaskListener get valid authorization on a specific task only for his Candidate Groups?
I mean that if a specific user of group “A” tries to claim a task which has as Candidate Groups “B”, “C” and “D” but not “A” , is the task listener able to block that claim? How can it be implemented?
Is it also possible to avoid TaskAlreadyClaimedException?
Hello @hassang,
Thank you for this solution, I’ve used it but unfortunately it didn’t work for my case .
My task could be claimed by other users that not belong to my candidateGroup.
My task user - bpmn process.
<bpmn:userTask id=“Activity_1fpnoak” name=“task” camunda:candidateGroups=“group”>
bpmn:extensionElements
<camunda:taskListener class=“org.camunda.bpm.TestTaskListener” event=“assignment” />
</bpmn:extensionElements>
bpmn:incomingFlow_0y73yn6</bpmn:incoming>
bpmn:outgoingFlow_0bs8oji</bpmn:outgoing>
</bpmn:userTask>
And I’ve added to your TaskListener class this instruction toset authorization to my candidateGroup only. authorization.setGroupId("groupId");
Any help, thank you
Hi @HEss,
Setting camunda:candidateGroups to specific group(s) should do the job.
If others still can claim the task then either authorization is disabled or others have been granted the permission(s) to claim the task.
Please make sure that authorization is enabled & review “Task Authorizations” page in the admin app.
https://docs.camunda.org/manual/latest/user-guide/process-engine/authorization-service/#when-are-authorizations-checked
1 Like
Thank you for your reply @hassang,
Correct me if I’m wrong, to enable authorization I’ve added to my configuration.
camunda:
bpm:
authorization:
enabled: true
But I keep getting the same thing, claiming tasks by other users even they aren’t in the group.
Regarding other users have been granted permissions, i don’t think so, only 2 users I have in the group.
Thank you very much
Hi @HEss,
I am not experienced in springboot but seems correct configuration as per the docs.
As per the docs, rebuild and rerun the application again. Don’t forget to call mvn clean before calling mvn install again
1 Like
This doesn’t seem to be working for me. Here’s what I did:
- Assigned group “finance” to a task’s “candidate groups”.
- Create filter called Finance with criteria “Candidate Group*” = finance
- and with permission group = finance
After doing this, if I am logged into as a member of something other than the finance group, I expected that I wouldn’t see the the Finance filter. However, I do see the filter and can claim displayed tasks.
What am I doing wrong?
Dear Charles,
I am also met with the same scenario but not working me as well. Is this problem resolved now, if yes, please share the details.