Authorization and assignment by workgroups in userTask

Hi,

I hope someone can help me soon.

In my process, I have several userTasks, and each userTask is assigned to a workgroup. I created three groups (com, pmo, fyc) and assigned a single user to each group for testing.

What I did was:
In Camunda Admin, I created the users and assigned them to the group they should belong to, created the authorizations for the workgroups (permissions “ALL”, resourceID “tasklist”), and created filters for the groups (permissions “READ”, resourceID “*”).

created users:

groups created:

assign users to groups:



create authorizations for created groups:

create filters for groups:

I start my process. With the user “juan”, who belongs to the group “com”, I claim the task, and so far it is fine.

However, if I log in with the user “lenin”, who belongs to the group “pmo”, this user can remove the user “juan”, who belongs to the group “com”, and claim the task. This is wrong, because the user “lenin” does not belong to the group “com” and yet can claim the task and manipulate any data, which this user must not be able to do.

In summary, what I want to achieve is:

* Create users (Done).
* Create groups (Done).
* Assign users to group (Done).
* Create filters by groups (Done).
* Create group authorizations (Done).
* Claim the task if the user is assigned to group A. If the task was already claimed, the user should no longer be allowed to claim it or reset it in order to claim it again (I don’t know how to do it).
* It should not be allowed that another user who is not assigned to group A can perform or claim the tasks (I do not know how to do it).

Please, if anyone knows how to authorize or block tasks by groups, I would greatly appreciate your help.

Any help or guidance is very valuable to me because I don’t know what else I need to add.

Hi @MarioH,

Have you created any task authorizations? If yes, could you specify please.

A user who doesn’t belong to the group to which the task gets assigned shouldn’t have the right to claim the task unless he has been granted the required permission to do so.

Hi, @hassang

Thanks for answering me.

No, I understand very well what you mean by this:

Have you created any task authorizations? If yes, could you specify please.

Really, what I show in the images is everything I have done. In Camunda Admin, I created the authorizations for the groups, but I don’t know if that’s what you mean.

Hi @MarioH,

Have you tried to remove the user Juan while signed in as Lenin, or did you only assume that it is possible as long as the remove icon is available?

If you have tried, then the normal behavior is to get an exception.

Hi @MarioH,

Have you checked whether Authorization for the engine is enabled or not?

Authorization is enabled by default in the Camunda distributions, but if you configure and run your own engine (e.g. via Spring), it is disabled by default.
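The difference the last two replies point at, as an added example that is not code from this thread or from the Camunda project: the same unclaim attempt by “lenin” (group “pmo”) on a task claimed by “juan” (group “com”) is run once with authorization checks off and once with them on. It assumes camunda-engine 7.x and H2 on the classpath and uses a standalone task instead of a process userTask; the class name, method name and JDBC URL are made up for the illustration.

```java
import java.util.Arrays;
import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.task.Task;

public class GroupTaskAuthorizationCheck {

  /** Returns true if the engine refuses to let "lenin" (group pmo) unclaim juan's task. */
  static boolean foreignGroupIsBlocked(boolean authorizationEnabled) {
    ProcessEngineConfiguration cfg =
        ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
    cfg.setJdbcUrl("jdbc:h2:mem:authz-demo-" + authorizationEnabled); // constructed URL
    cfg.setAuthorizationEnabled(authorizationEnabled); // stays off on a self-configured engine unless set
    ProcessEngine engine = cfg.buildProcessEngine();
    TaskService tasks = engine.getTaskService();
    IdentityService identity = engine.getIdentityService();
    try {
      // Set-up runs with no authenticated user, so no permission checks apply yet.
      Task task = tasks.newTask();
      task.setName("constructed sample task");
      tasks.saveTask(task);
      // With authorization enabled, the candidate group gets a task permission automatically.
      tasks.addCandidateGroup(task.getId(), "com");

      // juan is in the candidate group and claims the task.
      identity.setAuthentication("juan", Arrays.asList("com"));
      tasks.claim(task.getId(), "juan");

      // lenin is only in "pmo" and tries to clear the assignee (an unclaim).
      identity.setAuthentication("lenin", Arrays.asList("pmo"));
      try {
        tasks.setAssignee(task.getId(), null);
        return false; // the engine accepted the change
      } catch (AuthorizationException e) {
        return true;  // the engine rejected it
      }
    } finally {
      identity.clearAuthentication();
      engine.close();
    }
  }

  public static void main(String[] args) {
    System.out.println("authorization disabled -> blocked: " + foreignGroupIsBlocked(false));
    System.out.println("authorization enabled  -> blocked: " + foreignGroupIsBlocked(true));
  }
}
```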