Authorization for User Task in Camunda REST API

I am using Camunda as an embedded service with Spring boot.
Just want to confirm my understanding of Authorization for Camunda REST API.

  • First thing I realized is that enabling authentication will not enable Authorization in the REST API; we have to enable Authorization in application.yml using the camunda.bpm.authorization.enabled property.

  • If a User Task is assigned to some user, then that task can be completed by that user only by logging into the Tasklist (here assuming the task is not reassigned or claimed by another user). But for completing the task the assigned user should have permission to complete the assigned task. And that can be done by providing required access to the user OR adding the user to a Group which contains the required access permissions. I guess creating different Groups as per requirement and assigning a user to a Group is preferred to assigning permissions to an individual user.

  • But from the REST API I realized that it is not necessary to use the login/password of the assigned user (here consider that Basic Auth is enabled and authorization is also enabled), which feels different from the Web apps usage. From the REST API it is only required to use a user which has permission to complete the task, even if the task is not assigned to that user. It happens because ultimately Authorization means having some permissions in the Camunda engine, and once you have the required permission you can access it using the REST API.

  • I am trying to use Spring Security for the REST APIs in place of Basic Auth, so I guess I can have a filter and set a Group (an existing Group in the Camunda DB) with the required access permission for the user, so that when the request reaches the Camunda engine it will have the access as per Camunda Authorization.

Please confirm if my above understanding is correct. Point out if there is any mistake.
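The filter idea in the last point, as an added illustration that is not the poster's code and not Camunda's own `ProcessEngineAuthenticationFilter`: a hypothetical Spring `OncePerRequestFilter` that copies the Spring Security principal into the engine through the real `IdentityService.setAuthentication(userId, groupIds)` call, with the user's groups resolved from Camunda's identity tables rather than taken from the client. It assumes Camunda 7 on Spring Boot 2 (`javax.servlet`) and that `camunda.bpm.authorization.enabled: true` is set.

```java
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.identity.Group;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not Camunda's or the poster's code): binds the Spring
// Security principal to the Camunda engine for one request so that the
// engine's authorization checks run against that user and their groups.
@Component
public class CamundaAuthenticationBridgeFilter extends OncePerRequestFilter {
    private final IdentityService identityService;

    public CamundaAuthenticationBridgeFilter(IdentityService identityService) {
        this.identityService = identityService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // The engine only performs authorization checks when an authenticated
            // user id is set; an unauthenticated caller must be stopped here.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String userId = auth.getName();
        // Groups come from Camunda's own identity tables, not from anything the
        // client sent; these are what the engine's permission checks evaluate.
        List<String> groupIds = identityService.createGroupQuery()
                .groupMember(userId).list().stream()
                .map(Group::getId).collect(Collectors.toList());
        try {
            identityService.setAuthentication(userId, groupIds);
            chain.doFilter(request, response);
        } finally {
            // The servlet thread is pooled: always clear the thread-bound identity.
            identityService.clearAuthentication();
        }
    }
}
```

Register this filter after Spring Security's authentication filters so `SecurityContextHolder` is already populated when it runs, and keep Camunda's Basic Auth filter disabled so the two do not compete for the same requests.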