Authorization problem with LDAP: User can't see running processes and incidents


#1

Hello,

I have a problem with the Authorization management; it doesn’t behave as expected:

We have one Camunda Engine (Community Ed., 7.9) running which is connected to our LDAP system.
We use the “Single-engine multi-tenancy” approach with over 700+ tenants.
Via the Authorization plugin there’s an Admin group configured (called camunda-admin).
When I log in as a member of the camunda-admin group everything is fine! I can see all process instances, can start processes and so on.

But, now I want to add another group called camunda-viewer.
Members of this group may only use the cockpit.
Within the cockpit they may see all running processes and incidents, but must not change anything.

I gave an access right for the cockpit for this group and read-access to process instances, process definitions and tasks.

Now, when a user of this group logs in, he/she can only see the cockpit. So far, so good.
BUT the user cannot see any running processes and incidents. The user sees the cockpit with 0 running processes and 0 incidents, which makes the cockpit useless.

Even if I give this group the permission to start processes: when a user starts a process the user won’t see the running process in the cockpit (but a user of the admin-group does).

Does anybody have an idea what the problem is?


#2

+++ SOLUTION +++

Finally we have found a solution:

We set the tenantCheckEnabled property in the Process Engine Configuration to false:
<property name="tenantCheckEnabled">false</property> in bpm-platform.xml

Now, all authorized users can see data of all tenants in the Camunda web application (Cockpit).
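
An added example, not part of the original posts and not Camunda's code: a simplified Python model of how the engine's authorization check and tenant check combine, showing why camunda-viewer saw 0 instances while camunda-admin saw everything, and what setting tenantCheckEnabled to false changes. The model assumes that admin-group members bypass the tenant check and that instances without a tenant are visible to every authorized user; the users, the tenant1-staff group, the tenant ids and the instance ids are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ADMIN_GROUP = "camunda-admin"
# Constructed grants: groups that hold READ on process instances.
READ_GRANTS = {"camunda-admin", "camunda-viewer", "tenant1-staff"}


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    tenants: FrozenSet[str]  # tenant memberships supplied by the identity provider


@dataclass(frozen=True)
class Instance:
    id: str
    tenant: Optional[str]  # None = belongs to no tenant


def visible_instances(user: User, instances: List[Instance],
                      tenant_check_enabled: bool = True) -> List[str]:
    """Return the ids of the instances a query would show to this user."""
    # Gate 1: authorization. Without a READ grant nothing is returned.
    if not (user.groups & READ_GRANTS):
        return []
    # Gate 2: tenant check. Skipped when disabled or for the admin group.
    if not tenant_check_enabled or ADMIN_GROUP in user.groups:
        return [i.id for i in instances]
    # Otherwise only the user's own tenants plus tenant-less data remain.
    return [i.id for i in instances
            if i.tenant is None or i.tenant in user.tenants]


# Constructed sample data: every instance belongs to some tenant.
INSTANCES = [Instance("pi-1", "tenant1"), Instance("pi-2", "tenant2"),
             Instance("pi-3", "tenant3")]
ADMIN = User("alice", frozenset({"camunda-admin"}), frozenset())
VIEWER = User("bob", frozenset({"camunda-viewer"}), frozenset())
SCOPED = User("carol", frozenset({"tenant1-staff"}), frozenset({"tenant1"}))

if __name__ == "__main__":
    for u in (ADMIN, VIEWER, SCOPED):
        for enabled in (True, False):
            print(u.name, "tenantCheckEnabled =", enabled, "->",
                  visible_instances(u, INSTANCES, enabled))
```

With the tenant check off, the authorization grants are the only thing separating tenants, so every group that holds READ sees the data of all tenants, as the tenant1-staff case shows.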