Authorizations to re-assign a task and the burden of maintaining them


#1

This is related to a previous topic of mine,
https://forum.camunda.org/t/how-to-grant-a-user-the-rights-to-create-new-users-in-admin/13991/4?u=eugene
however I thought it would be prudent to start a new topic as it’s not entirely a continuation of that topic.

In Admin, I have a manager as a member of DepartmentManager and many clerks as members of DepartmentClerk. I’m trying to figure out which authorizations are required to allow the manager to re-assign a task to a specific clerk. As far as I could uncover, the DepartmentManager needs a User authorization of READ permissions on the clerks. So I’m left with two options :

  1. a single READ * This has the downside of the manager having full view of all the users in the entire database, not only the department. As per the above response from @martin.stamm it’s not possible to grant a department manager view of only those users in her/his department.

  2. multiple READ clerkID This is precisely what I want, however it’s an administrative nightmare, especially in view of my previous topic.

I even looked at making the manager a superfluous member of DepartmentClerk, but this did not alleviate the problem. Surely this use-case must’ve been encountered before? How did you solve it?

Any thoughts on approaching it from a different angle would be much appreciated.


#2

Hi @eugene,

what about using TaskAssign and TaskWork permissions: https://docs.camunda.org/manual/7.11/user-guide/process-engine/authorization-service/#additional-task-permissions

Hope this helps, Ingo


#3

Thanks so much @Ingo_Richtsmeier

I’ve re-read the docs regarding authorizations and cannot see any reference to authorizations on Users, as may be required to re-assign a task to another user. The DepartmentManager has the required authorizations on the Task, but it appears the manager also requires authorizations on Users in order to re-assign.

As per the comments by @martin.stamm in my previous topic, you cannot limit the manager to only users within the DepartmentClerk group. I hope I’m wrong, but if this is so, then the only way forward is to grant the manager READ authorizations on each and every clerk. The maintenance on these authorizations is simply not worth the effort.

I really hope you can propose a different perspective on solving this use-case :sweat_smile:


#4

Hi @eugene,

I just remembered the feature request behind the seperation into task workers and task managers:

The customer requested that task workers are only able to complete the task and are not able to reassign tasks to other users. Only task managers should assign tasks.

I’ve no experience if you can limit this to departments.

An idea could be to limit the user ids by preparing drop down lists in a custom user interface. You will get the employees of the manager from the LDAP directory and put them into a selection. I havn’t any details how to implement this, but maybe it’s worth to explore?

Hope this helps, Ingo


#5

Thanks @Ingo_Richtsmeier

I think your proposal is probably the best for now. Such custom UI for user management can either be in the form of a BPMN process or an Admin plugin. The BPMN process is probably the easier option.

In my mind, camunda probably needs some way of defining User authorizations at a Group level. Put differently, define a Group authorization which then applies to all members of that group, eg define a READ authorization on all members of the DepartmentClerk group.

I’ve never placed a feature request, but trust that the above is the essence of it.

Thanks for all your consideration.