Candidate users in a Task

Hello
How does camunda:candidateUsers attribute influence the Task assignment?
I set an user in this attribute, but the task is not automatically assigned to him.
Also another user (who is not a “candidate”) can claim the task

Is there some functionality in the engine implemented about this attribute or its purpose is to be used in the custom filters, which the user can create?
(and I have similar question about candidateGroups attribute)

Thanks in advance

I am still interested in the answer of this question :smiley:

Hi @jaxx,

candidateUsers attribute marks assigned users as candidates who can claim the task.

If users who are not assigned as candidates can claim the task then it most probably happens because authorization is set as disabled so please enable it then try again.

https://docs.camunda.org/manual/7.15/user-guide/process-engine/authorization-service/#when-are-authorizations-checked

Hi @hassang
Authorizations are enabled for the server:

If I try to send a REST request without authorization, I receive 401

The candidate user for my task is user1:

I am logged in TaskList using user2.
I start the process using user2.
The task is not assigned to the candidate user1.
user2 can see the task in the list with all tasks and can claim it:

Is there something, which I am doing wrong?

Thanks in advance

Hi @jaxx,

Please open admin app, open task authorizations page and check what authorizations are listed there.

https://docs.camunda.org/manual/7.15/user-guide/process-engine/authorization-service/#additional-task-permissions

If a user has “Update” permission on a task (or “Update Task” permission on the corresponding process definition) then the user is authorized to perform all these task actions

Can you please send a screenshot of the page…

Here is the screenshot from Admin / Authorizations/ Task:

this authorization for user1 is added automatically (probably because he is candidate user)
however user2 does not have any authorizations in the Task section
(he is not part of camunda-admin group)

Hi @jaxx,

Exactly this authorization got created automatically as user1 is set as candidate.

Can you please share a screenshot of the process definition authorizations page.

user2 has full authorizations here
(he is part of bousers group)

Hi @jaxx,

Then this is the reason why user2 can claim the task.

If a user has “Update” permission on a task (or “Update Task” permission on the corresponding process definition) then the user is authorized to perform all these task actions

Thank you @hassang
When I unticked the Task permissions at Process definition level, the management through the candidateUsers attribute started to work as expected.

1 Like