Completed tasks / follow my process instance in the Camunda tasklist

Hello, all.

I am wondering how do you guys follow the process instance that has been started.
Consider the following case:
– I login to Camunda Tasklist.
– I start the process (an embedded form is attached to the start event).
– Afterwards I want to see where is my process instance, and who is working on this instance.

Is there a way to see the tasks of the process instances that I’ve started? (I cannot work on them, because they are assigned to other users).

Best,
Oleks

1 Like

You can log into Cockpit and look up the Process and it will show you the details of the instance.

Hello Stephen.

Thanks for a quick reply.

How do I know the process to look up for? (and how do I look up the process in general?)
Assume I have a processInstanceId.

Best,
Oleks

What is Unique about your process instances? are you using a business key or have a process variable that is equivalent to a UID?

I have a randomly generated application id for each process instance. This application id is stored in JSON object that is application.id.

Best,
Oleks

In the cockpit in Processes you can open the specific process and use the filter tab to filter based on a start date, process variable or business key.

So you just need something that is at least semi-unique.

Well, I am wondering if all users should access the Cockpit (it contains some information that shouldn’t be relevant for everybody: like deployments, number of deployed processes etc).

Is there a way to create such a filter in the Tasklist? Or is it a Camunda way to go to the Cockpit?

Thank u.

What is your use case? What is it that you want users to look up?

Thanks for the patience.

I want a user to be able to perform the following actions:

  • login to the Tasklist application (and don’t have access to other parts of camunda)
  • start a process (in my simple example this is a vacation application process; in the start of the process I know all the assignees for all the tasks in the process)
  • see that the process is started (in my case I’ve solved this with an email containing the application id; application id is unique)
  • login to the Tasklist application after some time and be able to track the state of this process he has started (by tracking I mean: find the task(s) that are active in the process and who is responsible for completing them)

As of now, I don’t know how a normal user can track the status of his application. Don’t take me wrong, I’m studying Camunda to see if it can cover my request. I assume that you might see the way users communicate with the Tasklist in a different way. Therefore, I am asking about the possibility, or your vision how to accomplish my task.

Best,
Oleks

Okay so the Tasklist is not really meant for looking up what has been done.

Best is to use the Cmaunda Authorization system + Cockpit.

Create two authorizations:

  1. Application:

And
2. Process Instance:

The Resource Id is the ID of your Process Definition.

Then when a user wants to check not eh status of processes, they can log into Cockpit and they will only be able to READ the instances of the process you gave them access to.

Setup the Authorizations in the Admin App under Authorizations tab

1 Like

Hi oleks.maistrenko,

If using cockpit is not proper in your use case & you need more specific/customized tracker page to be part of tasklist then you can build your own custom plugin to be part of the tasklist web application.

Tasklist uses the concept of plugins to add own functionality without having to extend or hack the Tasklist web application

https://docs.camunda.org/manual/latest/webapps/tasklist/tasklist-plugins/

1 Like

Did you try the Authorizations? Note that i believe you will need “enterprise” to view the completed processes in cockpit.

I have the same problem. If you setup the user to see cockpit he can see all the process instances and not only the ones he has started. He should see only his processes

Hi @Kostas_Karkaletsis,

So did you try to setup authorizations? More info here

Best regards,
Yana

Yes, but I think in authorizations you can’t filter to see only the processes the user has started

@Kostas_Karkaletsis whats the scale?

Something that comes to mind is you could have two scripts in your process: Generate Auth and Revoke Auth.

Basically when the process starts your generate a Read Auth for the process instance against that specific user, and when the process reaches the end you Remove that authorization. You could do this through the Java API in a script (or through java delegate) with listeners, etc.

Ya you can do it with Permissions/Auth.

Writing up a example…

Okay even better! @camunda set it up so when a process completes the authorization is auto removed! NOICE ;).

Okay that was fun.

So:

auth_generation

auth_generation.bpmn (5.9 KB)

Which executes a javascript file “generate.js”:


var initiator = execution.getVariable('_initiator')
var processId = execution.getProcessInstanceId()

var newAuth = execution.getProcessEngineServices().getAuthorizationService().createNewAuthorization(1) // 1 == Grant Allow Permission Type

var permissions = Java.type('org.camunda.bpm.engine.authorization.Permissions') //Permissions Enum: see https://docs.camunda.org/javadoc/camunda-bpm-platform/7.8/org/camunda/bpm/engine/authorization/Permissions.html
newAuth.addPermission(permissions.READ)

newAuth.setResourceId(processId)
newAuth.setUserId(initiator)
newAuth.setResourceType(8) // https://groups.google.com/forum/#!topic/camunda-bpm-users/VI9BkpsjPRQ

var createdAuth = execution.getProcessEngineServices().getAuthorizationService().saveAuthorization(newAuth)

// If you wanted to manually remoke the pemrission:
// var authId = createdAuth.getId()
// execution.setVariable('authId', authId)
// Then in your Revoke Script:
// var authId = execution.getVariable('authId')
// var authService = execution.getProcessEngineServices().getAuthorizationService()
// authService.deleteAuthorization(authId)

Permissions are setup as so:

Process Definition:
ALLOW steve READ, CREATE_INSTANCE auth_generation_1

Where steve is my username.

Process Instance:
DENY steve ALL *

This creates a blanket “not allowed to access any instances”

Then we use the above script to generate a new authorization for Process Instance:
ALLOW steve READ 6930a6b7-e10d-11e7-a9b4-0242ac120006

That will allow me to see the process instance in Cockpit:



The DENY permission will ensure that i cannot see other instances BUT i will be able to see the count (maybe this can be adjusted with permissions? @camunda).

So if i create another instance of Auth Generation with another user and view cockpit (Demo user has full permissions) i can see both instances:

and if i go back as steve user and look at cockpit:
I can see the count shows the global total:

But if i go into the definition:


I can only see the definition that i created before.


Few extra steps you can do:

  1. If you are locking down all of your permissions then you will need to add a DENY * to Task permissions. So you will want to repurpose the code above to generate task authorizations when a task is generated assigned to a specific user (use the Task listeners). Edit: Looks like @camunda has some extra auth logic for tasks. When a user is assigned, a authorization is auto-created:

    . Something to read into the docs more.

  2. You should do a validation check to ensure that authorizations are not created for every user (only if needed?) so you could check if they are apart of a specific group then only apply the authorization if needed?

  3. More complex logic will be needed for working with Claim/UnClaim scenarios / Multi-users working where you have very restricted logic: So would recommend using Groups for everything rather than specific username permissions.

  4. When A Process is completed, the Authorization is removed. (at least in Community edition)

  5. When a Task is assigned to you a Authorization for a Task is automatically generated. When task is completed, the authorization is auto-removed.


Notes about the documentation:

  1. Description at the top of this javadoc is out of date: AuthorizationService (Camunda BPM Javadocs 7.8.14-ee). The createNewAuthorization() method requires int for authorizationType.
  2. There is no link to the int numbers for authorizationType in the AuthorizationService (Camunda BPM Javadocs 7.8.14-ee) docs.
  3. There is not link to ResourceTypes as seen in newAuth.setResourceType(8). Had to find it from: Redirecting to Google Groups. Even the Rest API docs just have a “e.g. Tasks”, but no link.
  4. IMPORTANT: More docs are needed about what the specific ENUM permissions do, and which resource types each of Enums are(supposed to be) used in: Permissions (Camunda BPM Javadocs 7.8.14-ee). Had to use the Camunda Admin UI to choose, but you can apply additional enums to resourceTypes through code that are not supported in the Admin UI. So some detailed explanation about the different usecases in the docs would be really great.
    @camunda

Additional Use Cases:

  1. Add additional logic for authorizations for different groups and parent groups such as managers.
2 Likes

Hi all,
I’m new to Camunda and now I’m trying complete task using TaskService without using delegates. Although I completed the task, the process could not continue to next task . How do I solve it?

Thank you in advance.

Best Regards,
Phu Lay

This approach is great, however is not applicable in some use cases because initiator will be able to see all of process variables in process instance.