I am wondering how do you guys follow the process instance that has been started.
Consider the following case:
– I login to Camunda Tasklist.
– I start the process (an embedded form is attached to the start event).
– Afterwards I want to see where is my process instance, and who is working on this instance.
Is there a way to see the tasks of the process instances that I’ve started? (I cannot work on them, because they are assigned to other users).
In the cockpit in Processes you can open the specific process and use the filter tab to filter based on a start date, process variable or business key.
So you just need something that is at least semi-unique.
Well, I am wondering if all users should access the Cockpit (it contains some information that shouldn’t be relevant for everybody: like deployments, number of deployed processes etc).
Is there a way to create such a filter in the Tasklist? Or is it a Camunda way to go to the Cockpit?
I want a user to be able to perform the following actions:
– login to the Tasklist application (and don’t have access to other parts of camunda)
– start a process (in my simple example this is a vacation application process; in the start of the process I know all the assignees for all the tasks in the process)
– see that the process is started (in my case I’ve solved this with an email containing the application id; application id is unique)
– login to the Tasklist application after some time and be able to track the state of this process he has started (by tracking I mean: find the task(s) that are active in the process and who is responsible for completing them)
As of now, I don’t know how a normal user can track the status of his application. Don’t take me wrong, I’m studying Camunda to see if it can cover my request. I assume that you might see the way users communicate with the Tasklist in a different way. Therefore, I am asking about the possibility, or your vision how to accomplish my task.
The Resource Id is the ID of your Process Definition.
Then when a user wants to check on the status of processes, they can log into Cockpit and they will only be able to READ the instances of the process you gave them access to.
Set up the Authorizations in the Admin App under the Authorizations tab.
If using cockpit is not proper in your use case & you need more specific/customized tracker page to be part of tasklist then you can build your own custom plugin to be part of the tasklist web application.
Tasklist uses the concept of plugins to add own functionality without having to extend or hack the Tasklist web application
I have the same problem. If you set up the user to see Cockpit he can see all the process instances and not only the ones he has started. He should see only his processes.
Something that comes to mind is you could have two scripts in your process: Generate Auth and Revoke Auth.
Basically when the process starts you generate a Read Auth for the process instance against that specific user, and when the process reaches the end you Remove that authorization. You could do this through the Java API in a script (or through a Java delegate) with listeners, etc.
var initiator = execution.getVariable('_initiator')
var processId = execution.getProcessInstanceId()
var newAuth = execution.getProcessEngineServices().getAuthorizationService().createNewAuthorization(1) // 1 == Grant Allow Permission Type
var permissions = Java.type('org.camunda.bpm.engine.authorization.Permissions') //Permissions Enum: see https://docs.camunda.org/javadoc/camunda-bpm-platform/7.8/org/camunda/bpm/engine/authorization/Permissions.html
newAuth.addPermission(permissions.READ)
newAuth.setResourceId(processId)
newAuth.setUserId(initiator)
newAuth.setResourceType(8) // https://groups.google.com/forum/#!topic/camunda-bpm-users/VI9BkpsjPRQ
var createdAuth = execution.getProcessEngineServices().getAuthorizationService().saveAuthorization(newAuth)
// If you wanted to manually revoke the permission:
// var authId = createdAuth.getId()
// execution.setVariable('authId', authId)
// Then in your Revoke Script:
// var authId = execution.getVariable('authId')
// var authService = execution.getProcessEngineServices().getAuthorizationService()
// authService.deleteAuthorization(authId)
Permissions are set up as so:
Process Definition: ALLOW steve READ, CREATE_INSTANCE auth_generation_1
Where steve is my username.
Process Instance: DENY steve ALL *
This creates a blanket “not allowed to access any instances”
Then we use the above script to generate a new authorization for Process Instance: ALLOW steve READ 6930a6b7-e10d-11e7-a9b4-0242ac120006
That will allow me to see the process instance in Cockpit:
The DENY permission will ensure that I cannot see other instances BUT I will be able to see the count (maybe this can be adjusted with permissions? @camunda).
So if I create another instance of Auth Generation with another user and view Cockpit (Demo user has full permissions) I can see both instances:
I can only see the definition that I created before.
Few extra steps you can do:
If you are locking down all of your permissions then you will need to add a DENY * to Task permissions. So you will want to repurpose the code above to generate task authorizations when a task is generated assigned to a specific user (use the Task listeners). Edit: Looks like @camunda has some extra auth logic for tasks. When a user is assigned, an authorization is auto-created:
You should do a validation check to ensure that authorizations are not created for every user (only if needed?) so you could check if they are a part of a specific group then only apply the authorization if needed?
More complex logic will be needed for working with Claim/UnClaim scenarios / Multi-users working where you have very restricted logic: So would recommend using Groups for everything rather than specific username permissions.
When A Process is completed, the Authorization is removed. (at least in Community edition)
When a Task is assigned to you an Authorization for a Task is automatically generated. When the task is completed, the authorization is auto-removed.
There is no link to ResourceTypes as seen in newAuth.setResourceType(8). Had to find it from: Redirecting to Google Groups. Even the Rest API docs just have a “e.g. Tasks”, but no link.
IMPORTANT: More docs are needed about what the specific ENUM permissions do, and which resource types each of the Enums are (supposed to be) used in: Permissions (Camunda BPM Javadocs 7.8.14-ee). Had to use the Camunda Admin UI to choose, but you can apply additional enums to resourceTypes through code that are not supported in the Admin UI. So some detailed explanation about the different use cases in the docs would be really great. @camunda
Additional Use Cases:
Add additional logic for authorizations for different groups and parent groups such as managers.
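An added example, not part of the original posts and not Camunda's own code: the Generate Auth / Revoke Auth scripts described above written as one Java execution listener, using the named constants instead of the literals 1 and 8 and including the group check suggested in the extra steps. It assumes the `_initiator` variable from the script; the class name and the group name `process-trackers` are hypothetical.

```java
import java.util.List;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.delegate.ExecutionListener;

// Added example: register on the process as both a "start" and an "end" listener.
public class InitiatorReadAuthListener implements ExecutionListener {
  // Assumption: the initiator is stored in "_initiator", as in the script above.
  private static final String INITIATOR_VAR = "_initiator";
  // Hypothetical group name: only its members receive a per-instance grant.
  private static final String TRACKING_GROUP = "process-trackers";

  @Override
  public void notify(DelegateExecution execution) {
    String initiator = (String) execution.getVariable(INITIATOR_VAR);
    if (initiator == null) {
      return; // started without an authenticated user: nothing to grant or revoke
    }
    AuthorizationService authService = execution.getProcessEngineServices().getAuthorizationService();
    String instanceId = execution.getProcessInstanceId();
    // GRANT authorizations this user already holds on exactly this instance.
    List<Authorization> existing = authService.createAuthorizationQuery()
        .userIdIn(initiator)
        .resourceType(Resources.PROCESS_INSTANCE)
        .resourceId(instanceId)
        .authorizationType(Authorization.AUTH_TYPE_GRANT)
        .list();
    if (EVENTNAME_END.equals(execution.getEventName())) {
      for (Authorization auth : existing) {
        authService.deleteAuthorization(auth.getId()); // explicit revoke on process end
      }
      return;
    }
    boolean inGroup = execution.getProcessEngineServices().getIdentityService()
        .createGroupQuery().groupMember(initiator).groupId(TRACKING_GROUP).count() > 0;
    if (!inGroup || !existing.isEmpty()) {
      return; // not eligible, or the grant already exists (avoid duplicates)
    }
    Authorization grant = authService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    grant.setUserId(initiator);
    grant.setResource(Resources.PROCESS_INSTANCE); // same value as setResourceType(8)
    grant.setResourceId(instanceId);
    grant.addPermission(Permissions.READ); // least privilege: read only
    authService.saveAuthorization(grant);
  }
}
```

Querying by user and instance id on the end event removes the need to carry an `authId` process variable between the grant and the revoke.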
Hi all,
I’m new to Camunda and now I’m trying to complete a task using TaskService without using delegates. Although I completed the task, the process could not continue to the next task. How do I solve it?
This approach is great, however it is not applicable in some use cases because the initiator will be able to see all of the process variables in the process instance.