Grant task-read-permission on process-instance-level


#1

According to the docs, I can grant the permission to read tasks on a specific process definition.
In my application, I’d like to grant this permission for specific process instances only, and not for all instances of a definition. Is this possible—or does this require some custom queries to be added in my spring boot application?


#2

That shouldn’t be a problem, it’s detailed here.


#3

According to this section, there are only 3 extra permissions that can be assigned to process instances, namely Retry Job, Suspend, and Update Variable. I would need the Task Read permission, but it is not listed. Would it work anyway?


#4

Hi Timo,

Is it sufficient to assign READ permission to a specific process instance?
Or do you want it to be restricted to the tasks only?


#5

Probably, I should bring up an example. Let’s say I have a process with pupils and teachers. (In fact, it’s an e-learning setting.)

  • The pupils should see all tasks that they candidate for or are assigned to (no matter the process instance.)
  • The teachers should be able to see all tasks of their pupils (all tasks, but only within certain process instances – because each process instance can belong to another teacher, and each teacher should only see her or his own instances.)
  • As a plus: The teachers should be able to spawn new instances – and for these instances, they should have again the permission to supervise their pupils.

How can I achieve that

  • The pupils see all assigned-or-candidate tasks?
  • The teachers see all tasks within their own instances?
  • As a plus: Each teacher “owns” all instances created by her- or himself?

Thank you very much,
Timo


#6

Hi Timo,

Your explanation helped a lot to get the whole picture.
I think you can achieve your requirements easily.

  • Create two task filters (one for teachers and one for students (only assigned tasks)). [1]
  • Once a task is assigned to a user, this user has all of the needed permissions so that this user can read and work on the task, so this will work out of the box for the students.
  • Create READ permission for specific process instances for each of the teachers.
  • Further you can think of using tenants for teachers. [2]
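Added example, not code from this thread or from the Camunda project: the grants and filters that post #6 lists, written against the Camunda Platform 7 Java API (the question mentions Spring Boot; this uses the plain engine services, which Spring Boot auto-wires). Everything concrete here is an assumption: a process definition with key "lesson", a process variable "teacherId" that the teacher sets when starting an instance, the sample user ids, and the listener being attached to the start event in the BPMN. Because a grant on `Resources.PROCESS_INSTANCE` names one instance id, it has to be created each time an instance appears, which is what the listener does for "each teacher owns the instances she creates". Whether a READ grant on the instance alone is enough to surface its tasks is exactly what post #3 asks and the thread does not settle, so the teacher filter narrows by the process variable on its own.

```java
// Added example (not from the thread or from Camunda). Constructed assumptions:
// process key "lesson", process variable "teacherId", user ids "teacher-anna"/"pupil-ben".
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.delegate.ExecutionListener;
import org.camunda.bpm.engine.filter.Filter;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.engine.runtime.ProcessInstance;
import org.camunda.bpm.engine.task.TaskQuery;
import org.camunda.bpm.engine.variable.Variables;

public class TeacherPupilAuthorizations {

    private static final String PROCESS_KEY = "lesson";    // assumed process key
    private static final String TEACHER_VAR = "teacherId"; // assumed process variable

    /** Post #6, bullet 3: grant one teacher READ on exactly one process instance. */
    public static Authorization grantInstanceRead(AuthorizationService authz,
                                                  String teacherId, String processInstanceId) {
        Authorization auth = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        auth.setUserId(teacherId);
        auth.setResource(Resources.PROCESS_INSTANCE);
        auth.setResourceId(processInstanceId); // this instance only, never "*"
        auth.addPermission(Permissions.READ);
        authz.saveAuthorization(auth);
        return auth;
    }

    /** Post #5 "as a plus": the two grants a user needs to start instances of the process. */
    public static void grantStartPermission(AuthorizationService authz, String teacherId) {
        Authorization onDefinition = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        onDefinition.setUserId(teacherId);
        onDefinition.setResource(Resources.PROCESS_DEFINITION);
        onDefinition.setResourceId(PROCESS_KEY);
        onDefinition.addPermission(Permissions.CREATE_INSTANCE);
        authz.saveAuthorization(onDefinition);

        Authorization onInstances = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        onInstances.setUserId(teacherId);
        onInstances.setResource(Resources.PROCESS_INSTANCE);
        onInstances.setResourceId("*");        // CREATE cannot name an id that does not exist yet
        onInstances.addPermission(Permissions.CREATE);
        authz.saveAuthorization(onInstances);
    }

    /** Post #6, bullet 1 (students): only tasks assigned to whoever is logged in. */
    public static Filter createPupilFilter(ProcessEngine engine) {
        TaskQuery query = engine.getTaskService().createTaskQuery()
            .taskAssigneeExpression("${currentUser()}");
        Filter filter = engine.getFilterService().newTaskFilter("My lessons");
        filter.setQuery(query);
        return engine.getFilterService().saveFilter(filter);
    }

    /** Post #6, bullet 1 (teachers): all tasks, but only in instances carrying this teacher's id. */
    public static Filter createTeacherFilter(ProcessEngine engine, String teacherId) {
        TaskQuery query = engine.getTaskService().createTaskQuery()
            .processVariableValueEquals(TEACHER_VAR, teacherId);
        Filter filter = engine.getFilterService().newTaskFilter("My pupils");
        filter.setOwner(teacherId);
        filter.setQuery(query);
        Filter saved = engine.getFilterService().saveFilter(filter);

        // A filter is a protected resource itself; without READ on it the teacher will not see it.
        Authorization onFilter = engine.getAuthorizationService()
            .createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        onFilter.setUserId(teacherId);
        onFilter.setResource(Resources.FILTER);
        onFilter.setResourceId(saved.getId());
        onFilter.addPermission(Permissions.READ);
        engine.getAuthorizationService().saveAuthorization(onFilter);
        return saved;
    }

    /** A teacher starts a lesson; the variable feeds her filter, the listener adds the grant. */
    public static ProcessInstance startLesson(ProcessEngine engine, String teacherId) {
        engine.getIdentityService().setAuthenticatedUserId(teacherId);
        try {
            return engine.getRuntimeService().startProcessInstanceByKey(
                PROCESS_KEY, Variables.putValue(TEACHER_VAR, teacherId));
        } finally {
            engine.getIdentityService().clearAuthentication();
        }
    }

    /** Assumed to be attached to the start event: grants the starting user READ on the new instance. */
    public static class OwnerGrantListener implements ExecutionListener {
        @Override
        public void notify(DelegateExecution execution) {
            Authentication current = execution.getProcessEngineServices()
                .getIdentityService().getCurrentAuthentication();
            if (current == null || current.getUserId() == null) {
                return; // started by the engine itself (timer, message): nobody to grant to
            }
            grantInstanceRead(execution.getProcessEngineServices().getAuthorizationService(),
                              current.getUserId(), execution.getProcessInstanceId());
        }
    }
}
```

The listener is the piece that keeps the per-instance grants from drifting: it runs inside the same command that creates the instance, so an instance either exists with its owner's grant or not at all, and an instance started by a timer or message (no authenticated user) gets no grant rather than a grant to the wrong person.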