Grant task-read-permission on process-instance-level


According to the docs, I can grant the permission to read tasks on a specific process definition.
In my application, I’d like to grant this permission for specific process instances only, and not for all instances of a definition. Is this possible—or does this require some custom queries to be added in my Spring Boot application?


That shouldn’t be a problem, it’s detailed here.


According to this section, there are only 3 extra permissions that can be assigned to process instances, namely Retry Job, Suspend, and Update Variable. I would need the Task Read permission, but it is not listed. Would it work anyway?


Hi Timo,

Is it sufficient to assign READ permission to a specific process instance?
Or do you want to be restricted to the tasks only?


Probably, I should bring up an example. Let’s say I have a process with pupils and teachers. (In fact, it’s an e-learning setting.)

  • The pupils should see all tasks that they are candidates for or are assigned to (no matter the process instance).
  • The teachers should be able to see all tasks of their pupils (all tasks, but only within certain process instances – because each process instance can belong to another teacher, and each teacher should only see her or his own instances).
  • As a plus: The teachers should be able to spawn new instances – and for these instances, they should have again the permission to supervise their pupils.

How can I achieve that

  • The pupils see all assigned-or-candidate tasks?
  • The teachers see all tasks within their own instances?
  • As a plus: Each teacher “owns” all instances created by her- or himself?

Thank you very much,


Hi Timo,

Your explanation helped a lot to get the whole picture.
I think you can achieve your requirements easily.

  • Create two task filters (one for teachers and one for students (only assigned tasks)). [1]
  • Once a task is assigned to a user, this user has all of the needed permissions so that this user can read and work on the task, so this will work out of the box for the students.
  • Create READ permission for specific process instances for each of the teachers.
  • Further, you can think of using tenants for teachers. [2]