How does Optimize import the permissions?

Hello,

This Optimize docs section describes how access to Optimize is managed. It’s done by consulting the permissions of the “integrated” Camunda systems.

I have a question about how Optimize does that. Does it issue a get-query request against the Camunda REST API?

What do those REST API calls translate to in the Camunda engine? Are direct DB queries executed that select the values from the DB tables where the permissions are stored? Or is that all made via calling the authorization service of the Camunda engine (which might then query the DB but might also do something different if a custom authorization service is installed)?

Thank you.

Cheers!

We have to make some assumptions given the closed-source nature of Optimize, but Optimize only communicates with the engine via the REST API. There is an undocumented internal engine REST API that you might have to go rooting through for additional calls, but I think between the call that you linked and the authorization check call, Optimize can achieve what it needs to.

The authorizations themselves live in ACT_RU_AUTHORIZATION, so the underlying DB calls that the REST API will ultimately make will depend on how your identity service is set up, but if your users and groups are stored in the Camunda tables, it’ll probably be a combination of queries to ACT_ID_USER, ACT_ID_GROUP, and ACT_ID_MEMBERSHIP, then ACT_RU_AUTHORIZATION.

Hello @jgigliotti,

Thank you for your hints. I’ve looked into the code of the REST API. The authorization REST calls end up calling the engine’s authorization service methods (createAuthorizationQuery etc.). The real access to the authorizations is made by the authorization service. That’s what I wanted to know.

Now it would be interesting to know what REST API calls Optimize makes. But since it’s closed source, it makes no sense to ask about it here.

Thank you again.