How to prohibit a user from claiming a task

Apologies if this question has been answered before.
How do I restrict users from claiming a certain task? What I found out is that if the user doesn’t have TASK_ASSIGN, he/she won’t be able to claim an already assigned task. But if the task is unclaimed, he/she is still able to claim the task. Please advise.

Hi @khoanguyen123,

The below post might be of help to you

Thanks, @hassang. The other post helps, but it only solves half of my problem. Any unclaimed tasks can still be claimed by the user, which I would like to prevent. My goal is to allow user A to claim only a few unclaimed tasks, not every unclaimed task.

Hi @khoanguyen123,

Is the other user specified as a candidate user for the task? If yes, then this is the reason why he/she can claim the unassigned task.

For example: If both user1 and user2 are specified as candidate users for a task then both are given the permission to claim it.
camunda:candidateUsers="user1, user2"

Hi @hassang,

The task has no candidate user or candidate group assigned. I also tried to set the candidate user and/or candidate group to a completely disjoint entity, and it didn’t prevent the user in question from claiming the task.

FYI, I am running the platform using Spring Boot, and below is my config:

camunda:
  bpm:
    authorization:
      enabled: true
    generic-properties:
      properties:
        default-user-permission-name-for-task: TASK_WORK

Hi @khoanguyen123,

Do you have permissions given explicitly to the user in question?

Can you please check from the cockpit the automatically created authorizations for the task once it gets created.

Hi @hassang,

To illustrate, I built a simple process. User Task “Say Hello” has no candidate user or group:

User Alice belongs to the ACCOUNTS group, which has READ, TASK_WORK permissions.

Alice is still able to claim the “Say Hello” task:


Authorizations snapshot:

What am I missing if I want to block Alice from claiming the task?

Thanks!

Hi @khoanguyen123,

This way all users of this group can claim and complete any running task. (*)

You don’t have to specify any task’s permissions.
Setting ACCOUNTS group as candidate group for this task “Say Hello” should do the job.
The system would automatically create a default authorization for this task once it gets created and remove it once the task gets completed/deleted. So if you have a look at the “Task Authorizations” page once the task gets created, you would notice that a new authorization is created with Group set to ACCOUNTS, Permissions set to TASK_WORK and Resource ID set to the task ID of the newly created task “Say Hello”.

Hi @khoanguyen123,

Please be aware that setting the Resource ID of an authorization to * means any.

In the example I mentioned, any member of the ACCOUNTS group can claim and complete this specific task, to which the group is assigned as candidate group. So if members of this group shouldn’t have access to it, then simply don’t assign it as a candidate group for this task and, of course, don’t set any task permissions manually.

Hi @hassang,

Thank you for being patient with me. My goal is the reverse actually: I DO NOT want Alice to be able to claim the task. What do I need to do to achieve that? I tried to set the candidate group of the “Say Hello” task to a group of which Alice is not a member, and it still doesn’t prevent Alice from claiming that task.

Hi @khoanguyen123,

In addition to what you did, remove the task permission you added.

No need to add task permissions.

Hi @khoanguyen123,

Remove the one below

Hi @hassang,

Lightbulb moment for me! To recap, to prevent user Alice from claiming a task:

  1. Set candidate user and/or group to an entity that Alice is not a member of
  2. DO NOT explicitly set any Task permissions to Alice or her groups

Thanks for the guidance.
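
The outcome of the thread as an added example (not part of the original posts and not Camunda engine code): a simplified Python model of which task authorizations let a user claim a task, showing the wildcard grant on ACCOUNTS and the state after it is removed. The record field names, the task ID and the MANAGERS group are constructed assumptions; revoke authorizations and process-definition-level permissions are not modeled.

```python
# Added example: a simplified model of the task-claim check, not Camunda engine code.
# Record fields and IDs are constructed; only grant authorizations on tasks are modeled.
ANY = "*"                                           # wildcard: any user / any resource
CLAIM_PERMISSIONS = {"TASK_WORK", "UPDATE", "ALL"}  # task permissions that allow claiming

def grants_allowing_claim(authorizations, user_id, group_ids, task_id):
    """Return every task authorization that lets user_id claim task_id."""
    hits = []
    for auth in authorizations:
        if auth["resourceType"] != "TASK":
            continue
        subject_ok = (auth.get("userId") in (user_id, ANY)
                      or auth.get("groupId") in group_ids)
        resource_ok = auth["resourceId"] in (task_id, ANY)
        permission_ok = bool(CLAIM_PERMISSIONS & set(auth["permissions"]))
        if subject_ok and resource_ok and permission_ok:
            hits.append(auth)
    return hits

def wildcard_task_grants(authorizations):
    """Flag grants that open up claiming of every task (the misconfiguration in the thread)."""
    return [a for a in authorizations
            if a["resourceType"] == "TASK" and a["resourceId"] == ANY
            and CLAIM_PERMISSIONS & set(a["permissions"])]

TASK_ID = "say-hello-task-1"  # constructed task ID

# Manually added authorization from the thread: ACCOUNTS has READ, TASK_WORK on all tasks.
MANUAL_GRANT = {"groupId": "ACCOUNTS", "resourceType": "TASK",
                "resourceId": ANY, "permissions": ["READ", "TASK_WORK"]}
# Authorization created automatically for the candidate group of this one task
# (MANAGERS is a hypothetical group that Alice is not a member of).
CANDIDATE_GRANT = {"groupId": "MANAGERS", "resourceType": "TASK",
                   "resourceId": TASK_ID, "permissions": ["TASK_WORK"]}

BEFORE = [MANUAL_GRANT, CANDIDATE_GRANT]  # Alice can still claim
AFTER = [CANDIDATE_GRANT]                 # manual wildcard grant removed

if __name__ == "__main__":
    for label, auths in (("before", BEFORE), ("after", AFTER)):
        hits = grants_allowing_claim(auths, "alice", ["ACCOUNTS"], TASK_ID)
        print(label, "-> alice can claim:", bool(hits), [h["groupId"] for h in hits])
    print("wildcard grants to review:", wildcard_task_grants(BEFORE))
```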