Java API - Finding process definitions by candidate group

Hi
I’m trying to list all deployed process definitions that can be started by the giver user by his Id or group he belongs to. As I can see in the modeler, there are two fields which seems to be designed for such purpose (‘Candidate Starter Groups’ and ‘Candidate Starter User’). But I can find candidate group related api method on the ProcessDefinitionQuery. The only one which works fine is the startableByUser() which works fine , but what about groups? Its worth to mention that neither candidate user nor candidate group are returned with the ProcesSDefinition object, so I also can’t filter that by myself.
I’m using my own authorization from Spring Security and using Camunda API without settings Identity data.
Regards
Jan

Hi
Since there is no answer I would like to refresh the topic. I have updated my code to set the identity, but the I’m still looking for method to query for candidate starter group
processEngine.getIdentityService().setAuthentication(auth.getName(), auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()));
@Niall Would you be so nice and point me to the correct method how to do that ?

Regards

Hello @JanGr ,

the thing you are pointing at is the following:

The interface ProcessDefinition provides to Getter for these fields. The implementation ProcessDefinitionEntity does indeed contain this information. Yet, this is not a String but an expression, as you can enter an expression in these fields in the Modeler.

I would suggest that, if you want to use Authorization features of the process engine, you also use the Authorization. You can for example link the Authorization from Spring Security to the engine by providing your own org.camunda.bpm.engine.impl.interceptor.SessionFactory for your own impl of org.camunda.bpm.engine.impl.identity.ReadOnlyIdentityProvider and configuring your Process Engine with it.

By this, the engine will just be able to use your RBAC but only read it.

Hope this helps

Jonathan

1 Like

Thank you @jonathan.lukas
I prefer to keep this separated due to some reasons. But I’m not sure If I understand correctly. I was expecting to be able to create query to list by candidate user and group, like:

processEngine.getRepositoryService().createProcessDefinitionQuery().active().startableByUser(userId)
But it seems that there is no candidate group criteria there. Am I right ?

Regards
Jan

Hello @JanGr ,

yes you are right. A query like this is not possible. All authorization-related things are handled inside the engine authorization.

You could adjust your own authorization layer to fulfill this requirement then.

Jonathan

@jonathan.lukas Sound great and it will fit to my needs. However, could you kindly please tell me what’s more needed here as setting as follows doesn’t work for me.

processEngine.getIdentityService().setAuthentication(userId, listOfGroups)

processEngine.getRepositoryService().createProcessDefinitionQuery().active().**startablePermissionCheck()**.latestVersion().list();

Hello @JanGr ,

to make this work, you have to enable authorization and configure it. (Users, Groups, Authorization Objects). Any interaction with the API will then use the Authorization of the currently authenticated user.

Jonathan

Hi @jonathan.lukas
I did it already by turning it on in yaml file - camunda.bpm.authorization.enabled=true
So I also expected that it would be enough to set the authentication as I copy pasted in my previous post (processEngine.getIdentityService().setAuthentication) and define authorization scopes in the modeler - like candidate starter group etc. I would like to keep as much as possible configured in the modeler so thats why I had a hope that this solution seems to be complete. But having this done is not limiting the processes to start when using the query.

Hello @JanGr ,

I just checked the Configuration possible and there is another property that could help:
camunda.bpm.authorization.enabled-for-custom-code: Enables authorization for custom code

Please find a reference here:

https://docs.camunda.org/manual/7.15/user-guide/spring-boot-integration/configuration/

Jonathan

Hi
Thank you very much for all you responses. I have tried that one but still, the processes list is not limited by the one dedicated for the group user belongs to. This is my yaml

camunda:
  bpm:
    database:
      type: mssql
    table-prefix: camunda.
    schema-update: true
    admin-user:
      id: 
      password: 
    authorization:
      enabled: true
      enabled-for-custom-code: true

Hello @JanGr ,

now I am really out of responses, sorry :sweat: . @Ingo_Richtsmeier @Niall @Nele do you have an idea?

Jonathan

Hi @Niall I will appreciate any help here :wink:

Thx, Jan

Hi @jonathan.lukas
I have just noticed that I can filter the process definitions by setting the Process Definition Authorizations’ to particular process or just by wildcard * from the cockpit page which is not the case for me. It looks for me like candidate group given from the modeler does’t work and it is overwritten by the cockpit settings.

Hello @JanGr ,

yes this is possible. In Admin, you can set the Authorizations for process definitions.
I thought that using the Starter Candidate fields in the process model would do the same.
Excuse me I did not mention this earlier.

Can you make use of this?

Jonathan

Hi @jonathan.lukas
Well. Question if this is possible to follow what is set from modeler level rather then adjusting it inside the cockpit. Our idea was to describe it on the process level by designer person but not by the system admin.
It also look as what is set in modeler is not a part of authorization check ( candidate user and group), but could be only used in custom queries ( but groups are not a part of query API)

And I have just noticed that candidate group nor the candidate user is returned from the processDefinitionQuery in ProcessDefinition object which makes it impossible to filter the definitions in the code. Can it be worth reporting bug ?
.