Java API - Finding process definitions by candidate group

Hi
I’m trying to list all deployed process definitions that can be started by the given user, by his id or by a group he belongs to. As I can see in the modeler, there are two fields which seem to be designed for such a purpose (‘Candidate Starter Groups’ and ‘Candidate Starter User’). But I can’t find a candidate group related API method on the ProcessDefinitionQuery. The only one which works fine is startableByUser(), but what about groups? It’s worth mentioning that neither candidate user nor candidate group is returned with the ProcessDefinition object, so I also can’t filter that by myself.
I’m using my own authorization from Spring Security and using the Camunda API without setting identity data.
Regards
Jan

Hi
Since there is no answer I would like to refresh the topic. I have updated my code to set the identity, but I’m still looking for a method to query for candidate starter groups:
processEngine.getIdentityService().setAuthentication(auth.getName(), auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList()));
@Niall Would you be so nice and point me to the correct method for how to do that?

Regards

Hello @JanGr ,

the thing you are pointing at is the following:

The interface ProcessDefinition provides no getter for these fields. The implementation ProcessDefinitionEntity does indeed contain this information. Yet, this is not a String but an expression, as you can enter an expression in these fields in the Modeler.

I would suggest that, if you want to use Authorization features of the process engine, you also use the Authorization. You can for example link the Authorization from Spring Security to the engine by providing your own org.camunda.bpm.engine.impl.interceptor.SessionFactory for your own impl of org.camunda.bpm.engine.impl.identity.ReadOnlyIdentityProvider and configuring your Process Engine with it.

This way, the engine will be able to use your RBAC, but only read it.

Hope this helps

Jonathan

1 Like

Thank you @jonathan.lukas
I prefer to keep this separated for some reasons. But I’m not sure if I understand correctly. I was expecting to be able to create a query to list by candidate user and group, like:

processEngine.getRepositoryService().createProcessDefinitionQuery().active().startableByUser(userId)
But it seems that there is no candidate group criterion there. Am I right?

Regards
Jan

Hello @JanGr ,

yes you are right. A query like this is not possible. All authorization-related things are handled inside the engine authorization.

You could adjust your own authorization layer to fulfill this requirement then.

Jonathan

@jonathan.lukas Sounds great and it will fit my needs. However, could you kindly tell me what more is needed here, as the following setup doesn’t work for me.

processEngine.getIdentityService().setAuthentication(userId, listOfGroups)

processEngine.getRepositoryService().createProcessDefinitionQuery().active().startablePermissionCheck().latestVersion().list();

Hello @JanGr ,

to make this work, you have to enable authorization and configure it. (Users, Groups, Authorization Objects). Any interaction with the API will then use the Authorization of the currently authenticated user.

Jonathan

Hi @jonathan.lukas
I did it already by turning it on in yaml file - camunda.bpm.authorization.enabled=true
So I also expected that it would be enough to set the authentication as I copy-pasted in my previous post (processEngine.getIdentityService().setAuthentication) and define authorization scopes in the modeler, like candidate starter group etc. I would like to keep as much as possible configured in the modeler, so that’s why I had hoped that this solution would be complete. But having done this does not limit the processes that can be started when using the query.

Hello @JanGr ,

I just checked the possible configuration and there is another property that could help:
camunda.bpm.authorization.enabled-for-custom-code: Enables authorization for custom code

Please find a reference here:

https://docs.camunda.org/manual/7.15/user-guide/spring-boot-integration/configuration/

Jonathan

Hi
Thank you very much for all your responses. I have tried that one but still, the process list is not limited to the ones dedicated to the group the user belongs to. This is my yaml:

camunda:
  bpm:
    database:
      type: mssql
    table-prefix: camunda.
    schema-update: true
    admin-user:
      id: 
      password: 
    authorization:
      enabled: true
      enabled-for-custom-code: true

Hello @JanGr ,

now I am really out of responses, sorry :sweat: . @Ingo_Richtsmeier @Niall @Nele do you have an idea?

Jonathan

Hi @Niall I will appreciate any help here :wink:

Thx, Jan

Hi @jonathan.lukas
I have just noticed that I can filter the process definitions by setting the Process Definition Authorizations to a particular process or just by the wildcard * from the cockpit page, which is not the case for me. It looks to me like the candidate group given from the modeler doesn’t work and is overwritten by the cockpit settings.

Hello @JanGr ,

yes this is possible. In Admin, you can set the Authorizations for process definitions.
I thought that using the Starter Candidate fields in the process model would do the same.
Excuse me for not mentioning this earlier.

Can you make use of this?

Jonathan

Hi @jonathan.lukas
Well. The question is whether it is possible to follow what is set at the modeler level rather than adjusting it inside the cockpit. Our idea was to describe it at the process level by the designer, not by the system admin.
It also looks as if what is set in the modeler (candidate user and group) is not part of the authorization check, but could only be used in custom queries (but groups are not part of the query API).

And I have just noticed that neither the candidate group nor the candidate user is returned from the processDefinitionQuery in the ProcessDefinition object, which makes it impossible to filter the definitions in the code. Could it be worth reporting a bug?

Hi @Niall. Do you have any clue what I did wrong here? Or would this not be possible with the Java API?

Hi @JanGr,

it took some time for me to figure out the details, as the documentation is missing a description.

When you set the candidateStarterGroup for a process definition, the engine creates identity links in the database during deployment. (camunda-bpm-platform/BpmnDeployer.java at master · camunda/camunda-bpm-platform · GitHub)

In my experiments, they are picked up when I provide the startableBy parameter to a process definition query (I tested with the Rest API).

I used the Tomcat distro, as group memberships are coming with the example. I added a process application and set the candidateStarterGroup to accounting. mary and demo are members of this group.

http://localhost:8080/engine-rest/process-definition?startableBy=demo returned the deployed process definition and http://localhost:8080/engine-rest/process-definition?startableBy=peter returned an empty result.

The setting is not picked up in Camunda Tasklist.

Hope this helps, Ingo

1 Like

Thank you very much @Ingo_Richtsmeier
I think that this is the case, as startableBy is not accessible in the Java API. There is only startableByUser.

Thx, Jan

Hi @JanGr,

the parameter from the rest api is mapped to startableByUser() in the Java API: camunda-bpm-platform/ProcessDefinitionQueryDto.java at master · camunda/camunda-bpm-platform · GitHub.

Hope this helps, Ingo

Hi @Ingo_Richtsmeier
This one works fine for candidateStarterUser but not for the candidateStarterGroup.
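The thread leaves the group case unresolved: the candidate starter users and groups from the model are stored as identity links at deployment time, but ProcessDefinitionQuery only exposes startableByUser(), and in a setup where group memberships are not stored in the engine's identity tables that check cannot resolve groups. The following is an added example (not code from the thread or from the Camunda project) that filters the latest active definitions in application code instead. It relies on RepositoryService#getIdentityLinksForProcessDefinition(...) and the IdentityLink / IdentityLinkType types from the Camunda 7 Java API, which are not mentioned on the page; the user id and group list are assumed to come from the application's own Spring Security context, as the original poster describes, and the sample values in main() are constructed.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.RepositoryService;
import org.camunda.bpm.engine.repository.ProcessDefinition;
import org.camunda.bpm.engine.task.IdentityLink;
import org.camunda.bpm.engine.task.IdentityLinkType;

/**
 * Added example, not part of the forum thread or of Camunda itself.
 *
 * Lists the process definitions a caller may start based on the candidate
 * starter identity links the engine writes at deployment. User-level links
 * are matched against the user id; group-level links are matched against the
 * group ids the application already holds (assumed to come from Spring
 * Security), so no group membership needs to exist in the engine's identity
 * tables for the group check to work.
 */
public class StartableProcessDefinitions {

    private final RepositoryService repositoryService;

    public StartableProcessDefinitions(ProcessEngine processEngine) {
        this.repositoryService = processEngine.getRepositoryService();
    }

    /** Latest active definitions startable by the given user id or any of the given group ids. */
    public List<ProcessDefinition> startableBy(String userId, Set<String> groupIds) {
        List<ProcessDefinition> candidates = repositoryService.createProcessDefinitionQuery()
                .active()
                .latestVersion()
                .list();

        return candidates.stream()
                .filter(pd -> isCandidateStarter(pd, userId, groupIds))
                .collect(Collectors.toList());
    }

    private boolean isCandidateStarter(ProcessDefinition pd, String userId, Set<String> groupIds) {
        // Identity links of type "candidate" are what the engine creates from the
        // Candidate Starter Users / Candidate Starter Groups fields of the model.
        List<IdentityLink> links = repositoryService.getIdentityLinksForProcessDefinition(pd.getId());
        for (IdentityLink link : links) {
            if (!IdentityLinkType.CANDIDATE.equals(link.getType())) {
                continue;
            }
            if (userId != null && userId.equals(link.getUserId())) {
                return true;
            }
            if (link.getGroupId() != null && groupIds.contains(link.getGroupId())) {
                return true;
            }
        }
        // Definitions without any candidate starter link are deliberately hidden,
        // mirroring the deny-by-default behaviour of startableByUser(). Return
        // links.isEmpty() instead if unrestricted definitions should be open to all.
        return false;
    }

    // Constructed usage: the user id and groups would normally be read from the
    // application's Spring Security Authentication, as in the thread.
    public static void main(String[] args) {
        ProcessEngine engine = org.camunda.bpm.engine.ProcessEngines.getDefaultProcessEngine();
        StartableProcessDefinitions finder = new StartableProcessDefinitions(engine);
        List<ProcessDefinition> startable = finder.startableBy("demo", Set.of("accounting"));
        startable.forEach(pd -> System.out.println(pd.getKey() + " v" + pd.getVersion()));
    }
}
```

The per-definition identity link lookup is one extra query per latest definition; for a large number of definitions it is worth caching the result per deployment, since the links only change when a new version is deployed.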