New group has admin powers


#1

I created a new group with the admin, called Users. I did not assign any authorization to them. Then I created a user, gave it the group Users, and logged in with that user. Well, it has the same powers as an admin. How can it be?

PS: by default, there’s no “All Tasks” filter. Is this intentional, or is the problem that I’m using Postgres and Hibernate does not support Postgres LOBs?


#2

That should not happen. What version of Camunda are you running?
Can you provide a screenshot of the Application Authorizations page as well as the Groups Page of the User?

This is intentional, as we start Camunda with an empty database. Clicking ‘Create a simple filter’ will generate the ‘All Tasks’ filter for you.


#3

I use camunda-engine 7.11.0 with camunda-bpm-spring-boot-starter-webapp version 3.3.2.

PS: well, as you create the db, you can add a row for an “All Tasks” filter. The newbie is really confused about the fact no task is visible even if there are some.
PPS: and it should be undeletable IMHO.


#4

You can configure Camunda to create an “all” filter for you on startup:

camunda.bpm.filter.create=All

in your application properties.


#5

Well, but shouldn’t this be the default value?


#6

A lot of people use the engine and don’t use the filters at all, so it’s better to give the user a choice with the default adding nothing in case it’s not required.


#7

How can they not use filters? If you don’t have a filter, you can’t see any task.


#8

There are a few different reasons:

  • People are using technical processes that do not have any user tasks
  • People are using an external UI which sends REST calls to the engine directly rather than using the filter system
  • People are using an embedded engine and make queries directly.

#9

Mmmmhhh… it seems to me the same arguments of rich people about public healthcare :smiley:

Jokes apart, ok, a lot of people don’t need tasks and will never land on the page. But the people that need tasks usually expect to see their tasks, not to create a filter for viewing tasks. It’s misleading, since no one expects that for viewing ALL tasks you have to create a FILTER.

Furthermore, what problem can cause having the All Tasks filter created by default?


#10

I disagree that people who use task list need the all tasks filter. From my experience when implemented for any kind of real use case the All Tasks filter is often removed or never added. Tasks are assigned to groups or users and it’s not often the case that task workers are presented with a list of ALL tasks across the whole engine to choose from.

With regard to your point about it confusing people who are maybe just having a look at Camunda: well, that’s why we add filters (including the all tasks filter) to the default distro you would find on the download page:

The only reason you would not have seen filters is because you would have chosen to start up a completely fresh distro without any data.


#11

Ok, but what’s the problem of creating such a filter by default also in a fresh Spring Boot installation? If the user does not need it, they can remove it. But newbies like me will not be confused by the fact they see no tasks even if there should be one. A UX designer will suicide itself… :smiley:


#12

Not a problem, we have a number of Maven archetypes, one of which will create a Spring Boot installation with additional data including a task filter.

From my perspective the default Spring Boot installations should be as clean as possible, for a number of reasons including the fact that we don’t know how it’s intended to be used.

We have the archetype so that you can setup something to help you explore functionality.


#13

Well, Amen…


#14

Can I only add as final thought that for all the other categories, Deployments, Processes, Users and Groups, all the items are displayed by default? Tasks are the only exception and it’s confusing. No sane man will expect something like this as default behavior.

I understand Spring is intended to be a clean installation, completely customizable, without any defaults. But I think that a filter that can be removed can’t hurt the sensibility of the most purist of Spring devs.


#15

Anyway, returning on topic, what about the bug of users being superusers, @martin.stamm?


#16

@martin.stamm ô¿ô


#17

Hi Marco,

Please share your application properties file and the records from the ACT_RU_AUTHORIZATION table.


#18

application.properties:

spring.datasource.url = jdbc:postgresql://localhost:5432/camunda
spring.datasource.username = camunda_remote
spring.datasource.password = ********

spring.datasource.tomcat.minSize = 35
spring.datasource.tomcat.initialSize = 35
spring.datasource.tomcat.maxActive = 250

appName = camunda

server.servlet.context-path = /${appName}

spring.http.encoding.charset = UTF-8
spring.http.encoding.enabled = true
spring.http.encoding.force = true

spring.servlet.multipart.max-file-size = 150MB
spring.servlet.multipart.max-request-size = 150MB

# CAMUNDA SETTINGS - START #
camunda.bpm.deployment-resource-pattern = classpath:workflow/*.bpmn, classpath:workflow/*.dmn, classpath:workflow/*.cmmn
# CAMUNDA SETTINGS - END #

# server.servlet.session.cookie.secure = true
# server.servlet.session.cookie.http-only = true

####### DEV ONLY, TO CHANGE IN PRODUCTION ##########
# logging.level.org.springframework.security=DEBUG
spring.cache.type = none
debug.clientTrace = true

ACT_RU_AUTHORIZATION:

| id_ | rev_ | type_ | group_id_ | user_id_ | resource_type_ | resource_id_ | perms_ |
|---|---|---|---|---|---|---|---|
| 691fd28c-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 0 | * | 2147483647 |
| 6920bced-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 1 | * | 2147483647 |
| 6921592e-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 2 | * | 2147483647 |
| 6922438f-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 3 | * | 2147483647 |
| 69232df0-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 4 | * | 2147483647 |
| 69241851-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 5 | * | 2147483647 |
| 6924b492-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 6 | * | 2147483647 |
| 69259ef3-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 7 | * | 2147483647 |
| 69266244-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 8 | * | 2147483647 |
| 69272595-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 9 | * | 2147483647 |
| 6927e8e6-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 10 | * | 2147483647 |
| 6928ac37-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 11 | * | 2147483647 |
| 69294878-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 12 | * | 2147483647 |
| 692a0bc9-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 13 | * | 2147483647 |
| 692aa80a-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 14 | * | 2147483647 |
| 692b6b5b-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 15 | * | 2147483647 |
| 692c55bc-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 16 | * | 2147483647 |
| 692cf1fd-ac8d-11e9-9f08-0e1a16446803 | 1 | 1 | camunda-admin | | 17 | * | 2147483647 |


#19

@Yana: well?


#20

Sorry for the delay, you need to explicitly enable the authorization:

camunda.bpm.authorization.enabled=true

Please check the Spring Boot docs for reference.
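
Added example, not part of the thread or of Camunda's code: a pre-deployment check for the misconfiguration resolved above. It reads an application.properties text, confirms `camunda.bpm.authorization.enabled` is explicitly true, and then checks whether a given group holds a wildcard grant like the `camunda-admin` rows in post #18. The function names and the sample inputs are constructed for illustration.

```python
ALL_PERMS = 2147483647   # perms_ value in the thread's dump: every permission bit set
GRANT = 1                # type_ 1 is a grant authorization in Camunda
AUTH_KEY = "camunda.bpm.authorization.enabled"

def parse_properties(text):
    """Parse key = value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def authorization_enabled(props):
    """Per the thread, checks stay off unless the key is explicitly true."""
    return props.get(AUTH_KEY, "false").lower() == "true"

def wildcard_admins(rows):
    """Groups or users granted all permissions on resource id '*'."""
    return {group or user
            for type_, group, user, res_id, perms in rows
            if type_ == GRANT and res_id == "*" and perms == ALL_PERMS}

def audit(properties_text, rows, group):
    """Return (ok, message) for whether `group` is limited to its own grants."""
    if not authorization_enabled(parse_properties(properties_text)):
        return False, f"{AUTH_KEY} is not true: '{group}' is unrestricted"
    if group in wildcard_admins(rows):
        return False, f"'{group}' holds a wildcard grant of all permissions"
    return True, f"'{group}' is limited to its explicit grants"

# Constructed sample input modelled on post #18: two of the posted settings
# and two of the camunda-admin rows (type_, group_id_, user_id_,
# resource_id_, perms_); user_id_ is empty for group grants.
POSTED = "spring.cache.type = none\ndebug.clientTrace = true\n"
FIXED = POSTED + "camunda.bpm.authorization.enabled=true\n"
ROWS = [(1, "camunda-admin", None, "*", ALL_PERMS),
        (1, "camunda-admin", None, "*", ALL_PERMS)]

if __name__ == "__main__":
    for label, text in (("as posted", POSTED), ("with fix", FIXED)):
        print(label, audit(text, ROWS, "Users"))
```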