Task assignment by User Group

Hi,
I need to restrict task assignment by user group.

For example, a User Task can be claimed only by users belonging to the “Buyer” group, and so on.

Thanks in advance, regards

1 Like

Hi Antonio,

You can set candidateGroup.
If you use the REST API this can be achieved with identity links.
Check this:
https://docs.camunda.org/manual/7.8/reference/rest/task/identity-links/post-identity-link/
and you need to pass the group id of the candidate group.

Best regards,
Yana

Thanks for the reply @yana.vasileva, can I restrict/deny assignment for users which are not included in that group in this way?

Because I tried to set the allowed group at BPMN level but the task is still assignable for all kinds of users :frowning:

Thanks a lot

1 Like

Hi Antonio,

What do you mean by assigning a user on BPMN level?
We have a new option to set candidateGroup when you develop the process in the Modeler.
https://blog.camunda.com/post/2018/04/camunda-modeler-1130-released/

Best regards,
Yana

Thanks for the reply @yana.vasileva, I tried to set the candidate group on the BPMN as shown below:

But each user can still claim and complete the task.

2 Likes

Do you need the restriction on the task? Or would a restriction on process level also work for you?

Yes, the goal is to allow task assignment and completion only to users included in a specified group.

2 Likes

Hi Antonio,

It is not possible to restrict task assignment. (docs)
However, you can create filters for tasks and those filters can be restricted to specific users or groups.

This means, if you have group A:
Create a filter which contains tasks with candidate group A.
Enable this filter only for users of group A.
Hope that helps.

Best regards,
Yana

1 Like

Thanks for the reply @yana.vasileva

The filter solution is only for the Tasklist; I need to prevent unauthorized task assignment as a global rule.

Are there any other options?
Or else could I consider implementing a TaskListener?

I don’t think so.

Correct.

Hi @yana.vasileva,
Could configuring an authorization that restricts a Task Definition Key to a single group be a solution?

For Example: “UserTask1 -> Group1”
Can we even do that?

Hi @antonior
Only group members should have access to the task unless you have explicitly assigned permissions to others to access it.
You can review the permissions assigned from the admin application.
Could you send your granted permissions for the process definition and process instance resources, please?
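A way to do the review hassang suggests from code instead of the admin application, as an added example that is not code from any poster in this thread or from Camunda itself: given a user id and a task id, it resolves the user's group memberships, asks the engine whether UPDATE on that task is authorized (the permission a claim needs), and lists both the task-specific and the wildcard (`*`) authorization rows on the TASK resource, because a wildcard grant to a group is a common reason why "everybody can claim". The `org.camunda.bpm` package and the class name are assumptions; the engine calls are the public Camunda 7 AuthorizationService and IdentityService APIs.

```java
package org.camunda.bpm; // hypothetical package, chosen to match the listener posted later in this thread

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.Group;

/** Diagnostic helper (hypothetical class name) for "why can this user claim that task?". */
public class TaskAuthorizationCheck {

  private final ProcessEngine engine;

  public TaskAuthorizationCheck(ProcessEngine engine) {
    this.engine = engine;
  }

  /** True if userId, with all of its group memberships, is authorized to UPDATE (claim) the task. */
  public boolean canClaim(String userId, String taskId) {
    IdentityService identityService = engine.getIdentityService();
    List<String> groupIds = new ArrayList<>();
    for (Group group : identityService.createGroupQuery().groupMember(userId).list()) {
      groupIds.add(group.getId());
    }
    // The engine evaluates GLOBAL, GRANT and REVOKE rows; a REVOKE wins over grants.
    return engine.getAuthorizationService()
        .isUserAuthorized(userId, groupIds, Permissions.UPDATE, Resources.TASK, taskId);
  }

  /**
   * One line per authorization row that can affect the task: rows bound to this task id
   * plus rows bound to the wildcard resource id "*", which apply to every task.
   */
  public List<String> describeAuthorizations(String taskId) {
    AuthorizationService authorizationService = engine.getAuthorizationService();
    List<String> rows = new ArrayList<>();
    for (String resourceId : new String[] {taskId, Authorization.ANY}) {
      List<Authorization> auths = authorizationService.createAuthorizationQuery()
          .resourceType(Resources.TASK)
          .resourceId(resourceId)
          .list();
      for (Authorization auth : auths) {
        Permission[] granted = auth.getPermissions(Permissions.values());
        rows.add(typeName(auth.getAuthorizationType())
            + " resourceId=" + resourceId
            + " user=" + auth.getUserId()
            + " group=" + auth.getGroupId()
            + " permissions=" + Arrays.toString(granted));
      }
    }
    return rows;
  }

  private static String typeName(int authorizationType) {
    if (authorizationType == Authorization.AUTH_TYPE_GLOBAL) {
      return "GLOBAL";
    }
    if (authorizationType == Authorization.AUTH_TYPE_GRANT) {
      return "GRANT";
    }
    if (authorizationType == Authorization.AUTH_TYPE_REVOKE) {
      return "REVOKE";
    }
    return "UNKNOWN(" + authorizationType + ")";
  }
}
```

Run `canClaim` for a user who is not in the candidate group: if it returns true, the rows from `describeAuthorizations` show which GRANT or GLOBAL entry (typically one with `resourceId=*`) is letting the claim through, and if it returns false while the claim still succeeds in the application, authorization checks are not enabled in that engine configuration.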

Thanks for the reply @hassang, I will do a trial!

Is it also possible to deny task claims by expressions?
For example, deny the task claim to the ‘starter’ user or to a specific one?

Thanks in advance

Hi @antonior

You could revoke authorizations for the initiator using a TaskListener:

<userTask id="myTask" name="My Task">
  <extensionElements>
    <camunda:taskListener event="assignment" class="org.camunda.bpm.TestTaskListener" />
  </extensionElements>
</userTask>

Below is the implementation of the TaskListener:

package org.camunda.bpm;

import java.util.logging.Logger;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.delegate.TaskListener;

public class TestTaskListener implements TaskListener {

  private static final Logger log = Logger.getLogger(TestTaskListener.class.getName());

  @Override
  public void notify(DelegateTask delegateTask) {
    // The process is expected to store the starting user in the "initiator" variable
    // (camunda:initiator on the start event); without it there is nobody to revoke.
    Object initiatorVariable = delegateTask.getExecution().getProcessInstance().getVariable("initiator");
    if (initiatorVariable == null) {
      log.warning("no 'initiator' variable for task " + delegateTask.getId() + ", nothing revoked");
      return;
    }
    String initiator = initiatorVariable.toString();
    log.info("initiator: " + initiator);

    AuthorizationService authorizationService =
        delegateTask.getProcessEngineServices().getAuthorizationService();

    // A REVOKE authorization takes precedence over any GRANT for the same user on this task.
    Authorization authorization =
        authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_REVOKE);

    Permission[] permissions = new Permission[1];
    permissions[0] = Permissions.ALL;

    authorization.setUserId(initiator);
    authorization.setResource(Resources.TASK);
    authorization.setResourceId(delegateTask.getId());
    authorization.setPermissions(permissions);

    authorizationService.saveAuthorization(authorization);
  }
}
2 Likes

Hi @hassang
Is it possible to make the TaskListener grant valid authorization on a specific task only to its candidate groups?
I mean that if a specific user of group “A” tries to claim a task which has as candidate groups “B”, “C” and “D” but not “A”, is the task listener able to block that claim? How can it be implemented?
Is it also possible to avoid TaskAlreadyClaimedException?
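One way to implement the block asked about in the post above, as an added example that is not code from any poster in this thread or from Camunda: a TaskListener on the assignment event that compares the new assignee with the task's candidate users and candidate groups and throws when there is no match, which rolls the claim back so the task stays unassigned. The `org.camunda.bpm` package and the class name are assumptions; the calls used are the public Camunda 7 DelegateTask, IdentityService and IdentityLink APIs. It does not prevent TaskAlreadyClaimedException, which the engine raises while checking the task's existing assignee before the assignment listener runs; a caller that wants to avoid that exception has to look up the current assignee before claiming.

```java
package org.camunda.bpm; // hypothetical package, chosen to match the listener posted above

import java.util.HashSet;
import java.util.Set;

import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.delegate.TaskListener;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.task.IdentityLink;

/**
 * Rejects a claim whose assignee is neither a candidate user of the task nor a
 * member of one of its candidate groups (hypothetical class name).
 *
 * Register it on the "assignment" event, e.g.
 *   <camunda:taskListener event="assignment"
 *                         class="org.camunda.bpm.CandidateOnlyAssignmentListener" />
 * Throwing from the listener aborts the claim command and its transaction.
 */
public class CandidateOnlyAssignmentListener implements TaskListener {

  @Override
  public void notify(DelegateTask task) {
    String assignee = task.getAssignee();
    if (assignee == null) {
      return; // unclaim / unassignment: nothing to enforce
    }

    // Collect the task's current candidate users and groups from its identity links.
    Set<String> candidateUsers = new HashSet<>();
    Set<String> candidateGroups = new HashSet<>();
    for (IdentityLink link : task.getCandidates()) {
      if (link.getUserId() != null) {
        candidateUsers.add(link.getUserId());
      }
      if (link.getGroupId() != null) {
        candidateGroups.add(link.getGroupId());
      }
    }

    if (candidateUsers.isEmpty() && candidateGroups.isEmpty()) {
      return; // no candidates defined on this task: leave the engine's default behaviour alone
    }
    if (candidateUsers.contains(assignee)) {
      return; // explicitly named candidate user
    }

    // Resolve the assignee's group memberships and look for any overlap with the candidate groups.
    IdentityService identityService = task.getProcessEngineServices().getIdentityService();
    for (Group group : identityService.createGroupQuery().groupMember(assignee).list()) {
      if (candidateGroups.contains(group.getId())) {
        return; // member of a candidate group
      }
    }

    throw new ProcessEngineException("User '" + assignee + "' is not a candidate for task '"
        + task.getTaskDefinitionKey() + "' (candidate groups: " + candidateGroups
        + ", candidate users: " + candidateUsers + ")");
  }
}
```

Because the check runs inside the engine command, it applies to every way of setting the assignee (Tasklist claim, REST API, Java API), which is the "global rule" asked for earlier in the thread; the trade-off is that an administrator who is not in a candidate group is blocked too, so add an exemption for such a group if the process needs one.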

Hello @hassang,
Thank you for this solution, I’ve used it but unfortunately it didn’t work for my case.
My task could be claimed by other users that do not belong to my candidateGroup.
My user task in the BPMN process:

<bpmn:userTask id="Activity_1fpnoak" name="task" camunda:candidateGroups="group">
  <bpmn:extensionElements>
    <camunda:taskListener class="org.camunda.bpm.TestTaskListener" event="assignment" />
  </bpmn:extensionElements>
  <bpmn:incoming>Flow_0y73yn6</bpmn:incoming>
  <bpmn:outgoing>Flow_0bs8oji</bpmn:outgoing>
</bpmn:userTask>

And I’ve added to your TaskListener class this instruction to set the authorization to my candidateGroup only: authorization.setGroupId("groupId");
Any help, thank you

Hi @HEss,

Setting camunda:candidateGroups to specific group(s) should do the job.
If others still can claim the task then either authorization is disabled or others have been granted the permission(s) to claim the task.

Please make sure that authorization is enabled & review “Task Authorizations” page in the admin app.
https://docs.camunda.org/manual/latest/user-guide/process-engine/authorization-service/#when-are-authorizations-checked

1 Like

Thank you for your reply @hassang,
Correct me if I’m wrong; to enable authorization I’ve added this to my configuration:

camunda:
  bpm:
    authorization:
      enabled: true

But I keep getting the same thing: other users can still claim tasks even though they aren’t in the group.

Regarding other users having been granted permissions, I don’t think so; I only have 2 users in the group.
Thank you very much

Hi @HEss,

I am not experienced with Spring Boot, but it seems to be the correct configuration as per the docs.

As per the docs, rebuild and rerun the application again. Don’t forget to call mvn clean before calling mvn install again.

1 Like

This doesn’t seem to be working for me. Here’s what I did:

  1. Assigned the group “finance” to a task’s “candidate groups”.
  2. Created a filter called Finance with the criteria “Candidate Group*” = finance
  3. and with permission group = finance

After doing this, if I am logged in as a member of something other than the finance group, I expected that I wouldn’t see the Finance filter. However, I do see the filter and can claim the displayed tasks.

What am I doing wrong?