When I create users using the Spring Boot (embedded Process Engine) version using the Admin application, the users do not have any restrictions at all.
From vanilla install, the database is created and the form shows to create the admin user. Using this admin user any other created users have full permission. It is as though these users are “superusers” and changing their permissions makes no difference. I did not have this problem with a stand-alone process engine.
The log shows a warning when the Admin page loads:
o.glassfish.jersey.servlet.WebComponent : A servlet request to the URI http://localhost:8090/api/admin/auth/user/default/login/admin contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
Camunda version 7.6.0 with
<groupId>org.camunda.bpm.extension.springboot</groupId>
<artifactId>camunda-bpm-spring-boot-starter-webapp</artifactId>
<version>2.0.0</version>
and H2 database
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.3.171</version>