I have been looking at the documentation from camunda on authentication and authorization however not getting enough clarity on it, please could someone explain in simple terms or point me to some documentation that explains with examples -
I specifically want to understand what’s managed by camunda and what’s managed by external AD when using external AD for users and groups management with camunda based applications?
An external AD provides the information about the existing users, groups and their relations, i.e. what user is member in which group. In the default setup, this information is stored in a couple of DB tables in camunda, but you can install a plugin (e.g. LDAP or Keycloak – or write your own one) and from then on you’ll get this information from the AD.
Regardless of the source of the information about users and groups, the authorizations are stored in the camunda DB. The authorizations tell which user or group may perform which operations. This has the impact on the GUI (the cockpit), the REST API and also on optimize.
Why the permission management was put into and made an integral part of the engine (and not defined e.g. in the GUI) is a debatable question that has been discussed here in the forums. But it’s not part of your question.
Thanks for this. Let’s say I have a simple scenario: I have 2 groups in my LDAP/AD system - GROUP A and GROUP B. There are 4 users in LDAP/AD.
Group A has user 1 and user 2.
Group B has user 3 and user 4.
Now in context of Camunda I want that users of Group A should be able to do a certain task but users of Group B should not have that access.
Now to define/configure this in Camunda BPM, what all actions do we need to perform?
Do we need to create logical groups in Camunda admin or can we directly use Group A and B from LDAP to create these authorizations ?
You don’t have to define logical groups in camunda. You just have to create the authorization entries for the Group A and Group B. You can do this via the GUI (admin area, authorizations) or by directly inserting the rows into the DB table (you have to know what values to use) or by the API (authorization service).
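The API route described above, as an added example that is not from this thread or from Camunda's own code: it uses the engine's Java `AuthorizationService` to grant Group A the right to start one process definition while Group B gets no entry at all. The group ids, the process key and the `ProcessEngine` instance are assumptions; the group ids must match what the LDAP plugin exposes (its configured group id attribute), and `authorizationEnabled` must be switched on in the engine configuration for the entries to take effect.

```java
import java.util.Collections;
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resource;
import org.camunda.bpm.engine.authorization.Resources;

/** Grants Group A the right to start one process; Group B gets nothing and is denied by default. */
public class GroupAuthorizations {

    // Assumed ids: the LDAP group ids as the plugin reports them and a deployed process key.
    static final String GROUP_A = "group-a";
    static final String GROUP_B = "group-b";
    static final String PROCESS_KEY = "invoice";

    static void grant(AuthorizationService svc, String groupId, Resource resource,
                      String resourceId, Permission... perms) {
        Authorization auth = svc.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        auth.setGroupId(groupId);      // the LDAP group id; no Camunda-side group is created
        auth.setResource(resource);
        auth.setResourceId(resourceId);
        for (Permission p : perms) {
            auth.addPermission(p);
        }
        svc.saveAuthorization(auth);   // row lands in the engine's ACT_RU_AUTHORIZATION table
    }

    public static void configure(ProcessEngine engine) {
        AuthorizationService svc = engine.getAuthorizationService();
        // Starting a process needs CREATE_INSTANCE on the definition plus CREATE on process instances.
        grant(svc, GROUP_A, Resources.PROCESS_DEFINITION, PROCESS_KEY, Permissions.READ, Permissions.CREATE_INSTANCE);
        grant(svc, GROUP_A, Resources.PROCESS_INSTANCE, "*", Permissions.CREATE);
        // Deliberately no entry for GROUP_B: with authorization enabled, anything not granted is denied.
        // Only if a wildcard grant (group "*") already existed would an AUTH_TYPE_REVOKE row for GROUP_B be needed.
    }

    /** Checks the result the way the engine will evaluate it for a user who is a member of groupId. */
    public static boolean canStart(ProcessEngine engine, String userId, String groupId) {
        List<String> groups = Collections.singletonList(groupId);
        AuthorizationService svc = engine.getAuthorizationService();
        return svc.isUserAuthorized(userId, groups, Permissions.CREATE_INSTANCE, Resources.PROCESS_DEFINITION, PROCESS_KEY)
            && svc.isUserAuthorized(userId, groups, Permissions.CREATE, Resources.PROCESS_INSTANCE);
    }
}
```

After `configure(engine)`, `canStart(engine, "user1", GROUP_A)` is expected to return true and `canStart(engine, "user3", GROUP_B)` false, provided no other authorization rows exist for that process.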