Authorization Mapping

Hi Experts,
In my problem statement, I am connecting to LDAP to retrieve the user and group list, and I need to map these to the candidate groups/roles defined within my process, where the candidate groups are different from the LDAP groups/users. In tools from IBM and Tibco, it's quite an easy task to define the Org Model and define the mapping in the Process Admin. Can you guide me on how I can do it in Camunda? I assume this is a very basic feature, so it should be possible; I just don't know how.

I would really appreciate it if someone could answer this question; it seems pretty basic.

Hard to know how to answer this - if you’re using LDAP as your users and groups then what exactly do you need to map? Camunda and the processes will use the users and groups from LDAP.

Hi Niall,
Thanks for the response.
Typically, participant groups or candidate groups, which are created as part of process swim lanes, are fine-grained and differ from the groups in LDAP, which are coarse-grained, and there may not always be a direct mapping between them. It will need a role binding. It becomes more important when we have a federated repository scenario.
Say we have a hiring process with three roles, Hiring Manager, Approving Manager and HR Manager, where each corresponds to a lane in the process. And the LDAP will have the Users and Groups (Employee, Managers). Or an appraisal system where there could be three participant groups, Performer, Appraiser and Reviewer, which need to be mapped to the roles (users/groups) fetched from LDAP.
I can do the above pretty easily in a visual way in any of the proprietary tools by

  • Creating the participant groups for the process in process designer, create an organisation model of roles
  • Creating the binding groups for the process in process admin, bind the same to different LDAP roles (users/groups)
  • Bind the participant groups to binding groups

So the questions are

  • Is it possible to do the above using Camunda?
  • Can I do it visually through the designer/admin console, or will I have to write some code using the Identity Service/Task Service?

Hope it is clearer now.


Lanes have no execution semantics in Camunda, they’re purely visual.
To assign groups or users to a given task, you need to set that property on the individual task, either as an expression or as a hard-coded string.
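
One way to express the role binding through a task-level expression, added here as an example that is not part of the thread or Camunda's own code. The `RoleBinding` class, the bean name `roleBinding`, the task id and the `HR` group id are assumptions; the role and group names otherwise come from the hiring example above.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not Camunda API): binds fine-grained process roles to
// coarse LDAP group ids. Exposed as a bean named "roleBinding" (assumed name),
// it can be called from the user task's candidate-group expression:
//   <bpmn:userTask id="approveHire"
//       camunda:candidateGroups="${roleBinding.groupsFor('ApprovingManager')}" />
public class RoleBinding {
    private final Map<String, List<String>> bindings;

    // knownLdapGroups: the group ids that actually exist in the directory.
    // A binding to an empty list or to a missing group is rejected at startup.
    public RoleBinding(Map<String, List<String>> bindings, Set<String> knownLdapGroups) {
        bindings.forEach((role, groups) -> {
            if (groups.isEmpty() || !knownLdapGroups.containsAll(groups)) {
                throw new IllegalStateException(
                    "Role " + role + " is bound to no group or to a group missing from LDAP");
            }
        });
        this.bindings = Map.copyOf(bindings);
    }

    // Returns a comma-separated list of group ids, the form candidateGroups accepts.
    // Fails closed: an unbound role raises an error instead of yielding a task
    // whose candidates were never decided.
    public String groupsFor(String processRole) {
        List<String> groups = bindings.get(processRole);
        if (groups == null) {
            throw new IllegalArgumentException("No LDAP binding for process role: " + processRole);
        }
        return String.join(",", groups);
    }

    public static void main(String[] args) {
        // Constructed sample data for illustration.
        RoleBinding binding = new RoleBinding(
            Map.of("HiringManager", List.of("Managers"),
                   "ApprovingManager", List.of("Managers"),
                   "HRManager", List.of("HR", "Managers")),
            Set.of("Employee", "Managers", "HR"));
        System.out.println(binding.groupsFor("HRManager"));
        try {
            binding.groupsFor("Reviewer"); // role with no binding
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```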