Authorization - start a process problem

Hi,
I am trying to understand the concept of authorization. I want a user from the group StudentGroup to be able to start the process bppminiwik. The user SekiMA from the group SekiGroup is only allowed to read the user task Stammdaten anzeigen.
[image]

I created the following users and groups:
User: SekiMA (dedicated to SekiGroup)
User: Studi1 (dedicated to StudentGroup)

Group: StudentGroup
Group: SekiGroup

Authorizations:
[image]


Unfortunately, the user Studi1 is not allowed to start the process (only allowed to see the tasklist). So I started the process with admin access. The user SekiMA can now see the task “Stammdaten anzeigen”.

Why is the user Studi1 not allowed to start the process?

Thanks for your help,
Nicole

Hi Nicole,

From your description:

Studi1 belongs to SekiGroup, which doesn’t have the permissions (CREATE_INSTANCE and CREATE) to start the bppwkmini process.

Studi1 should belong to StudentGroup.

Oh that was a typo, sorry. No, it is configured right. (Studi1 belongs to StudentGroup)

In case you use Camunda 7.10, please have a look at:
https://docs.camunda.org/manual/7.10/webapps/tasklist/working-with-tasklist/#start-a-process

Required permissions: CREATE_INSTANCE and READ permissions on Process definition level, and CREATE permission for all Process instances.

2 Likes

Hi @NickiMueller,

For "Process Instance Authorizations"
Resource ID should be “*” instead of “bppwkmini”
and both of them need only READ permission.

For "Process Definition Authorizations"
In case members of “StudentGroup” should be able to work on the process too, then set both “CREATE_INSTANCE, READ” permissions for the “StudentGroup” group.

Ah ok, I forgot the READ permission. Thanks

For better understanding: I thought that if I type “*”, the user or group is able to start every process. I only want him to start the process bppminiwk. Am I thinking about this correctly?

Hi Nicole,

Only the resource id of the Process Instances authorization needs to be set to “*” (for permission READ). The reason behind this is that there is no process instance id before the creation of the process instance. So you need to specify READ permission for all process instances (asterisk as resource id), as described in the docs.
You can leave bppwkmini as resource id for CREATE_INSTANCE, READ permission of the Process Definition.

I hope that the picture is more clear now.

Best regards,
Yana

2 Likes
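An added example, not part of the thread and not Camunda's own code: a simplified, grant-only model of the "Required permissions" rule quoted from the Tasklist docs above. It shows why the “*” on the Process Instance authorization does not widen which processes a group can start. The names `Grant`, `allowed` and `can_start_in_tasklist`, the key `otherProcess` and the sample grants are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard resource id, as used in the thread

@dataclass(frozen=True)
class Grant:
    group: str
    resource: str           # "PROCESS_DEFINITION" or "PROCESS_INSTANCE"
    resource_id: str        # a process definition key, or ANY
    permissions: frozenset

def allowed(grants, groups, resource, resource_id, permission):
    """True if a grant for one of the user's groups covers the request.
    Simplified: grants only, no revoke or global authorizations."""
    return any(
        g.group in groups
        and g.resource == resource
        and g.resource_id in (ANY, resource_id)
        and permission in g.permissions
        for g in grants
    )

def can_start_in_tasklist(grants, groups, definition_key):
    """Rule quoted from the docs: CREATE_INSTANCE and READ on the definition,
    plus CREATE for all process instances (no instance id exists yet)."""
    return (
        allowed(grants, groups, "PROCESS_DEFINITION", definition_key, "CREATE_INSTANCE")
        and allowed(grants, groups, "PROCESS_DEFINITION", definition_key, "READ")
        and allowed(grants, groups, "PROCESS_INSTANCE", ANY, "CREATE")
    )

# Constructed grants: definition scoped to one key, instances use the wildcard.
GRANTS = [
    Grant("StudentGroup", "PROCESS_DEFINITION", "bppwkmini",
          frozenset({"CREATE_INSTANCE", "READ"})),
    Grant("StudentGroup", "PROCESS_INSTANCE", ANY, frozenset({"CREATE", "READ"})),
    Grant("SekiGroup", "PROCESS_INSTANCE", ANY, frozenset({"READ"})),
]

# Constructed misconfiguration: READ missing on the definition and the
# instance grant bound to a definition key instead of "*".
MISCONFIGURED = [
    Grant("StudentGroup", "PROCESS_DEFINITION", "bppwkmini",
          frozenset({"CREATE_INSTANCE"})),
    Grant("StudentGroup", "PROCESS_INSTANCE", "bppwkmini", frozenset({"CREATE"})),
]

if __name__ == "__main__":
    for key in ("bppwkmini", "otherProcess"):
        print(key, can_start_in_tasklist(GRANTS, {"StudentGroup"}, key))
```

The definition-level grant is what limits the group to one process; the wildcard instance grant alone never satisfies the check for any other key.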