I have created a spring-starter project with camunda 7.15.0. In addition for demo purpose, I configured and integrated ApacheDS for users and groups. I am able to get users and groups in Admin using
Further, I removed the default group camunda-all and used AD groups from the screenshot. So,
HMS Victory was able to access only Cockpit
HMS Bounty was able to access only ‘Tasklist’
HMS Lydia had no access to the system
This works too and gives expected result.
However, any change to ‘Camunda > Admin > Authorization’ requires restart to take effect. Otherwise the changes do not take effect. Any change required to make AD Group changes take effect at run time ? Below is my Groups configuration.
I had faced a similar issue.
- admin changes the application permission of a group ‘A’ from ‘*’ to ‘cockpit or tasklist’ and logout .
- On the same browser window I tried to login with a user from group A. I was not allowed to login and got the error as ‘Wrong credentials, locked user or missing access rights to application’ .
What I observed was that the url was incorrect which did not allow me to login:
The moment I changed the url as below back to the default one things worked fine.
Not sure if this is expected or it is a bug as logout should have landed us back to a default window.
It looks like url set in
logout is not correct. It needs to reset the logout url to welcome screen.
it depends on the changes. If you change the Application authorization, the chnaged user needs to logoff, as the authorizations for applications are only applied on login.
Changes to other resources (for example on the Process Definitions) will be checked on the next access to the resource.
See Authorization Service | docs.camunda.org for further details.
Hope this helps, Ingo