Camunda Authorizations for HistoricProcessInstances

hoestreich · September 13, 2022, 2:13pm

Hey there,

I’m currently experimenting with the authorization system of Camunda.
My goal: Users who are in a specific group should be able to query running process instances which were started by one of their group members.

If the process instance is started by user A, we automatically create the authorizations for the process instance for his/her group.
However, if the user B of the same team wants to query for the process instance that his/her group member started, we only get empty responses. Even though we added authorizations for the HistoricProcessInstance as well.

Only if we add the READ_HISTORY authorization on the process definition, the non-starting team member receives the process instances started by his/her group member.

My expectation would be that if we activate the HistoricInstancePermissions (Authorization Service | docs.camunda.org) the authorization on process definition level is not necessary anymore.
Is this a bug or a missunderstanding on my side?

Best regards,
Hendrik

fml2 · September 14, 2022, 7:29am

Your expectations are intuitive but, in the end, the truth lies in the code. Since there is no clear specification of how the authorities should work, every behaviour can be declared as “works as designed”. I think camunda will be very reluctant to changing anything here because of the backward compatibility (which is good). Hence your best option is to make some experiments and design your code accordingly – which you already do . Maybe create a patch for the docs clarifying the behaviour at this point.

hoestreich · September 15, 2022, 8:39am

@fml2 Thanks for your response.

My workaround now is the following:

Query for the running processInstances via the processInstanceApi (which considers the authorizations)
For the results execute a second query to the historicProcessInstanceApi to get the details (e.g. when was the process instance started and by whom)

This way group members can only see process instances which were started by themselves or their team mates.

fml2 · September 15, 2022, 6:57pm

Do you mean that you only have the restrictions for the running instances but not for the historic ones? E.g. you use the query for the running instances to find out which instances the user is permitted to see and then fetch the details via historic API. Is my understanding correct?

Also: How do you create the authorizations when you start the instances? Do you just call the appropriate APIs or do you use some kind of listener?

Thank you for the insights!

hoestreich · September 16, 2022, 9:32am

Yes your understanding is correct. If the authorizations / restrictions would work (as expected) for the HistoricProcessInstance queries, I could use one less query.

The authorizations are created right after process was started:

ProcessInstance processInstance = runtimeService.startProcessInstanceByKey(event.getProcessKey(),
                event.getBusinessKey().value(), event.getVariables());

Authorization processInstanceAuthorization = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
            processInstanceAuthorization.setGroupId(event.getGroupId());
            processInstanceAuthorization.setResourceType(Resources.PROCESS_INSTANCE.resourceType());
            processInstanceAuthorization.setResourceId(processInstance.getProcessInstanceId());
            processInstanceAuthorization.setPermissions(new Permission[]{Permissions.ALL});

            authorizationService.saveAuthorization(processInstanceAuthorization);

Authorization historicProcessInstanceAuthorization = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
            historicProcessInstanceAuthorization.setGroupId(event.getGroupId());
            historicProcessInstanceAuthorization.setResourceType(Resources.HISTORIC_PROCESS_INSTANCE.resourceType());
            historicProcessInstanceAuthorization.setResourceId(processInstance.getProcessInstanceId());
            historicProcessInstanceAuthorization.setPermissions(new Permission[]{Permissions.ALL});

            authorizationService.saveAuthorization(historicProcessInstanceAuthorization);

But as described before, I still need the READ_HISTORY authorization on the process definition.

fml2 · September 16, 2022, 9:53am

Thank you for the clarification! I just have one more question: When do the created permissions get deleted? IMO it would be bad if they remained in the DB forever. Do you have a reliable mechanism for that?

hoestreich · September 16, 2022, 11:23am

No worries, glad to clarify the issue.

Yes, that’s also something I’ve thought of. Gladly the Authorization of the ProcessInstance Level are automatically deleted by Camunda, no need to take own action.
The authorizations for the HistoricProcessInstances currently remain in the DB.
Since in our use case it is important that users can access reports about their previous executions of a process, that is also necessary.