Camunda forms - how to manage user rights

Hi,

I see the new version of Modeler and the BPM platform has the ability to create process forms. However, I do not understand one thing: how do I make user A have access to one form and user B to another?
For instance, in a simple approval process, user A requests something and user B approves the ticket. How do I make them both have different views (access to different forms/tasks)?

Regards

Hi @mkelton,

the visibility is controlled by assignee/candidates on the user tasks:
https://docs.camunda.org/manual/7.15/reference/bpmn20/tasks/user-task/#user-assignment-using-camunda-extensions

The form is referenced in the formKey on the user task:
https://docs.camunda.org/manual/7.15/user-guide/task-forms/#form-key

Hope this helps, Ingo

Thank you very much for the help. It is clearer now.
I managed to create a user on the BPM platform and gave him “Application” rights (cockpit and tasklist).
The user can log in. But now I’m trying to understand whether a user can start a process, or whether a process can only be started by an admin or the API. Suppose this is a request for a service, so the ordinary way would be that the user starts the process, right?

If I click (logged in as the user) on “start process”, I see no process name to start. I guess this is because of proper rights? What right should I give him to make it visible?
In rights management I have a field ‘Resource ID’. Where do I find the ‘Resource ID’? In the process definition I see only ‘Definition ID’ or ‘Deployment ID’.

Regards

Hi @mkelton,

the user needs permissions on the process definition and process instance to start a process instance. You can read more about the details here: Authorization Service | docs.camunda.org

Hope this helps, Ingo

OK, thank you.
And where do I find the ‘Resource ID’? If I understand correctly, the resource ID can be the deployment ID. But if I put it there, it does not work.

And why is the ‘My tasks’ menu empty even if the process is started and the user is defined as ‘Candidate user’ in the task?

Also make note that there is no concept of variable security. If your user has access to the task they can access/modify all variables in the process.

Thanks for this note. But I still do not know how to limit user rights only to one process definition.

Hello @mkelton ,

a process definition has its own authorization as @Ingo_Richtsmeier already mentioned. If you want a user or group to be allowed to start a process instance from a certain process definition, we will need at least two authorizations:

  1. CREATE_INSTANCE on Process Definition, either with * as Resource ID OR with the Process Definition ID (can be found in cockpit, see screenshot) as Resource ID. Process Definition Key could also work, you can try this as well.
  2. CREATE on Process Instance, here a * on Resource ID will do as the ID of the Process Instance cannot be determined.

I hope this helps

Jonathan
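The two grants listed in the answer above can also be created through the engine's Java API. This is an added example, not code from the thread or from Camunda. It assumes camunda-engine 7.15 and the H2 driver on the classpath. The process key `approval` and the users `userA` and `userB` are constructed for the demo, and the process definition key is used as the Resource ID.

```java
import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.authorization.*;
import org.camunda.bpm.model.bpmn.Bpmn;

public class StartPermissionDemo {
  // Save one GRANT authorization for a single user on a single resource.
  static void grant(AuthorizationService svc, String userId, Resource resource,
                    String resourceId, Permission permission) {
    Authorization auth = svc.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    auth.setUserId(userId);
    auth.setResource(resource);
    auth.setResourceId(resourceId);
    auth.addPermission(permission);
    svc.saveAuthorization(auth);
  }

  public static void main(String[] args) {
    // In-memory engine with authorization checks switched on.
    ProcessEngineConfiguration cfg =
        ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
    cfg.setAuthorizationEnabled(true);
    ProcessEngine engine = cfg.buildProcessEngine();

    // Constructed approval process: userB is the candidate for the user task.
    engine.getRepositoryService().createDeployment()
        .addModelInstance("approval.bpmn", Bpmn.createExecutableProcess("approval")
            .startEvent().userTask().camundaCandidateUsers("userB").endEvent().done())
        .deploy();

    // Without any grants, userA is refused.
    engine.getIdentityService().setAuthenticatedUserId("userA");
    try {
      engine.getRuntimeService().startProcessInstanceByKey("approval");
    } catch (AuthorizationException e) {
      System.out.println("Denied before grants: " + e.getMessage());
    }
    // Drop the authentication so the grants themselves are not permission-checked.
    engine.getIdentityService().clearAuthentication();

    AuthorizationService svc = engine.getAuthorizationService();
    // 1. CREATE_INSTANCE on this one process definition only.
    grant(svc, "userA", Resources.PROCESS_DEFINITION, "approval", Permissions.CREATE_INSTANCE);
    // 2. CREATE on process instances; the instance ID is unknown in advance, so "*".
    grant(svc, "userA", Resources.PROCESS_INSTANCE, Authorization.ANY, Permissions.CREATE);

    engine.getIdentityService().setAuthenticatedUserId("userA");
    String id = engine.getRuntimeService().startProcessInstanceByKey("approval").getId();
    System.out.println("userA started instance " + id);
    engine.close();
  }
}
```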

Thank you Jonathan. I needed some time to test it, hence the late reply.
I made some progress but am still not able to understand what to do so that the user, after reaching the ‘tasklist’ menu, can see his task. If I give the user ‘*’ permission in the ‘filter’ section, the user can build a filter. But if I limit visibility to a process name or ID, it does not work. He sees nothing. Although he can build a filter, such a filter does not work (shows nothing). ‘My task’ displays nothing, but there’s at least one task assigned to this user.

I do not understand how it works. I should give the user filter rights, right? But how do I limit rights to a specified process ID or name?
Here comes a screenshot of the default settings in Camunda. I do not see any process with the ID that is there on the screen. Where do I find this ID? I followed your instructions but found completely different IDs of preinstalled processes (I mean the preinstalled configuration; filter rights should have the ID of the processes that exist in demo Camunda, but I do not see them).

EDIT:
I see that if I set the filter permission to “Accessible by all users”, then I can give filter rights to a specified user in the filter Authorization. Probably I can limit filter access to specified users/groups on the filter details level.
I still do not get why the “My Tasks” tab is empty (this user has a task open).