@Mass_Shake it’s expected behaviour. Through REST api you can claim, set assignee or complete the task for the user by sending the userid as part of payload. It’s not mandatory that user need to be in camunda database.
When you claim/set assignee for any tasks, the task & user relation will be updated in ACT_RU_IDENTITYLINK table.
To prevent non camunda users, you can secure the rest api.
You can verify the user on rest api call via :
- POST `/identity/verify``.
For REST api Basic auth :
Keycloak SSO: