Hi all,
We have a system where members of certain sales groups (competitors of one another) can submit some data. Let’s say we have two sales groups: hp_sales and ibm_sales.
After completing the first user form, a new user is created and assigned to the external_users group (this requires READ and CREATE permissions on USER).
The issue now is that the authorization rules of the sales group that completes the form are checked. So I can only finish the form successfully when these two rules exist:
- ALLOW GROUP hp_sales CREATE/READ *
- ALLOW GROUP ibm_sales CREATE/READ *
But this also allows ibm_sales to read users from hp_sales!
Is it possible to create this new user with a system user instead so I don’t have to define these two rules?
Below is the code where I create the user and assign it to the external_users group:
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.interceptor.Command;

// identityService, authorizationService, LOGGER, selectedUser and tempPassword are
// fields of the surrounding bean; the method name createExternalUser is a placeholder.
private void createExternalUser(String userId) {
    Group externalUserGroup = identityService.createGroupQuery()
        .groupId(VariableConstants.EXTERNAL_GROUP_ID)
        .singleResult();
    if (externalUserGroup != null) {
        LOGGER.debug("Creating new external user in Camunda.");
        ProcessEngineConfigurationImpl processEngineConfiguration = Context.getProcessEngineConfiguration();
        // The user is created in its own (REQUIRES_NEW) transaction.
        processEngineConfiguration.getCommandExecutorTxRequiresNew().execute((Command<Void>) commandContext -> {
            org.camunda.bpm.engine.identity.User camundaUser = identityService.newUser(userId);
            camundaUser.setFirstName(selectedUser.getFirstName());
            camundaUser.setLastName(selectedUser.getLastName());
            camundaUser.setEmail(selectedUser.getEmail());
            camundaUser.setPassword(tempPassword);
            identityService.saveUser(camundaUser);
            identityService.createMembership(camundaUser.getId(), VariableConstants.EXTERNAL_GROUP_ID);
            return null;
        });
        changeDefaultUserPermission(userId);
    }
}

/**
 * Override the default authorization the engine grants a new user on itself
 * (ALL on its own USER resource) with READ/UPDATE only.
 */
private void changeDefaultUserPermission(String userId) {
    Authorization defaultUserAuthorization = authorizationService.createAuthorizationQuery()
        .resourceType(Resources.USER)
        .hasPermission(Permissions.ALL)
        .userIdIn(userId)
        .resourceId(userId)
        .singleResult();
    if (defaultUserAuthorization != null) {
        defaultUserAuthorization.setPermissions(new Permission[]{Permissions.READ, Permissions.UPDATE});
        authorizationService.saveAuthorization(defaultUserAuthorization);
    }
}
Any help is highly appreciated. Thank you in advance!
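One way to do what is asked above, as an added example that is not from the original post or from Camunda itself: the user is created while the caller's thread-local authentication is cleared (the engine runs no authorization checks when no authentication is set), and the sales group that submitted the form is then granted READ on that single user instead of on all users. The class name, method name and parameters are hypothetical; it assumes Camunda 7's IdentityService and AuthorizationService.

```java
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.impl.identity.Authentication;

public class ExternalUserProvisioner { // hypothetical helper, not Camunda API

  private final IdentityService identityService;
  private final AuthorizationService authorizationService;

  public ExternalUserProvisioner(IdentityService identityService,
                                 AuthorizationService authorizationService) {
    this.identityService = identityService;
    this.authorizationService = authorizationService;
  }

  /** Creates the external user without the submitting sales group needing any
   *  CREATE/READ permission on USER, then grants it READ on this one user only. */
  public User createExternalUser(String userId, String firstName, String lastName,
                                 String email, String tempPassword,
                                 String externalGroupId, String submittingSalesGroupId) {
    Authentication caller = identityService.getCurrentAuthentication();
    identityService.clearAuthentication(); // no authentication set => engine skips its checks
    try {
      User user = identityService.newUser(userId);
      user.setFirstName(firstName);
      user.setLastName(lastName);
      user.setEmail(email);
      user.setPassword(tempPassword);
      identityService.saveUser(user);
      identityService.createMembership(userId, externalGroupId);
      // Least privilege: resourceId is the new user's id, not Authorization.ANY ("*"),
      // so ibm_sales cannot read users created by hp_sales and vice versa.
      Authorization grant = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
      grant.setGroupId(submittingSalesGroupId);
      grant.setResource(Resources.USER);
      grant.setResourceId(userId);
      grant.addPermission(Permissions.READ);
      authorizationService.saveAuthorization(grant);
      return user;
    } finally {
      identityService.setAuthentication(caller); // restore the caller's authentication
    }
  }
}
```

With this in place the two ALLOW GROUP ... CREATE/READ * rules are no longer needed; each sales group can read only the users it created itself.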