Candidate users in a Task

Hello
How does camunda:candidateUsers attribute influence the Task assignment?
I set a user in this attribute, but the task is not automatically assigned to him.
Also, another user (who is not a “candidate”) can claim the task.

Is there some functionality implemented in the engine for this attribute, or is its purpose to be used in the custom filters which the user can create?
(I have a similar question about the candidateGroups attribute.)

Thanks in advance

I am still interested in the answer of this question :smiley:

Hi @jaxx,

candidateUsers attribute marks assigned users as candidates who can claim the task.

If users who are not assigned as candidates can claim the task then it most probably happens because authorization is set as disabled so please enable it then try again.

https://docs.camunda.org/manual/7.15/user-guide/process-engine/authorization-service/#when-are-authorizations-checked

Hi @hassang
Authorizations are enabled for the server:

If I try to send a REST request without authorization, I receive 401

The candidate user for my task is user1:

I am logged in TaskList using user2.
I start the process using user2.
The task is not assigned to the candidate user1.
user2 can see the task in the list with all tasks and can claim it:

Is there something, which I am doing wrong?

Thanks in advance

Hi @jaxx,

Please open admin app, open task authorizations page and check what authorizations are listed there.

If a user has “Update” permission on a task (or “Update Task” permission on the corresponding process definition) then the user is authorized to perform all these task actions

Can you please send a screenshot of the page…

Here is the screenshot from Admin / Authorizations/ Task:

This authorization for user1 is added automatically (probably because he is a candidate user).
However, user2 does not have any authorizations in the Task section
(he is not part of the camunda-admin group).

Hi @jaxx,

Exactly, this authorization got created automatically as user1 is set as candidate.

Can you please share a screenshot of the process definition authorizations page?

user2 has full authorizations here
(he is part of bousers group)

Hi @jaxx,

Then this is the reason why user2 can claim the task.

If a user has “Update” permission on a task (or “Update Task” permission on the corresponding process definition) then the user is authorized to perform all these task actions

1 Like
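
The rule from the answer above, written as an audit check (an added example, not part of the original thread and not Camunda code): it lists users who can claim tasks of a process definition through process-definition-level permissions even though they are not candidates. The record shape is assumed to follow the Camunda 7 REST `GET /authorization` response, `TASK_WORK` is included because the thread later reports it has the same effect, REVOKE authorizations are not modelled, and the process key `invoice`, `user3` and the memberships are constructed.

```python
# Added example: find users who can claim tasks of a process definition
# without being candidates. All data here is constructed.
PROCESS_DEFINITION = 6   # resourceType code (assumed from Camunda 7 REST API)
GLOBAL, GRANT = 0, 1     # authorization types; REVOKE (2) is not modelled
CLAIM_PERMS = {"ALL", "UPDATE_TASK", "TASK_WORK"}

def non_candidate_claimers(auths, process_key, candidate_users,
                           candidate_groups, memberships):
    """Return {user: (permissions, source)} for non-candidates who can claim."""
    findings = {}
    for a in auths:
        if a["resourceType"] != PROCESS_DEFINITION:
            continue  # task-level grants (e.g. the automatic candidate one)
        if a["type"] not in (GLOBAL, GRANT):
            continue
        if a["resourceId"] not in ("*", process_key):
            continue
        granted = sorted(CLAIM_PERMS & set(a["permissions"]))
        if not granted:
            continue
        # Resolve the authorization to the concrete users it covers.
        if a["type"] == GLOBAL:
            users, source = set(memberships), "global"
        elif a.get("userId"):
            users, source = {a["userId"]}, "user"
        else:
            users = {u for u, g in memberships.items() if a["groupId"] in g}
            source = "group:" + a["groupId"]
        for user in sorted(users):
            groups = memberships.get(user, set())
            if user in candidate_users or groups & set(candidate_groups):
                continue  # candidates are expected to be able to claim
            findings.setdefault(user, (granted, source))
    return findings

# Constructed sample mirroring the thread: user1 is the candidate, user2 is in
# "bousers", which holds ALL on every process definition.
MEMBERSHIPS = {"user1": set(), "user2": {"bousers"}, "user3": set()}
SAMPLE_AUTHS = [
    {"type": 1, "userId": "user1", "groupId": None, "resourceType": 7,
     "resourceId": "task-1", "permissions": ["READ", "UPDATE"]},
    {"type": 1, "userId": None, "groupId": "bousers", "resourceType": 6,
     "resourceId": "*", "permissions": ["ALL"]},
]

if __name__ == "__main__":
    print(non_candidate_claimers(SAMPLE_AUTHS, "invoice", {"user1"}, [], MEMBERSHIPS))
```

An empty result means only candidates (or holders of task-level permissions) can claim, which is the state the candidateUsers attribute is meant to enforce.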

Thank you @hassang
When I unticked the Task permissions at Process definition level, the management through the candidateUsers attribute started to work as expected.

1 Like

Hi @hassang
It would be great if this were written in the documentation. This table contains zero explanation of what the various rights do: Authorization Service | docs.camunda.org

Hi @hassang , @Michal ,

I have assigned the permissions to the user administrator as described above, but I can still execute the tasks for Role 2 with the User Administrator.
The permissions are assigned as follows:


Do you have any idea what could be missing?

I took out TASK_WORK and it works now. The user with Role1 can now only run the tasks for Role1.
I now get an exception when I try to start a process because an authorization for the user already exists:

Caused by: org.apache.ibatis.exceptions.PersistenceException:
### Error flushing statements.  Cause: org.apache.ibatis.executor.BatchExecutorException: org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity.insertAuthorization (batch index #1) failed. Cause: java.sql.BatchUpdateException:
A duplicate key row cannot be inserted into the dbo.ACT_RU_AUTHORIZATION object with the unique ACT_UNIQ_AUTH_USER index.

How can I prevent a process from writing the authorizations for a user? To avoid this exception …