Hi @gumang,
The core of the Camunda engine treats users, groups and tenants as simple text strings.
https://camunda.com/best-practices/securing-camunda/#_understanding_strong_users_strong_strong_groups_strong_and_strong_tenants_strong
Validation of assignee existence could be implemented by a generic task listener to be triggered on the assignment event.
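```java
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.delegate.TaskListener;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.impl.identity.Authentication;

// Task listener for the "assignment" event: rejects assignees unknown to the identity service.
public class AssigneeValidationListener implements TaskListener {

  @Override
  public void notify(DelegateTask delegateTask) {
    if (delegateTask.getAssignee() == null) {
      return; // nothing to validate when the task is unassigned
    }
    IdentityService identityService = delegateTask.getProcessEngineServices()
        .getIdentityService();
    Authentication currentAuthentication = identityService.getCurrentAuthentication();
    User assigneeEntity;
    try {
      identityService.clearAuthentication();
      // run without authorization checks
      assigneeEntity = identityService.createUserQuery()
          .userId(delegateTask.getAssignee()).singleResult();
    } finally {
      // always restore the caller's authentication, even if the query fails
      identityService.setAuthentication(currentAuthentication);
    }
    if (assigneeEntity == null) {
      throw new ProcessEngineException("Invalid assignee");
    }
  }
}
```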