Configure Cockpit: Full Admin=LDAP-Group, ReadOnly = Single User

Hi,

I have a request from one of our departments. Currently we are using C7 community edition included in a Spring Boot application.

Right now, we have configured the Camunda GUI (Cockpit, Tasklist etc.) to be accessible only to the members of one special admin group.

    @Bean
    AdministratorAuthorizationPlugin administratorAuthorizationPlugin(LdapProperties ldapProperties) {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorGroupName(ldapProperties.getAdministratorGroupName());
        return plugin;
    }

All users of this group are able to modify processes etc. (full access).

Now one department wants to have read-only access to the Cockpit to verify what processes are still running.
Is there any way to set up the security chain (or anything else) so that one LDAP group is full admin and one (or more) LDAP users have read-only access to the Cockpit?

I tried to add users using the Camunda admin section, but Camunda tries to add these users to our LDAP and this is not possible because I only have a read-only user for the LDAP access.

Best regards,

Rainer

Does the department have a specific group in LDAP?

If there is, you can go to the “Admin” application > “Authorizations” > “Application” > “Create new authorization” with type ALLOW. Under User/Group, if user is selected, click the user icon to change it to group, enter the department group name in the text input, set Resource ID to cockpit, and save.

If LDAP is configured correctly, it should work, giving the group access to cockpit.
And for process definitions/instances, if needed, it is almost the same process.

https://github.com/camunda/camunda-docs-manual/blob/master/content/user-guide/process-engine/authorization-service.md
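
The same grants can be created in code through the engine's `AuthorizationService`, which stores them in the engine database rather than in LDAP. This is an added example, not part of the original posts; the group name `cockpit-readonly` and the class name are hypothetical, and it assumes authorization checks are enabled in the engine.

```java
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resource;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.spring.boot.starter.event.PostDeployEvent;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

@Component
public class ReadOnlyCockpitAuthorizations {

    // Hypothetical LDAP group name; replace with the department's real group.
    private static final String READ_ONLY_GROUP = "cockpit-readonly";

    private final AuthorizationService authorizationService;

    public ReadOnlyCockpitAuthorizations(AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    @EventListener
    public void onPostDeploy(PostDeployEvent event) {
        // Equivalent of Admin > Authorizations > Application with Resource ID "cockpit".
        grant(Resources.APPLICATION, "cockpit", Permissions.ACCESS);
        // Read permissions only: no UPDATE or DELETE is granted, so the group
        // can view definitions and running instances but cannot change them.
        grant(Resources.PROCESS_DEFINITION, Authorization.ANY,
                Permissions.READ, Permissions.READ_INSTANCE, Permissions.READ_HISTORY);
        grant(Resources.PROCESS_INSTANCE, Authorization.ANY, Permissions.READ);
    }

    private void grant(Resource resource, String resourceId, Permission... permissions) {
        // Skip if this group already has an authorization on the resource,
        // so repeated application starts do not create duplicates.
        long existing = authorizationService.createAuthorizationQuery()
                .groupIdIn(READ_ONLY_GROUP)
                .resourceType(resource)
                .resourceId(resourceId)
                .count();
        if (existing > 0) {
            return;
        }
        Authorization auth = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        auth.setGroupId(READ_ONLY_GROUP);
        auth.setResource(resource);
        auth.setResourceId(resourceId);
        auth.setPermissions(permissions);
        authorizationService.saveAuthorization(auth);
    }
}
```

For a single user instead of a group, `setUserId` replaces `setGroupId` on the authorization, with the query adjusted to match.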

Thank you very much,

adding a special user / group in the admin area works.

Best regards,

Rainer