Deny access to process definition but allow create instance

Hi,

How would one deny access to a process definition but at the same time allow the user to start an instance of the said process definition and allow the user to complete given tasks?

I have tried (Camunda 7.4) to revoke READ permission from ‘Process Definition Authorization’ for the target users (they still have CREATE_INSTANCE and READ_HISTORY permissions) but in this case the ‘Start Process’ does not list any process they should be able to start.

The main reason for such a request is that for a certain type of users the process definition and hence the diagram from the tasklist app should not be available. Even better, an idea about how to hide the diagram tab entirely from the tasklist would be most welcome.

KR

Hi,

I am no expert in how the Authorizations work, but I can tell you how to hide the diagram tab:

Just include this code in the app/tasklist/styles/user-styles.css file:

.task-card .nav-tabs > li:nth-child(3) {
  display: none;
}

Please note that with this solution the user still has access to the diagram, e.g. if he manually overrides the style or uses the REST API to get the information.

Does this help you?

Cheers
Sebastian

Hi,

It’s great that I can hide the diagram but I want to leave the question pending because it’s important to control the REST access point.

Thank you for the solution regarding hiding the diagram.

KR

Hi @horiavmuntean,

To list any processes to start in the tasklist the user needs the READ permission for them, otherwise the processes are not listed in the start process dialog. This is the current expected behavior.
In order to achieve your use case you could exclude the existing “Start Process” plugin and write your own plugin which lists only the processes the user is allowed to start. How to write a plugin is documented here 1 and how to exclude existing plugins 2.

Alternatively you could just exclude the Diagram-Tab (which is also a plugin), with the consequence that all users do not see the diagram.

Cheers,
Roman
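
Added example, not code from this thread or from Camunda: a small audit over authorization records that reports, for one user and one process definition, whether CREATE_INSTANCE is granted and whether READ (the permission the Start Process list depends on) is granted, revoked, both, or absent. The record field names and numeric codes are assumed to follow the Camunda 7 REST authorization resource; the sample records and function names are constructed, and the engine's grant/revoke precedence is deliberately not modelled, so a "conflict" result has to be checked against the REST API as that user.

```python
import json

PROCESS_DEFINITION = 6            # resourceType code for process definitions
GLOBAL, GRANT, REVOKE = 0, 1, 2   # authorization type codes

# Constructed sample shaped like a GET /authorization response (not real data).
SAMPLE = json.loads("""[
 {"type": 1, "userId": "clerk", "groupId": null, "resourceType": 6,
  "resourceId": "invoice", "permissions": ["CREATE_INSTANCE", "READ_HISTORY"]},
 {"type": 2, "userId": "clerk", "groupId": null, "resourceType": 6,
  "resourceId": "invoice", "permissions": ["READ"]},
 {"type": 1, "userId": null, "groupId": "staff", "resourceType": 6,
  "resourceId": "*", "permissions": ["READ"]},
 {"type": 1, "userId": "clerk", "groupId": null, "resourceType": 7,
  "resourceId": "*", "permissions": ["READ", "UPDATE"]}
]""")

def collect(auths, user, groups, definition_key):
    """Gather granted and revoked permissions that touch one definition."""
    granted, revoked = set(), set()
    for a in auths:
        if a["resourceType"] != PROCESS_DEFINITION:
            continue  # task, instance and other resources are out of scope
        if a["resourceId"] not in (definition_key, "*"):
            continue
        if not (a["type"] == GLOBAL or a["userId"] == user
                or a["groupId"] in groups):
            continue
        (revoked if a["type"] == REVOKE else granted).update(a["permissions"])
    return granted, revoked

def audit(auths, user, groups, definition_key):
    """Report start rights and the READ state; precedence is not resolved."""
    granted, revoked = collect(auths, user, groups, definition_key)
    has_read = bool(granted & {"READ", "ALL"})
    read_revoked = bool(revoked & {"READ", "ALL"})
    if has_read and read_revoked:
        read = "conflict"      # grant and revoke both match: test via REST
    elif has_read:
        read = "granted"       # definition and diagram readable
    elif read_revoked:
        read = "revoked"
    else:
        read = "absent"
    return {"can_start": bool(granted & {"CREATE_INSTANCE", "ALL"}),
            "read": read}

if __name__ == "__main__":
    for groups in (["staff"], []):
        print(groups, audit(SAMPLE, "clerk", groups, "invoice"))
```

A result of `can_start` true with `read` "revoked" or "absent" is the state described in the question: the user holds CREATE_INSTANCE, but the definition will not appear in the Start Process dialog.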

Thank you Roman, your answer clears up my choices.