Fallback identity assignments or flags for when deleting users and groups?

Is there a way to set a fallback assignment of a group or user (or multiple) when the group and/or user is deleted?

Scenario:

  1. Task 1 is assigned to Peter.
  2. User ‘Peter’ is deleted.
  3. Task 1 is now unclaimed and/or set into a special state/flag or has a fallback assignment.

Edit: scenario could also apply to groups.

Is there a way to set a fallback so that these tasks are placed in a special state, have a flag, or have a “fallback” assignment set?

Interesting scenario.
I’m not 100% sure but that seems like a new feature to me.

To my knowledge, it is currently not possible to distinguish between “Task was never assigned” and “Task was assigned, but the assigned user was deleted”.

If you just want the unassigned tasks, you can create a Filter in the Tasklist for them. Otherwise, maybe you can hook into the user deletion and set a flag for every task that this user is assigned to (e.g. as a local task variable).

Hi @StephenOTT,

What @vale and @sebastian.stamm write is correct.

In order to implement reassignment, you would have to hook into user deletion. This can be done by implementing the interface WritableIdentityProvider (e.g. wrapping the default DbIdentityServiceProvider) and extending the #deleteUser logic.

Note that by default, tasks do not get unassigned when a user is deleted.

Cheers,
Thorben

2 Likes
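The hook described in the answer above, as an added example that is not part of the original thread and not Camunda's own code: it extends the default DbIdentityServiceProvider, records the deleted assignee on each affected task, and unassigns the task. It assumes a Camunda 7 release in which `deleteUser` returns `IdentityOperationResult` (older releases declare it `void`); the class names and the `deletedAssignee` variable name are hypothetical.

```java
import java.util.List;

import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.identity.IdentityOperationResult;
import org.camunda.bpm.engine.impl.identity.db.DbIdentityServiceProvider;
import org.camunda.bpm.engine.impl.persistence.GenericManagerFactory;
import org.camunda.bpm.engine.task.Task;

/** Hypothetical plugin: registers the wrapping identity provider below. */
public class FallbackOnUserDeletionPlugin extends AbstractProcessEnginePlugin {

  /** Hypothetical local task variable that records the deleted assignee. */
  public static final String DELETED_ASSIGNEE = "deletedAssignee";

  @Override
  public void preInit(ProcessEngineConfigurationImpl configuration) {
    // Replace the default DbIdentityServiceProvider session factory with ours.
    configuration.setIdentityProviderSessionFactory(
        new GenericManagerFactory(FlaggingIdentityProvider.class));
  }

  /** Wraps the default provider and extends the deleteUser logic. */
  public static class FlaggingIdentityProvider extends DbIdentityServiceProvider {

    @Override
    public IdentityOperationResult deleteUser(String userId) {
      TaskService taskService = Context.getProcessEngineConfiguration().getTaskService();

      // Tasks keep their assignee when a user is deleted, so collect them first.
      List<Task> orphaned = taskService.createTaskQuery().taskAssignee(userId).list();

      for (Task task : orphaned) {
        // Distinguishes "assigned, then user deleted" from "never assigned".
        taskService.setVariableLocal(task.getId(), DELETED_ASSIGNEE, userId);
        // Unassign the task; pass a fallback user id instead of null to reassign it.
        taskService.setAssignee(task.getId(), null);
      }

      // Delegate the actual deletion to the default implementation.
      return super.deleteUser(userId);
    }
  }
}
```

The hook only runs when the deletion goes through the engine's identity service; with LDAP, where users are removed externally, it never fires.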

@thorben @sebastian.stamm thanks for the detailed responses! Have you seen anyone do this before? Was thinking groups that have implemented LDAP for larger organizations must have dealt with users and groups being deleted and wanting to handle the reassignments?

Hi @StephenOTT,

I am not aware of any real-world solutions to this problem.

Cheers,
Thorben

@thorben what are your thoughts on whether this should be a function of the Camunda engine or the clients?

The engine does not enforce any existence check on users and groups during assignment, and deletion would not be an impact as well (given your points above).

I can see benefit on the engine side. But this seems to feel like more of a client issue to resolve, as the scenarios may be quite different depending on the use case.

Thoughts?

Hi @StephenOTT,

I also have the feeling that this should not be engine core functionality. In the context of a pull request that did not get completed, we discussed adding an API for managing relationships between users and groups, see https://github.com/camunda/camunda-bpm-platform/pull/183#issuecomment-173503422. This plus a callback on user deletion could be sufficient for users to build such a thing themselves. Note that for LDAP, deletion is not triggered by the engine but done externally. In that case, we cannot provide such a callback.

Cheers,
Thorben