Grant task-read-permission on process-instance-level

timostolz · August 10, 2019, 11:31am

According to the docs, I can grant the permission to read tasks on a specific process definition.
In my application, I’d like to grant this permission for specific process instances only, and not for all instances of a definition. Is this possible—or does this require some custom queries to be added in my spring boot application?

Niall · August 12, 2019, 9:03am

That shouldn’t be a problem, it’s detailed here.

timostolz · August 12, 2019, 12:24pm

According to this section, there are only 3 extra permissions, that can be assigned to process instances, namely Retry Job, Suspend, and Update Variable. I would need the Task Read permission, but it is not listed. Would it work anyway?

Yana · August 16, 2019, 9:12am

Hi Timo,

Is it sufficient to assign READ permission to specific Process instance?
Or you want to be restricted to the Tasks only?

timostolz · August 16, 2019, 9:23am

Probably, I should bring up an example. Let’s say I have a process with pupils and teachers. (In fact, it’s an e-learning setting.)

The pupils should see all tasks that they candidate for or are assigned to (no matter the process instance.)
The teachers should be able to see all tasks of their pupils (all tasks, but only within certain process instances – because each process instances can belong to another teacher, and each teacher should only see her or his own instances.)
As a plus: The teachers should be able to spawn new instances – and for these instances, they should have again the permission to supervise their pupils.

How can I achieve, that

The pupils see all assigned-or-candidate tasks?
The teachers see all tasks within their own instances?
As a plus: Each teachers “owns” all instances created by her- or himself?

Thank you very much,
Timo

Yana · August 16, 2019, 10:54am

Hi Timo,

Your explanation helped a lot to get the whole picture.
I think you can achieve your requirements easily.

Create a two task filters (one for teachers and one for students (only assigned tasks)). [1]
Once a task is assigned to a user, this user has all of the needed permissions so that this user can read and work on the task, so this will work out of the box for the students.
Create READ permission for specific process instances for each of the teachers.
Further you can think of using tenants for teachers. [2]

prakash_ramalingam · September 22, 2022, 8:42am

Dear @timostolz,

Do we have any possiblity to enable the task level user permission.

Scenario is,

Created Manager and Sales group and Created User1, User2 linked with Manager. User3, User3 linked with Sales group.
Created two task, Task1 candidate group assigned with Manager. Task2 candidate group assigned with Sales.
Manager associated user can be able to cliam and complete their task
Sales associated user can be able to cliam and complete their task

Note:- Task Id (GUID) is generated one by one only, once completed first task then only second task id is generated. so I am not able to enable the configuration in Task Authorization page.

Any suggestion on this queries.

Thanks & Regards,
Prakash R.