in camunda7.20.0,I want to query some history task for a user, but when i run this code ,the result is not what I need,it cantains some data not belong to this user,i do not konw why i must have the READ_HISTORY permmission for Process Definition rather than READ for Historic Task Instance!
var list = historyService.createHistoricTaskInstanceQuery().list();
Hi qi_song! This is a common point of confusion with Camunda 7’s authorization model. The reason you need READ_HISTORY permission on the Process Definition is that historic task instances are closely tied to their process definitions for authorization purposes.
Camunda’s history data access is controlled at the process definition level because historic tasks don’t have their own standalone permissions like runtime tasks do. When you query historic tasks, Camunda checks if you have READ_HISTORY permission on the process definition that created those tasks.
To filter tasks for a specific user, try adding a task assignee filter to your query:
```java
var list = historyService.createHistoricTaskInstanceQuery()
.taskAssignee("username")
.list();
```
Or if you need all tasks a user was involved with:
```java
var list = historyService.createHistoricTaskInstanceQuery()
.taskInvolvedUser("username")
.list();
```
Make sure the user has READ_HISTORY permission on the specific process definition resources they need access to.
Even though you’re querying historic task instances, Camunda requires that the user has READ_HISTORY permission on the Process Definition that created the tasks. Simply having READ permission on the Historic Task Instance is not enough. This is because the engine enforces permissions at the process definition level for historic tasks to ensure that users cannot access history for processes they are not allowed to see.