How only Candidate Users can Claim and Complete the Task?

Hello Everyone!

I have a User task, and have assigned 2 Candidate Groups and 2 Candidate Users to that user task in modeler,
also i have made the groups and users in Camunda Identity Service using rest APIs, and have also assigned the users to specific groups.
The issue i am facing is that when i try to claim the task using wrong userId ( users which are not created and assigned to specific candidate groups ) is still claiming the task, but i want is that only candidate users can access the task not anyone else,

Can someone help me to solve this problem?

Hi @ScouseR.
Have a look at the following page:

If you set the correct task permissions only users related to the task will be allowed to work with it (e.g. claiming and completing).
You can also decide what permission those users get by default. For that to work you will have to remove the permission to update tasks from all users, that should not be allowed to claim or complete the task.

Can you provide an example of Task Authorization ? that how to create a permission only valid for candidate users which can claim and complete the task

Do you have the authorization enabled?

      enabled: true

Then you should not have any users or groups authorized to update tasks.

Now if a task is created all users from the groupA and groupB can see the task, but not claim it. Only those users who are candidate users, owner, assignee or part of a candidate group, should now get the authorization to update that specific task.

Yes, I have the authorization enabled, should i disable it?

No you should have it enabled.
Once a task is created, special authorizations will be created to allow users who are related to the task to update it.
If you don’t have any further authorization, that allows other users to update tasks, no other user should be able to claim the task.

Thank you for your reply!
I have made “Task Authorization” for a specific task that only group/users can claim and complete the task.
The permission/authorization is
Group: group1
Permission: READ
Resource ID: b6cdc5f9-5602-1567-ab14-7e2a31e4adbd

I have tried to enter * in place of task ID in Resource ID but didn’t work, is something else i am missing?

Hi @ScouseR

Could you please share your model and a screenshot from the Task Authorizations page.

Yeah sure here you go

Hi @ScouseR

I see that two groups (group1 and group2) are set as candidate groups so if you are trying with a user who is member of any of these groups or with a user who is set as candidate user then he/she definitely should be able to claim the task.

Notice: The process engine automatically creates authorizations resources with the default task permission granted to each group set as candidate group and to each user set as candidate user.

Thank you for the reply!
But the issue is i am trying to claim with “userId” : “Henry”, and its still able to claim the task. why?

Henry is not a member of any of the two groups and not a member of camunda-admin group?

Henry is neither a member of any of the two groups nor a member of camunda-admin group, only John and Defoe are members of those two groups, and demo is the member of camunda-admin group

Could you please share a screenshot from the Process Definition Authorizations page.

Is there any of the task related permissions set?

The only Task Related Permission that is set is this

@hassang Can you please tell the solution to solve this problem?

Apparently authorization is not enabled.

Are you testing using Rest API?
What is the distribution used?

Which file to look for authorization enabling? I have looked into production.yml and there its


Security Instructions |

HTTP Header Security |

enable-same-site-cookie: true
same-site-cookie-option: STRICT
hsts-disabled: false

Security Instructions |

Authorization Service |

authorization.enabled: true

And yes I am testing using Rest API. And what do you mean by distribution used? If its about model, then i am using BPMN along with Rest API, Cockpit and tasklist