How only Candidate Users can Claim and Complete the Task?

ScouseR · October 19, 2023, 10:20am

Hello Everyone!

I have a User task, and have assigned 2 Candidate Groups and 2 Candidate Users to that user task in modeler,
also i have made the groups and users in Camunda Identity Service using rest APIs, and have also assigned the users to specific groups.
The issue i am facing is that when i try to claim the task using wrong userId ( users which are not created and assigned to specific candidate groups ) is still claiming the task, but i want is that only candidate users can access the task not anyone else,

Can someone help me to solve this problem?
Thanks!

rohwerj · October 19, 2023, 7:13pm

Hi @ScouseR.
Have a look at the following page:

If you set the correct task permissions only users related to the task will be allowed to work with it (e.g. claiming and completing).
You can also decide what permission those users get by default. For that to work you will have to remove the permission to update tasks from all users, that should not be allowed to claim or complete the task.

ScouseR · October 20, 2023, 4:43am

Can you provide an example of Task Authorization ? that how to create a permission only valid for candidate users which can claim and complete the task

rohwerj · October 20, 2023, 9:57am

Do you have the authorization enabled?

camunda:
  bpm:
    authorization:
      enabled: true

Then you should not have any users or groups authorized to update tasks.

Now if a task is created all users from the groupA and groupB can see the task, but not claim it. Only those users who are candidate users, owner, assignee or part of a candidate group, should now get the authorization to update that specific task.

ScouseR · October 22, 2023, 8:28am

Yes, I have the authorization enabled, should i disable it?

rohwerj · October 22, 2023, 2:14pm

No you should have it enabled.
Once a task is created, special authorizations will be created to allow users who are related to the task to update it.
If you don’t have any further authorization, that allows other users to update tasks, no other user should be able to claim the task.

ScouseR · October 23, 2023, 4:43am

Thank you for your reply!
I have made “Task Authorization” for a specific task that only group/users can claim and complete the task.
The permission/authorization is
Type: ALLOW
Group: group1
Permission: READ
Resource ID: b6cdc5f9-5602-1567-ab14-7e2a31e4adbd

I have tried to enter * in place of task ID in Resource ID but didn’t work, is something else i am missing?

hassang · October 23, 2023, 5:18am

Hi @ScouseR

Could you please share your model and a screenshot from the Task Authorizations page.

ScouseR · October 23, 2023, 5:31am

Yeah sure here you go

ScouseR · October 23, 2023, 5:31am

hassang · October 23, 2023, 5:40am

Hi @ScouseR

I see that two groups (group1 and group2) are set as candidate groups so if you are trying with a user who is member of any of these groups or with a user who is set as candidate user then he/she definitely should be able to claim the task.

Notice: The process engine automatically creates authorizations resources with the default task permission granted to each group set as candidate group and to each user set as candidate user.

ScouseR · October 23, 2023, 5:42am

Thank you for the reply!
But the issue is i am trying to claim with “userId” : “Henry”, and its still able to claim the task. why?

hassang · October 23, 2023, 5:44am

Henry is not a member of any of the two groups and not a member of camunda-admin group?

ScouseR · October 23, 2023, 5:47am

Henry is neither a member of any of the two groups nor a member of camunda-admin group, only John and Defoe are members of those two groups, and demo is the member of camunda-admin group

hassang · October 23, 2023, 5:48am

Could you please share a screenshot from the Process Definition Authorizations page.

Is there any of the task related permissions set?

ScouseR · October 23, 2023, 5:50am

ScouseR · October 23, 2023, 5:51am

The only Task Related Permission that is set is this

ScouseR · October 24, 2023, 9:55am

@hassang Can you please tell the solution to solve this problem?

hassang · October 24, 2023, 10:00am

Apparently authorization is not enabled.

Are you testing using Rest API?
What is the distribution used?

ScouseR · October 24, 2023, 10:33am

Which file to look for authorization enabling? I have looked into production.yml and there its
enabled

camunda.bpm:

Security Instructions | docs.camunda.org

HTTP Header Security | docs.camunda.org

webapp:
csrf:
enable-same-site-cookie: true
same-site-cookie-option: STRICT
header-security:
hsts-disabled: false

Security Instructions | docs.camunda.org

Authorization Service | docs.camunda.org

authorization.enabled: true

And yes I am testing using Rest API. And what do you mean by distribution used? If its about model, then i am using BPMN along with Rest API, Cockpit and tasklist