How to assign tenant specific resources to a user

when deploying a workflow I am setting the tenantId.

But, how do I create authorization rules such that ‘tenant-A’ processes/tasks etc. are allowed for user-1 and different tenant resources are assigned to a different user?

The authorization create API is not accepting tenantId.

To address a specific resource we can use the id.
To address all resources of a type, we can use *.
But, how do we address all resources of a tenant?

please let me know
thanks

Hi @damunda

Below camunda docs may be of help to you

"When a user logs in then he only sees and can only access the data (e.g., process definitions) that belongs to one of his tenants.

Tenants and their memberships can be managed in the Admin web application"

thank you @hassang

to enable multi tenancy, I did the following:

  1. when I create authentication, I am setting up the tenant list.
    identityService.setAuthentication("user-1", Collections.emptyList(), Arrays.asList("tenant-1"));
  2. when deploying, I am setting tenantId,
    repositoryService.createDeployment()
    .tenantId("tenant-1")
    .deploy();

With the above changes, I am expecting user-1 to see the tenant-1 data without explicitly adding any authorizations for this user. But, this user is not seeing any data.
(At this time, I have entries for ‘camunda-admin’ group in the authorization table. No other entries at all)

just to verify, I added this user to ‘camunda-admin’ group and now this user is seeing all data.
Can you please clarify whether there is more to be done apart from 1 and 2 I specified above?

thank you

Hi @damunda,

Yes, in addition to what you already have done, the user should be granted the required permissions on the different resources.

For example:

Permissions required to start a process are: CREATE_INSTANCE and READ permissions on Process definition level, and CREATE permission for all Process instances.

Ok.

We want our ‘TENANT-ADMINs’ to have access to all tenant resources.
I think the following are the choices.

  1. Put the tenant admins in ‘camunda-admin’ group.
    or
  2. Create authorization records whenever new deployment/process defs happen.

Option 1 is very uncomfortable to even think of.
Option 2 is workable, but whenever a shared resource is added to the system, we need to visit
all the users who need access to that resource and create authorization records for them.

Is my understanding correct? Do you suggest any particular approach?

Thanks

  • Create tenants --> act_id_tenant table
  • Create groups --> act_id_group
    Each group can have different set of authorizations. For example an admin group on that tenant can have all access to resources like Process definition, deployment etc. A read only user can have only read access on various resources.
  • Groups to tenant relation --> act_id_tenant_member
  • Add authorizations for each group --> act_ru_authorization table
    Authorizations are for a group and not for individual users.
  • Add users --> act_id_user table
  • Add users to groups --> act_id_membership table

In the process engine configuration, set setAuthorizationEnabled and setTenantCheckEnabled to true.

This is what we follow for different access levels for users. Please check if this helps.
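The setup listed above, carried out with the engine's Java API against the same tables. This is an added example, not code from the thread or from Camunda's own docs; the ids tenant-1, tenant-1-admins and user-1 are assumed, and the engine is assumed to have been started with authorization and tenant check enabled.

```java
import java.util.Collections;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.Tenant;
import org.camunda.bpm.engine.identity.User;

public class TenantAccessSetup {
  // Assumed ids: tenant "tenant-1", group "tenant-1-admins", user "user-1".
  public static void setUp(ProcessEngine engine) {
    IdentityService identity = engine.getIdentityService();
    AuthorizationService authz = engine.getAuthorizationService();
    // 1. Tenant -> ACT_ID_TENANT
    Tenant tenant = identity.newTenant("tenant-1");
    identity.saveTenant(tenant);
    // 2. Group -> ACT_ID_GROUP, then group-to-tenant -> ACT_ID_TENANT_MEMBER
    Group admins = identity.newGroup("tenant-1-admins");
    admins.setName("Tenant 1 admins");
    identity.saveGroup(admins);
    identity.createTenantGroupMembership("tenant-1", "tenant-1-admins");
    // 3. Group grants -> ACT_RU_AUTHORIZATION. Resource id "*" (Authorization.ANY) is
    //    NOT tenant-scoped: it matches every resource of that type. What keeps user-1
    //    inside tenant-1 is the tenant check applied to the tenant ids in the
    //    authentication (step 5), so both must be in place.
    grant(authz, "tenant-1-admins", Resources.PROCESS_DEFINITION, Permissions.READ, Permissions.CREATE_INSTANCE);
    grant(authz, "tenant-1-admins", Resources.PROCESS_INSTANCE, Permissions.CREATE);
    grant(authz, "tenant-1-admins", Resources.DEPLOYMENT, Permissions.READ);
    // 4. User -> ACT_ID_USER, then user-to-group -> ACT_ID_MEMBERSHIP
    User user = identity.newUser("user-1");
    identity.saveUser(user);
    identity.createMembership("user-1", "tenant-1-admins");
  }

  // 5. At login, authenticate with the group AND the tenant; with setTenantCheckEnabled(true)
  //    queries are then limited to tenant-1 data, and the group grants above apply.
  public static void authenticate(IdentityService identity) {
    identity.setAuthentication("user-1",
        Collections.singletonList("tenant-1-admins"), Collections.singletonList("tenant-1"));
  }

  static void grant(AuthorizationService authz, String groupId, Resources resource, Permissions... perms) {
    Authorization auth = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    auth.setGroupId(groupId);            // group-level grant, not per user
    auth.setResource(resource);
    auth.setResourceId(Authorization.ANY);
    for (Permissions p : perms) auth.addPermission(p);
    authz.saveAuthorization(auth);
  }
}
```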

Hi @damunda,

@deepu.v87 described it in detail, showing the corresponding database tables.

Rest APIs or Admin app could be used.
For example:

Below is the REST API resource for Tenant Group Membership

hi @hassang,

I got the apis, tables etc.

In our implementation, I have created custom IdentityProvider, GroupQuery, TenantQuery etc.
Since we have users, groups, tenancy maintained in our core application, I am not storing these details in Camunda database.

But, what I want to know is, between the two options I specified, which one is the preferred one.
Perhaps you and @deepu.v87 are hinting that option 2 is the way to go, but then you did not discuss my concern there.

thank you @deepu.v87

In our implementation, I have created custom IdentityProvider, GroupQuery, TenantQuery etc.
Since we have users, groups, tenancy maintained in our core application, I am not storing these details in Camunda database.

You can create authorizations for a group. So you can assign group for a tenant, right? For you, it would be tenant, but for Camunda, it would be a group.

ok. thank you