How to authorize all processes except one

Hi,
I need to let a user-group all permissions on all the processes except one specific one.

I created the following:

  1. grant
    res-type: processes_definition
    res-id: *
    group: group1
    permissions:ALL
  2. revoke
    res-type: processes_definition
    res-id: proc-1
    group: group1
    permissions:ALL

When invoke the rest api to list the process_definitions I am expecting the user to not see ‘proc-1’, but, he/she is seeing all. It is as if the ‘revoke rule’ is not considered.

what could be wrong ?
thank you
ps

Hi @damunda,

Have you enabled the authorization? It’s disabled by default: https://docs.camunda.org/manual/7.13/user-guide/process-engine/authorization-service/#enable-authorization-checks.

Hope this helps, Ingo

Also, IIRC, revokes must be enabled on top of enabling the authorization as such.

Thank you. This could be the issue.

I found the following in our configuration:
config.setAuthorizationCheckRevokes(ProcessEngineConfiguration.AUTHORIZATION_CHECK_REVOKE_NEVER);
return config;
I will change it to ALWAYS and see.