How to prohibit a user from claiming a task

Apologies if this question has been answered before.
How do I restrict users from claiming a certain task? What I found out is that if the user doesn’t have TASK_ASSIGN, he/she won’t be able to claim an already assigned task. But if the task is unclaimed, he/she is still able to claim the task. Please advise.

Hi @khoanguyen123,

The below post might be of help to you

Thanks, @hassang. The other post helps, but it only solves half of my problem. Any unclaimed tasks can still be claimed by the user which I would like to prevent. My goal is to allow user A to claim only a few unclaimed tasks, not every unclaimed task.

Hi @khoanguyen123,

Is the other user specified as a candidate user for the task? If yes, then this is the reason why he/she can claim the unassigned task.

For example: If both user1 and user2 are specified as candidate users for a task then both are given the permission to claim it.
camunda:candidateUsers="user1, user2"

Hi @hassang,

The task has no candidate user or candidate group assigned. I also tried to set the candidate user and/or candidate group to a completely disjoint entity, and it didn’t prevent the user in question from claiming the task.

FYI, I am running the platform using Spring Boot, and below is my config:

camunda:
  bpm:
    authorization:
      enabled: true
    generic-properties:
      properties:
        default-user-permission-name-for-task: TASK_WORK

Hi @khoanguyen123,

Do you have permissions given explicitly to the user in question?

Can you please check from the cockpit the automatically created authorizations for the task once it gets created?

Hi @hassang,

To illustrate, I built a simple process. User Task “Say Hello” has no candidate user or group:

User Alice belongs to the ACCOUNTS group, which has READ, TASK_WORK permissions.

Alice is still able to claim the “Say Hello” task:

image

Authorizations snapshot:
image

What am I missing if I want to block Alice from claiming the task?

Thanks!

Hi @khoanguyen123,

This way all users of this group can claim and complete any running task. (*)

You don’t have to specify any task’s permissions.
Setting ACCOUNTS group as candidate group for this task “Say Hello” should do the job.
The system would automatically create a default authorization for this task once it gets created and remove it once the task gets completed/deleted. So if you have a look at the “Task Authorizations” page once the task gets created, you would notice that a new authorization is created with Group set to ACCOUNTS, Permissions set to TASK_WORK and Resource ID set to the task ID of the newly created task “Say Hello”.

Hi @khoanguyen123,

Please be aware that setting the Resource ID of an authorization to * means any.

In the example I mentioned, any member of the ACCOUNTS group can claim and complete this specific task, to which the group is assigned as candidate group. So if members of this group shouldn’t have access to it, then simply don’t assign it as a candidate group for this task, and of course don’t set any task permissions manually.

Hi @hassang,

Thank you for being patient with me. My goal is the reverse actually: I DO NOT want Alice to be able to claim the task. What do I need to do to achieve that? I tried to set the candidate group of the “Say Hello” task to a group of which Alice is not a member, and it still doesn’t prevent Alice from claiming that task.

Hi @khoanguyen123,

In addition to what you did, remove the task permission you added.

No need to add task permissions.

Hi @khoanguyen123,

Remove the one below (image 2021-Oct-21_19-27-03).

Hi @hassang,

Lightbulb moment for me! To recap, to prevent user Alice from claiming a task:

  1. Set candidate user and/or group to an entity that Alice is not a member of
  2. DO NOT explicitly set any Task permissions to Alice or her groups

Thanks for the guidance.
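
The recap above, as an added example that is not part of the original thread or Camunda's own code: a simplified Python check over authorization records shaped like those of the Camunda 7 REST API, showing why a manually added Task authorization with Resource ID * lets Alice claim a task whose candidate group she is not in. The group MANAGERS, the task id and all records are constructed for illustration; REVOKE authorizations and process-definition-level permissions are not modelled.

```python
# Added example: simplified audit of Camunda 7 task authorizations.
# Record fields mirror the REST API's authorization JSON; all data is constructed.
TASK = 7                  # resource type id of Task
GLOBAL, GRANT = 0, 1      # authorization types (REVOKE = 2 is not modelled)
CLAIM_PERMS = {"TASK_WORK", "UPDATE", "ALL"}  # task permissions that allow claiming

def applies_to(auth, user, groups):
    """Does this authorization apply to the user or to one of the user's groups?"""
    if auth["type"] == GLOBAL:
        return True
    return auth["userId"] == user or auth["groupId"] in groups

def claim_sources(user, groups, task_id, auths):
    """Return the authorizations that let `user` claim `task_id` (empty = blocked)."""
    return [a for a in auths
            if a["resourceType"] == TASK
            and a["type"] in (GLOBAL, GRANT)
            and a["resourceId"] in ("*", task_id)
            and CLAIM_PERMS & set(a["permissions"])
            and applies_to(a, user, groups)]

def group_grant(auth_id, group, resource_id, perms):
    """Build a constructed GRANT record for a group on a task resource."""
    return {"id": auth_id, "type": GRANT, "userId": None, "groupId": group,
            "resourceType": TASK, "resourceId": resource_id, "permissions": perms}

SAY_HELLO = "say-hello-task-id"  # placeholder task id

# Created by the engine because MANAGERS (hypothetical) is the candidate group
# and default-user-permission-name-for-task is TASK_WORK.
default_auth = group_grant("auto-1", "MANAGERS", SAY_HELLO, ["TASK_WORK"])
# Added by hand in the admin UI: applies to every task because of "*".
manual_wildcard = group_grant("manual-1", "ACCOUNTS", "*", ["READ", "TASK_WORK"])

BEFORE = [default_auth, manual_wildcard]   # the setup Alice could still claim in
AFTER = [default_auth]                     # manual task permission removed

def ids(auths):
    return [a["id"] for a in auths]

if __name__ == "__main__":
    alice, bob = ("alice", {"ACCOUNTS"}), ("bob", {"MANAGERS"})
    print("alice before:", ids(claim_sources(*alice, SAY_HELLO, BEFORE)))
    print("alice after: ", ids(claim_sources(*alice, SAY_HELLO, AFTER)))
    print("bob after:   ", ids(claim_sources(*bob, SAY_HELLO, AFTER)))
```

Any non-empty result names the authorization to review; a hit with Resource ID * affects every task, not only the one being checked.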

Hi Khoanguyen123,

Is your problem resolved? Were you able to perform the user-specific tasks? If yes, kindly guide me, since I am new to the Camunda tool.

Even I am also having the same scenario, but it’s not working for me.

Scenario is,

  1. Created User and Group
  2. Assigned the Read permission to the user and the Update permission to the group, but the user does not belong to the group.
  3. Assigned the user and group to the specific task
  4. But after logging in, both the user and the group (users) are able to claim the task

But the expected behaviour is that the user can read the task but should not claim it. The group (users) can claim it.

Kindly guide me to proceed further.

Thanks & Regards,
Prakash R.

Hi @prakash_ramalingam,

It’s been a while so I don’t remember the details. The settings that work for me (adjust to meet your needs):

  1. User Alice belongs to group ACCOUNTS
  2. Authorization details for ACCOUNTS group:

Application Authorization:

Group Authorization:

Process Definitions Authorization:

Process Instances Authorization:

Task Authorization:

Lastly, my camunda settings in Spring boot application.yml:

camunda:
  bpm:
    authorization:
      enabled: true
    generic-properties:
      properties:
        default-user-permission-name-for-task: TASK_WORK

Thanks a lot for your response, let me proceed with your steps. I will connect with you if I need any assistance. Thanks once again!