How can I replace the authorization service used by the engine? My goal is to implement some custom logic when deciding whether the permission is granted. If the custom logic can’t decide, I’d fall back to the “standard” service. But I could not find a setter for the auth service.
You would need to override the authorizationManager. It's part of the SessionManager. It is not a small task. There is lots of “internal” code mixed in. It would likely be easier for you to build wrappers around Camunda’s API that implement your controls.
I’d like to use the custom auth service within the Camunda GUI. I think it’s tightly integrated into it. Hence I really need the auth service and not a wrapper. But thank you for the hint about the authorizationManager.
Know that Camunda ~“hardcodes” the authorization logic at the database level, so many of the authorization checks are done with SQL. Example: in the Query APIs, authorization is done on the items being queried, but these are not auth checked at the app level; they are run through a ~complex SQL lookup / filtering. There was lots of variation in the code, with few code comments explaining the logic flow. So the authorization logic on a command is different from the authorization logic that occurs during a query.