identityService.setAuthentication(...) - Multiple Tenants means overlapping permissions?

Trying to understand the implications of setAuthentication of the Identity service:

consider:

engine.identityService.setAuthentication("123", listOf("gA1", "gA2", "gB1"), listOf("someTenant", "someOtherTenant"))

Based on how Camunda is set up through the REST API, it would seem that this method is generally only used as:

setAuthentication("aSingleUser", [g1,g2], ["sSingleTenant"])

If you were to apply a second tenant, it would mean the groups’ permissions would apply to the secondary tenant. If you applied groups from two different tenants and two tenants in the setAuth, then the groups would overlap and would give permissions that are not applicable to one of the tenants.

Is this correct? @thorben, the implication seems to be that Authorization checks on a context/thread basis are assumed to be based on a single tenant. Authorization checks do not seem to have the tenant context of the specific command. Meaning that the tenant is technically injected/implied based on the supplied groups in an authorization check, and the single tenant in the setAuthentication(…).

Thanks!

@Niall any insight into this?

Thanks!
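
The overlap the question describes, as an added Kotlin sketch that is not part of the original post and is not Camunda's implementation. It assumes a model in which grants are keyed by group only and the tenant check is a separate membership test; `grants`, `groupTenant`, `flatCheck` and `scopedCheck` are hypothetical names and the data is constructed.

```kotlin
// Simplified model of the concern raised in the post. NOT Camunda code.
// Assumption: a grant is keyed by group id only, and tenant visibility is
// a separate test against the tenant list of the current authentication.

data class Authentication(val userId: String, val groups: List<String>, val tenants: List<String>)
data class Resource(val id: String, val tenantId: String)

// Constructed sample data: permissions per group, and the tenant each group was created for.
val grants = mapOf("gA1" to setOf("READ"), "gA2" to setOf("UPDATE"), "gB1" to setOf("DELETE"))
val groupTenant = mapOf("gA1" to "someTenant", "gA2" to "someTenant", "gB1" to "someOtherTenant")

// Flat check: any grant held through any group counts for any resource
// whose tenant appears in the authentication.
fun flatCheck(auth: Authentication, perm: String, res: Resource): Boolean =
    res.tenantId in auth.tenants && auth.groups.any { perm in grants[it].orEmpty() }

// Tenant-scoped check: only groups that belong to the resource's own tenant count.
fun scopedCheck(auth: Authentication, perm: String, res: Resource): Boolean =
    res.tenantId in auth.tenants &&
        auth.groups.any { groupTenant[it] == res.tenantId && perm in grants[it].orEmpty() }

fun main() {
    // The two-tenant authentication from the post.
    val multi = Authentication("123", listOf("gA1", "gA2", "gB1"), listOf("someTenant", "someOtherTenant"))
    val resA = Resource("order-1", "someTenant")

    // DELETE is granted only through gB1, a group meant for someOtherTenant.
    println("flat check, two tenants:    DELETE on ${resA.id} = ${flatCheck(multi, "DELETE", resA)}")
    println("scoped check, two tenants:  DELETE on ${resA.id} = ${scopedCheck(multi, "DELETE", resA)}")

    // The single-tenant usage the post describes: one tenant and only that tenant's groups.
    val single = Authentication("123", listOf("gA1", "gA2"), listOf("someTenant"))
    println("flat check, single tenant:  DELETE on ${resA.id} = ${flatCheck(single, "DELETE", resA)}")
}
```

In this model the flat check lets the `gB1` grant reach a `someTenant` resource when both tenants are in one authentication; scoping the groups per tenant, or authenticating with one tenant at a time, removes the cross-tenant grant.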