Issue with Task Assignment

Hi,
I used camunda modeler and created a user task with assignee as ‘USER1’. Then I went to the task list and I can see a task assigned to USER1. Then I logged in as ‘USER2’ and in the task list I am able to remove that assignment and claim that task as ‘USER2’. How can I restrict ‘USER2’ from reassigning any task in tasklist?

Hi,
you can use the authorization service to set the permissions for your users and groups (i.e., using the Camunda Admin Webapp). In particular, the “Task Assign” permission, which allows users to change the assignment of tasks.


Hi Stephan,
This is the list of users:

I made the change to Task Authorization, logged out as demo user, logged in as ‘USER2’ and went to the task list.

There is a task assigned to USER1 but I am still able to reassign it.

Please guide me on what I am doing wrong. I am not able to upload more than 1 screenshot as I am a new user.

Can you show me a screenshot of the “Task Authorization”?


Sorry, my bad: I forgot to mention an important detail.
By default Camunda ignores any authorization setting.
Go to your config file (i.e., confg/default.yml for Camunda Run) and add the following

camunda.bpm:
  authorization:
    enabled: true
    [... rest of your config...]

Note your users cannot sign in if you have not given them access rights to the Webapps yet:


Thanks dude :people_hugging:.

The user task in camunda modeler has an option of User Assignment. In that I specified candidate group as GROUP1 instead of specifying Assignee. With the above settings in Authorization I logged in as ‘USER2’. I can claim a task that belongs to GROUP1. But USER2 is not part of GROUP1. How to restrict this?

So you have four users

  • demo
  • USER1
  • USER2
  • noob

and two groups

  • camundaAdmin = [ demo ]
  • GROUP1 = [ USER1 ]

Now you have a process with a user task, for which you set the candidate group to GROUP1. Is that right?

If so, only demo and USER1 should be able to claim the task (if USER2 does not have the Task Assign permission).
Could you provide a minimal BPMN example that is not working as expected?

recon_poc.bpmn (5.5 KB)

Note: In Filter Authorization I have given full access to both USER1 and USER2. I can restrict the task list and resolve this issue, but I want to know why USER2 is able to claim GROUP1 tasks.

Thanks. I did the following steps

  1. Took your example
  2. Deployed it to Camunda Run v. 7.17
  3. Started an instance with Instructor=Kiran
  4. Logged in as USER2
  5. I cannot see the user task nor perform it
  6. Logged in as USER1: The user task is there
  7. Claimed it
  8. Completed it.

In my setting

  • USER1 is in GROUP1
  • USER2 is in GROUP2
  • USER2’s Task Authorization is set as detailed above.

So, everything works as expected.

If you do not have the restriction, USER2 is entitled to overwrite the configuration of the model because the Task Assign privilege includes the right to alter the candidate group.
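One way to review which Task authorizations hand a user the right to change assignments, added here as an example and not part of the thread. It assumes records shaped like the Camunda 7 REST API's authorization list (type 0/1/2 for global/grant/revoke, resource type 7 for Task) and treats ALL, UPDATE and TASK_ASSIGN as reassignment rights; the function names and sample records are constructed, and the engine's precedence between revokes and grants is not modelled.

```python
# Added example: record fields follow the Camunda 7 REST API authorization
# list; function names and SAMPLE data are constructed for illustration.
TASK = 7                                     # resource type number of "Task"
GLOBAL, GRANT, REVOKE = 0, 1, 2              # authorization types
REASSIGN = {"ALL", "UPDATE", "TASK_ASSIGN"}  # assumed to allow changing assignment

def reassign_grants(authorizations, user_id, group_ids):
    """Return Task authorizations that give `user_id` a reassignment right."""
    hits = []
    for auth in authorizations:
        if auth["resourceType"] != TASK or auth["type"] == REVOKE:
            continue                         # other resources / revokes: not a grant
        if not REASSIGN & set(auth["permissions"]):
            continue                         # e.g. READ or TASK_WORK only
        applies = (auth["type"] == GLOBAL            # applies to every user
                   or auth.get("userId") in (user_id, "*")
                   or auth.get("groupId") in group_ids)
        if applies:
            hits.append(auth)
    return hits

def report(authorizations, user_id, group_ids):
    """One line per finding; wildcard scope means every task is affected."""
    lines = []
    for auth in reassign_grants(authorizations, user_id, group_ids):
        who = auth.get("userId") or "group:" + auth["groupId"]
        scope = "ALL TASKS" if auth["resourceId"] == "*" else auth["resourceId"]
        perms = ",".join(sorted(REASSIGN & set(auth["permissions"])))
        lines.append(f"{user_id} via {who}: {perms} on {scope}")
    return lines

def rec(kind, user, group, rtype, rid, perms):
    return {"type": kind, "userId": user, "groupId": group,
            "resourceType": rtype, "resourceId": rid, "permissions": perms}

SAMPLE = [  # constructed records using the thread's user and group names
    rec(GRANT, None, "camundaAdmin", TASK, "*", ["ALL"]),
    rec(GRANT, "USER2", None, TASK, "*", ["READ", "TASK_ASSIGN"]),
    rec(GRANT, None, "GROUP1", TASK, "*", ["READ", "TASK_WORK"]),
    rec(GLOBAL, "*", None, TASK, "*", ["READ"]),
    rec(GRANT, "USER2", None, 0, "tasklist", ["ACCESS"]),   # Application access
]

if __name__ == "__main__":
    for user, groups in [("demo", {"camundaAdmin"}), ("USER1", {"GROUP1"}),
                         ("USER2", {"GROUP2"})]:
        print(user, report(SAMPLE, user, groups) or "no reassignment grant")
```

These checks only mean something once `authorization.enabled` is `true`, because, as noted earlier in the thread, Camunda ignores authorization settings by default.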



I added USER1 to filter authorization, and have attached Task Authorization as well. The first ss, I claimed the GROUP2 task as USER1.

Can you double-check the group assignment for USER1?
I cannot replicate the issue you’re describing.

Unfortunately, I fail to replicate your situation — is the authorization working in general?
For example, if you limit the access of a user to a single Application, does it work?

Hi Stephan,
The authorizations are working for me. I had to add user1 and user2 to application authorization for them to be able to log in.

Dear @Milan_Apegaonkar / @StephanHaarmann,

I am also facing the same problem: User1 is able to claim User2's task, which should not be possible. I have tried all the combinations of authorizations, but no luck. Is the above problem resolved? If yes, kindly share the details.

Thanks & Regards,
Prakash R.

I found a work-around: creating a filter type for a particular user and using filter authorization to not allow the user to see other tasks.

Dear @Milan_Apegaonkar ,

Thanks for your quick response.
Yes, this scenario is working fine for me as well after enabling the authorization filter.
But my scenario here is:

  1. Created User1, User2, Group1, Group2
  2. Assigned User1 to Group1, assigned User2 to Group2
  3. Assigned Group1 to Task1 and Group2 to Task2
  4. After assigning, I am able to log in as User1 and able to claim Task1 (it’s working as expected)
  5. Also, I am able to claim User2's tasks as well while logged in as User1
    (it’s not working as expected)
  6. Question is: how to restrict the user-level task claim?

Note: I have assigned the Candidate Groups to the task but not assigned any assignee.

Kindly suggest me if you have any solutions.

Thanks & Regards,
Prakash R.