Hello everyone,
May I create a group which has the same privileges as camunda-admin has?
I have created a group and set its Authorizations the same as camunda-admin, but I found that some deployments (those that have a Tenant ID set) can't be seen by the user who belongs to my group.
Hi @chaofeng,
As far as I know, only the camunda-admin has access to all tenants. For self-created groups you have to authenticate the individual tenants. Or you could switch off the tenantCheck for all users (take a look at the tenantCheckEnabled property https://docs.camunda.org/manual/7.12/reference/deployment-descriptors/tags/process-engine/)
If that works for you, perfect. But I had a use case once where it was impossible to authenticate the individual tenants, but a tenant check was needed for some groups.
If that’s your case you could provide your own TenantManager and switch off the tenantCheck for selected groups. (https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/impl/persistence/entity/TenantManager.java)
You have to create your own SessionFactory (like the one here https://github.com/camunda/camunda-bpm-platform/blob/master/engine-plugins/identity-ldap/src/main/java/org/camunda/bpm/identity/impl/ldap/LdapIdentityProviderFactory.java). The SessionType should be of type TenantManager. You can then inherit the TenantManager accordingly and overwrite the isTenantCheckEnabled method.
You can register the SessionFactory in the processEngineConfiguration. This overwrites the default TenantManager.
Regards,
Dominik
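The approach described in the reply above, sketched as an added example (not code from the original post or from the Camunda project): a TenantManager subclass that skips the tenant check only for selected groups, with its SessionFactory registered through a process engine plugin. The class names and the group id `tenant-auditors` are assumptions made up for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.engine.impl.interceptor.Session;
import org.camunda.bpm.engine.impl.interceptor.SessionFactory;
import org.camunda.bpm.engine.impl.persistence.entity.TenantManager;

public class GroupTenantCheckPlugin extends AbstractProcessEnginePlugin {
  // Hypothetical group id; keep this allow-list explicit and short.
  static final Set<String> EXEMPT_GROUPS = Collections.singleton("tenant-auditors");

  // Keeps the default decision and only relaxes it for the exempt groups.
  static class GroupAwareTenantManager extends TenantManager {
    @Override
    public boolean isTenantCheckEnabled() {
      if (!super.isTenantCheckEnabled()) {
        return false; // already disabled by engine config, command context or camunda-admin
      }
      Authentication auth = getCurrentAuthentication();
      List<String> groups = auth == null ? null : auth.getGroupIds();
      if (groups != null) {
        for (String group : groups) {
          if (EXEMPT_GROUPS.contains(group)) {
            return false; // member of an exempt group: no tenant filtering
          }
        }
      }
      return true; // everyone else stays tenant-checked
    }
  }

  // Session type TenantManager.class makes this factory replace the default one.
  static class GroupAwareTenantManagerFactory implements SessionFactory {
    @Override public Class<?> getSessionType() { return TenantManager.class; }
    @Override public Session openSession() { return new GroupAwareTenantManager(); }
  }

  @Override
  public void preInit(ProcessEngineConfigurationImpl configuration) {
    List<SessionFactory> factories = configuration.getCustomSessionFactories();
    if (factories == null) {
      factories = new ArrayList<>();
      configuration.setCustomSessionFactories(factories);
    }
    factories.add(new GroupAwareTenantManagerFactory());
  }
}
```

Members of an exempt group see data of every tenant, so membership in that group deserves the same review as membership in camunda-admin; the groups' regular Authorizations still apply on top.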