Permission to open Operate UI


At the moment, by using Camunda Identity, we have some permissions such as read:* and write:* to access Operate.

My question is: does Operate have a permission to open the Operate UI, so that even though a user has the read:* permission, they can’t open the Operate UI because it needs another permission, e.g. an operate-page permission, to open the Operate UI?

Thank you.

Hi @triyan - no, there is no separate permission to view the UI. Are you having issues accessing Operate?

Hi @nathan.loding, thank you for your reply. I don’t have an issue accessing Operate; it’s only that I have a case where we need a separate permission to access the UI, while the existing permissions read:* and write:* can be used for REST operations.

Hi @nathan.loding, one more question: does Operate support data curtaining?

Hi @triyan - what do you mean by “data curtaining”?

I agree that the terminology is a bit confusing with the permissions. I’ll take this feedback to the product team. The user needs the Operate read:* permission to access the Operate UI; without it, they will get a “no permission” error.

Hi @nathan.loding, thanks for your reply, and sorry for the confusion. Maybe something like the explanation below:

Data Curtaining: Data curtaining focuses on controlling access to the data itself. This involves restricting user access to certain parts of data based on certain criteria, such as user role, data type, or other criteria. Data curtaining can be applied at the row, column, or even cell level in a database, allowing users to only see or access the data that is relevant to them.

RBAC (Role-Based Access Control): RBAC is an access management model that regulates user access rights based on the role or function they have in the organization. In RBAC, access rights are assigned to specific roles, and then users are assigned to those roles. Each role has a defined set of access rights, and users who own that role will have appropriate access rights. This allows managers to manage access more centrally and scalably.

I think you guys already implement RBAC, but I want to know if data curtaining is something on your roadmap?

Hi @triyan - there is nothing as granular as what you’ve described. Self-Managed supports multi-tenancy which achieves some “curtaining”, but within each tenant there is no row/column/cell-level equivalent. (Multi-tenancy is coming to a future release of the SaaS offering as well, but I don’t have a firm date on its release.)

Are you just exploring what is possible, or do you have some specific needs for data curtaining?

Hi @nathan.loding, thanks for your reply. Maybe I’ll continue this discussion with Camunda enterprise support.