Permission to open operate UI

triyan · February 22, 2024, 5:25am

Hi,

at the moment, by using camunda identity, we have some permissions such read:* and write:* to access Operate.

my question is Operate have some permission to open Operate UI, so even though user has read:* permission, it can’t open Operate UI because it need another permission e.g. operate-page permission to open Operate UI

thank you.

nathan.loding · February 22, 2024, 8:44pm

Hi @triyan - no, there is no separate permission to view the UI. Are you having issues accessing Operate?

triyan · February 23, 2024, 1:18am

Hi @nathan.loding thank you for your reply, I don’t have issue while accessing Operate, it’s only me that have case where we need separate permission to access UI, while existing permission read:* and write:* can be use for REST operation.

triyan · February 23, 2024, 10:41am

Hi @nathan.loding one more question, is Operate support data curtaining?

nathan.loding · February 23, 2024, 12:44pm

Hi @triyan - what do you mean by “data curtaining”?

I agree that the terminology is a bit confusing with the permissions. I’ll take this feedback to the product team. The user needs the Operate read:* permission to access the Operate UI; without it, they will get a “no permission” error.

triyan · February 26, 2024, 4:05am

Hi @nathan.loding thanks for your reply and sorry for confusion, maybe something like below explanation

Data Curtaining: Data curtaining focuses on controlling access to the data itself. This involves restricting user access to certain parts of data based on certain criteria, such as user role, data type, or other criteria. Data curtaining can be applied at the row, column, or even cell level in a database, allowing users to only see or access the data that is relevant to them.

RBAC (Role-Based Access Control): RBAC is an access management model that regulates user access rights based on the role or function they have in the organization. In RBAC, access rights are assigned to specific roles, and then users are assigned to those roles. Each role has a defined set of access rights, and users who own that role will have appropriate access rights. This allows managers to manage access more centrally and scalably.

I think you guys already implement the RBAC, but I want to know that if data curtaining is something on your roadmap?

nathan.loding · February 26, 2024, 4:47pm

Hi @triyan - there is nothing as granular as what you’ve described. Self-Managed supports multi-tenancy which achieves some “curtaining”, but within each tenant there is no row/column/cell-level equivalent. (Multi-tenancy is coming to a future release of the SaaS offering as well, but I don’t have a firm date on it’s release.)

Are you just exploring what is possible, or do you have some specific needs for data curtaining?

triyan · February 27, 2024, 3:16am

Hi @nathan.loding thanks for your reply, maybe I continue this discussion to enterprise camunda support.