Please advise a novice how the hell to authorize!

Greetings,

Please direct me!

I've got to implement AD identification with authorization against a DB config (not Camunda's).
More or less I broke through LDAP authentication via LdapIdentityProviderPlugin. But how do I make custom authorization for a user?

A simple example of what I need to achieve:
In AD I have a user t.migly.
Somewhere far away in a DB I've got a table: xxfi_user_roles (user_id, user_role) with a row (t.migly, 'admin');

So when t.migly is authenticated he/she should be able to act as Camunda's admin, meaning be able to log in to admin/tasks/cockpit, be able to execute all REST calls and so on.
This source of user roles is managed by another application, and a role can be revoked/applied there. So every time a user tries to log in I've got to check whether the role is still there.

I appreciate all hints!

Hi @Tigly_Migly,

When you use LdapIdentityProviderPlugin, it is assumed that you will also store the groups/roles on the same LDAP server.

If you have username/password on an LDAP server and roles in another system/database, I would say that you need to implement your own custom identity provider (extending ReadOnlyIdentityProvider), where you will get the data from two sources.

Also be aware that this is an internal API, which can change in newer versions of Camunda.
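
An added example (not code from this thread, nor Camunda's own) of one way to combine the two sources the reply describes: reuse the LDAP plugin's session class for the password check and bolt the DB role lookup on top, so that every login re-reads xxfi_user_roles and a DB role of 'admin' is surfaced to the engine as membership of the camunda-admin group. The class names DbRoleSource, LdapDbIdentityProviderSession and LdapDbIdentityProviderFactory, and the javax.sql.DataSource wiring, are assumptions; the overridden method names come from the LDAP plugin's internal session class and must be checked against the Camunda version in use, exactly because of the internal-API caveat above.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.impl.interceptor.Session;
import org.camunda.bpm.engine.impl.persistence.entity.GroupEntity;
import org.camunda.bpm.identity.impl.ldap.LdapConfiguration;
import org.camunda.bpm.identity.impl.ldap.LdapGroupQuery;
import org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderFactory;
import org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession;

/** Reads roles from the external table named in the question (assumed: a container-managed DataSource). */
class DbRoleSource {
  private final DataSource ds;

  DbRoleSource(DataSource ds) { this.ds = ds; }

  /** Parameterised query: user_id comes from the login form, so it is never concatenated into SQL. */
  List<String> rolesOf(String userId) {
    List<String> roles = new ArrayList<>();
    String sql = "SELECT user_role FROM xxfi_user_roles WHERE user_id = ?";
    try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
      ps.setString(1, userId);
      try (ResultSet rs = ps.executeQuery()) {
        while (rs.next()) {
          roles.add(rs.getString(1));
        }
      }
    } catch (SQLException e) {
      // Fail closed: a DB outage must not degrade into "no roles found but login OK".
      throw new IllegalStateException("role lookup failed for " + userId, e);
    }
    return roles;
  }
}

/** LDAP session that re-checks the role table on every login and maps the DB role 'admin' to camunda-admin. */
class LdapDbIdentityProviderSession extends LdapIdentityProviderSession {
  /** Same value as org.camunda.bpm.engine.authorization.Groups.CAMUNDA_ADMIN. */
  static final String CAMUNDA_ADMIN = "camunda-admin";
  private final DbRoleSource roles;

  LdapDbIdentityProviderSession(LdapConfiguration cfg, DbRoleSource roles) {
    super(cfg);
    this.roles = roles;
  }

  /** LDAP verifies the password; the DB decides whether the user may still log in at all. */
  @Override
  public boolean checkPassword(String userId, String password) {
    if (!super.checkPassword(userId, password)) {
      return false;
    }
    return !roles.rolesOf(userId).isEmpty(); // role revoked in the other application => login refused
  }

  /** Assumed override point: the LDAP group query delegates here (verify against your engine version). */
  @Override
  public List<Group> findGroupByQueryCriteria(LdapGroupQuery query) {
    List<Group> groups = new ArrayList<>(super.findGroupByQueryCriteria(query));
    String userId = query.getUserId();
    boolean idFilterAllows = query.getId() == null || CAMUNDA_ADMIN.equals(query.getId());
    if (userId != null && idFilterAllows && roles.rolesOf(userId).contains("admin")) {
      groups.add(adminGroup());
    }
    return groups;
  }

  @Override
  public long findGroupCountByQueryCriteria(LdapGroupQuery query) {
    return findGroupByQueryCriteria(query).size();
  }

  /** Lets the engine resolve camunda-admin even though no such group exists in LDAP. */
  @Override
  public Group findGroupById(String groupId) {
    Group g = super.findGroupById(groupId);
    return (g == null && CAMUNDA_ADMIN.equals(groupId)) ? adminGroup() : g;
  }

  private static Group adminGroup() {
    GroupEntity g = new GroupEntity(CAMUNDA_ADMIN);
    g.setName("Camunda administrators (from xxfi_user_roles)");
    g.setType("SYSTEM");
    return g;
  }
}

/** Register this in your ProcessEnginePlugin via ProcessEngineConfigurationImpl#setIdentityProviderSessionFactory. */
class LdapDbIdentityProviderFactory extends LdapIdentityProviderFactory {
  private final DbRoleSource roles;

  LdapDbIdentityProviderFactory(DataSource ds) { this.roles = new DbRoleSource(ds); }

  @Override
  public Session openSession() {
    return new LdapDbIdentityProviderSession(ldapConfiguration, roles);
  }
}
```

Two things this does not do for you. First, group membership alone only identifies the user as a camunda-admin; with authorization checks enabled the group still needs grants, which is what the engine's AdministratorAuthorizationPlugin (administratorGroupName=camunda-admin) is for. Second, rolesOf is called once per password check and once per group query, and a session lives for one engine command, so if the role table is slow you would cache the result inside the session object rather than across logins, or the revocation check the question asks for stops being immediate.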

Thank you a bunch for the quick reply!