Purpose of `adminGroups` field in ProcessEngineConfigurationImpl

fml2 · July 20, 2020, 3:05pm

Hello,

could somebody please explain the purpose of the field org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl#adminGroups?

Is it so that, when I add a group id into this list at process engine start, all members of this group will automatically get all the possible permissions without having to explicitly grant them?

Thanks!

Ingo_Richtsmeier · July 21, 2020, 9:13am

Hi @fml2,

have a look at the docs here: https://docs.camunda.org/manual/latest/user-guide/process-engine/authorization-service/#administrators.

Yes, it creates a group of/for super users.

Hope this helps, Ingo

fml2 · July 21, 2020, 10:27am

Hello Ingo,

thank you for the quick reply. I asked because we use an LDAP for user management. I then added a group id into the list stored in adminGroups (created a small process engine plugin) but still the members of the group did not get all permissions, i.e. I could not execute all actions in the camunda GUI. The permissions had to be explicitly granted using the authorization service. That’s why I asked about what this list is good for.

Ingo_Richtsmeier · July 21, 2020, 11:34am

Hi @fml2,

with LDAP you usually use the Administrator Authorization Plugin to set the group name with a configuration. I think, you rebuild this plugin. It adds the authorizations explicitly: https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/impl/plugin/AdministratorAuthorizationPlugin.java#L66

Cheers, Ingo

fml2 · July 21, 2020, 11:41am

I think, you rebuild this plugin.

Yes, kind of like, as I see now. But then, my question still remains unanswered: what is the purpose of the variable adminGroups if adding values to that list does not effectively allow members of those groups do anything?

I’d expect a logic of kind “Look into the list. If the user is there then allow the action; otherwise consult granted permissions.” But it is apparently not the case.

I try to implement this logic (see this thread: How to replace the AuthorizationService? - #7 by fml2) but have not succeed 100% so far.

Ingo_Richtsmeier · July 21, 2020, 11:46am

I can’t remember exactly, but it could be that the purpose was as you guessed in the early days and Camunda got a fine grained autorization system later on.