Restrict user access to the tasks and variables

I am using an external LDAP service to define Camunda Groups, Users and User Group memberships.
I can see the Groups and Users from LDAP in the Admin UI just fine.
I can also use Authorisations, for example to provide or revoke read access to my deployment.

But no matter what I do, any application user can see the complete list of the currently running [CMMN] tasks in the /tasks REST endpoint.

I am taking an LDAP user that is a member of 2 groups.
Neither the user nor any of his groups has any Authorizations set up in Camunda, except ACCESS to an application (I restrict it to ‘cockpit’ only).
Still, when I log in with that user, GET /tasks returns the complete list of all currently running tasks.

My test user cannot see any data in /process-instance (even though there are some running), but at the same moment it can see all process instance variables via /variable-instance.
What’s the purpose of restricting /process-instance without restricting /variable-instance?

What am I missing here? Can access to the /tasks and /variable-instance be restricted?

Can the reason be that the User Tasks I am trying to restrict access to were generated by a CMMN process?

Update

Yes, my unprivileged user can see all CMMN tasks but no BPMN tasks.
So the authorization is working but it doesn’t cover CMMN :frowning:

According to this (Closed) feature request:

https://app.camunda.com/jira/browse/CAM-5875

CMMN is a 100% Enterprise version feature, available since version 7.6 (I am on 7.7).

According to this (Open) feature request:

https://app.camunda.com/jira/browse/CAM-6754

CMMN tasks are not yet covered by authorisation, even in the Enterprise version.

:frowning:

@shches, have you considered writing your own endpoints (or extending the current API) to add the specific controls you are looking for?

Most people seem to do this using the Spring Boot starter.
But of course you can also do it using the Camunda JAX implementation: https://docs.camunda.org/manual/7.8/reference/rest/overview/embeddability/
Or, in my case, we prefer more scripting-based approaches: “Custom API Endpoints: Spring Boot + Vertx + Polyglot” and https://github.com/StephenOTT/camunda-vertx-plugin.

If you search around the forum, you will see there are many topics with discussions about “securing” variables, and they all come back to extending the api to add your own additional security logic.
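As an added illustration of the "extend the API with your own security logic" approach (this is example code, not code from the thread, from the Camunda project, or from the vertx plugin linked above): a Spring Boot controller that exposes a restricted view of tasks and variable instances. A caller sees only the tasks they are assigned to or are a candidate for (directly, or through the groups the configured identity provider, here LDAP, reports), and only the variables of the case instances that own one of those tasks. Assumed, and not from the original page: the `example.camunda.security` package, the `/api/secure` path, that the Camunda Spring Boot starter provides the `TaskService` and `RuntimeService` beans, and that Spring Security populates the `Principal`.

```java
package example.camunda.security; // hypothetical package, not part of any Camunda artifact

import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

import org.camunda.bpm.engine.RuntimeService;
import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.runtime.VariableInstance;
import org.camunda.bpm.engine.task.Task;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

/**
 * Restricted replacement for GET /tasks and GET /variable-instance.
 * Example code; assumes the Camunda Spring Boot starter supplies the engine
 * service beans and that Spring Security fills in the Principal.
 */
@RestController
@RequestMapping("/api/secure") // hypothetical path; the engine's own /rest must be blocked separately
public class RestrictedTaskController {

    private final TaskService taskService;
    private final RuntimeService runtimeService;

    public RestrictedTaskController(TaskService taskService, RuntimeService runtimeService) {
        this.taskService = taskService;
        this.runtimeService = runtimeService;
    }

    @GetMapping("/tasks")
    public List<Map<String, Object>> tasks(Principal principal) {
        String userId = requireUser(principal);
        return visibleTasks(userId).stream()
                .map(RestrictedTaskController::taskView)
                .collect(Collectors.toList());
    }

    @GetMapping("/variable-instance")
    public List<Map<String, Object>> variables(Principal principal) {
        String userId = requireUser(principal);
        // Scope variables to the case instances that own a task this user may see.
        // BPMN tasks carry no caseInstanceId and are left to the engine's own checks.
        String[] caseIds = visibleTasks(userId).stream()
                .map(Task::getCaseInstanceId)
                .filter(Objects::nonNull)
                .distinct()
                .toArray(String[]::new);
        if (caseIds.length == 0) {
            return Collections.emptyList(); // fail closed: no visible case, no variables
        }
        List<VariableInstance> vars = runtimeService.createVariableInstanceQuery()
                .caseInstanceIdIn(caseIds)
                .disableCustomObjectDeserialization() // never deserialize user-supplied Java objects in the web layer
                .list();
        return vars.stream()
                .map(RestrictedTaskController::variableView)
                .collect(Collectors.toList());
    }

    /** Unassigned tasks the user (or one of their groups) is a candidate for, plus tasks assigned to them. */
    private List<Task> visibleTasks(String userId) {
        Map<String, Task> byId = new LinkedHashMap<>();
        // taskCandidateUser() resolves group membership through the identity provider (LDAP here).
        for (Task t : taskService.createTaskQuery().taskCandidateUser(userId).list()) {
            byId.put(t.getId(), t);
        }
        for (Task t : taskService.createTaskQuery().taskAssignee(userId).list()) {
            byId.put(t.getId(), t);
        }
        return new java.util.ArrayList<>(byId.values());
    }

    private static String requireUser(Principal principal) {
        if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
            throw new NotAuthenticated(); // anonymous callers never receive the full list
        }
        return principal.getName();
    }

    // Serialize plain maps rather than engine entities, which drag in lazy-loaded fields.
    private static Map<String, Object> taskView(Task t) {
        Map<String, Object> m = new LinkedHashMap<>();
        m.put("id", t.getId());
        m.put("name", t.getName());
        m.put("assignee", t.getAssignee());
        m.put("caseInstanceId", t.getCaseInstanceId());
        m.put("processInstanceId", t.getProcessInstanceId());
        return m;
    }

    private static Map<String, Object> variableView(VariableInstance v) {
        Map<String, Object> m = new LinkedHashMap<>();
        m.put("id", v.getId());
        m.put("name", v.getName());
        m.put("type", v.getTypeName());
        m.put("caseInstanceId", v.getCaseInstanceId());
        m.put("value", v.getValue());
        return m;
    }

    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    private static class NotAuthenticated extends RuntimeException {
    }
}
```

Two points matter more than the controller itself. First, this only helps if the engine's stock REST API (`/rest` in the starter) is disabled or blocked at the reverse proxy for application users; otherwise they simply keep calling the unrestricted endpoints. Second, the filtering here is an application-level policy (assignee/candidate membership), not the engine's Authorization table, so an admin granting READ on a task in Cockpit will not widen what this endpoint returns; if you want both, consult `AuthorizationService.isUserAuthorized` in addition to the query above.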

I run Camunda inside my own Spring Boot starter.
But so far I have not had to add any specific code to the starter.
I am exposing and fully relying on the Camunda REST API.
Wrapping it in my own API seems much more complicated than rewriting my CMMN process definition in BPMN.
One of the difficulties in wrapping the Camunda REST API in my own is authentication and authorization, since I’d need to deal with that in my service.