I am currently trying to create a group that has UPDATE and READ permissions, but should not be able to update process variables. I am doing this programmatically with the following code:
setPermissions(
"user",
List.of(
Permissions.READ,
Permissions.UPDATE,
ProcessInstancePermissions.RETRY_JOB,
ProcessInstancePermissions.SUSPEND),
Resources.PROCESS_INSTANCE);
where the setPermissions function is defined like this:
private void setPermissions(
final String groupId, final List<Permission> permission, final Resource... resources) {
for (Resource resource : resources) {
Authorization authorization =
authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
authorization.setGroupId(groupId);
authorization.setResource(resource);
authorization.setResourceId("*");
authorization.setPermissions(permission.toArray(new Permission[0]));
authorizationService.saveAuthorization(authorization);
}
}
As you can see, I left out the UPDATE_VARIABLE permission, but I’m still able to update process variables if I login with a user in group “user”.
Another thing that I tried is to revoke the UPDATE_VARIABLE permission. If I do that programmatically, it creates an entry in the act_ru_authorization table that revokes all permissions. I then tried to insert an entry for that in the database manually with the following data:
id_ | rev_ | type_ | group_id_ | user_id_ | resource_type_ | resource_id_ | perms_ | removal_time_ | root_proc_inst_id_
--------------------------------------+------+-------+-----------+----------+----------------+--------------+--------+---------------+--------------------
571d1f6f-3439-11ed-9dc0-22d15b1a0765 | 1 | 2 | user | | 8 | * | 128 | |
This should revoke the UPDATE_VARIABLE permission, but does not have any effect. I can still modify process variables.
So my question is, if this is possible at all and if yes, how I can do it.
Thanks in advance for your support!