Securing access to process based on process variable value

I have a situation where a process is available to multiple branches for a certain business. However, each branch's users should only be able to see processes relating to their branch. I have a process variable with the branch identifier in it.

What is the best way to restrict visibility of active processes? I would ideally like to manage this through creating a group for each branch and assigning users to the branches; however, I can't find a way to enforce it based on a process variable.

Any ideas on an approach to take?

Hello @SlappyAUS ,

in Camunda Platform 7, there is the ability to use Tenants. This sounds like a valid use case.

The process definition does not need to have a tenant, so it can be seen by every user. When a process instance is started, it can then live in the tenant of the department that started the process instance.

I hope this helps

Jonathan

@jonathan.lukas Thank you for the reply. Yes, I did look at the Tenant stuff; however, I have a few questions I was wondering if you could help with.

  1. How do I start a process under a Tenant?
  2. Is it possible to shift the process to a Tenant after it has started, since I only determine the branch one or two tasks into the process?
  3. Will messages sent to the process (via REST) require the tenant id in the correlation key, or will the message correlate on business key and process variable as before? This may be a deal breaker, since the caller does not know about tenancy.

Thank you.

Hello @SlappyAUS ,

thank you for these very concrete questions:

  1. The command to start a process has an optional field tenantId.
  2. This is something worth trying but I would bet this is not possible.
  3. Also worth trying.

Would it be ok to answer after August 1st?

Jonathan

Yeah sure, I’m not going anywhere. :wink:

Ok I think I have found a workable solution.

  1. In the first step of the process the branch name is resolved to a string
  2. I run this through a DMN table that maps the branch name to a security group name
  3. I store the security group name in a process variable called “securityGroup”
  4. For each task in the BPMN I then set the User Assignment → Candidate Group to ${securityGroup}
  5. In Admin I create the relevant groups as type “Organisational Unit” and assign users to them
  6. I create a group of type SYSTEM called “allUsers” and assign all the users to it.
  7. In Admin → Authorisations → Tasks I add: (“allUsers” DENY, READ)
  8. In Admin → Authorisations → Tasks I add: (“allUsers” ALLOW, UPDATE, CREATE, DELETE, TASK_WORK, TASK_ASSIGN, UPDATE_VARIABLE, READ_VARIABLE)
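As an added example (not code from the original post or from Camunda itself), the eight steps above expressed as Camunda 7 REST API request bodies, plus an audit check that the READ deny on `allUsers` is still in place. The branch names, group ids and the treatment of the `ALL` permission are assumptions; the resource type id 7 (Task) and authorization types 1 (GRANT) / 2 (REVOKE) are Camunda 7's documented values.

```python
# Example code added to this thread, not the poster's. Branch names and group ids are
# constructed; resourceType and type ids are Camunda 7's documented REST values.
TASK_RESOURCE_TYPE = 7          # authorization resourceType id for Task
AUTH_GRANT, AUTH_REVOKE = 1, 2  # authorization type: 1 = GRANT (ALLOW), 2 = REVOKE (DENY)
WORK_PERMISSIONS = ["UPDATE", "CREATE", "DELETE", "TASK_WORK", "TASK_ASSIGN",
                    "UPDATE_VARIABLE", "READ_VARIABLE"]
# Constructed stand-in for the DMN table of steps 1-3: branch name -> candidate group.
BRANCH_TO_GROUP = {"north": "branch-north", "south": "branch-south"}


def security_group_for(branch):
    """Value the DMN decision would put into the 'securityGroup' variable (steps 1-3).
    An unmapped branch raises rather than falling back to a broad group."""
    try:
        return BRANCH_TO_GROUP[branch.strip().lower()]
    except KeyError:
        raise ValueError(f"no security group mapped for branch {branch!r}") from None


def group_payloads():
    """Steps 5-6 as POST /group/create bodies."""
    groups = [{"id": g, "name": f"{b} branch", "type": "ORGANISATIONAL_UNIT"}
              for b, g in BRANCH_TO_GROUP.items()]
    return groups + [{"id": "allUsers", "name": "All users", "type": "SYSTEM"}]


def authorization_payloads():
    """Steps 7-8 as POST /authorization/create bodies: revoke READ on every task for
    allUsers, grant only the working permissions. Per-branch READ then comes solely
    from the ${securityGroup} candidate-group assignment on each task."""
    common = {"groupId": "allUsers", "resourceType": TASK_RESOURCE_TYPE, "resourceId": "*"}
    return [dict(common, type=AUTH_REVOKE, permissions=["READ"]),
            dict(common, type=AUTH_GRANT, permissions=WORK_PERMISSIONS)]


def missing_authorizations(existing):
    """Audit helper: take the list returned by
    GET /authorization?groupIdIn=allUsers&resourceType=7 and report (type, permission)
    pairs that are expected but absent, e.g. a deleted READ revoke that would make
    every task visible to every user. 'ALL' is treated as covering any permission."""
    have = {}
    for a in existing:
        have.setdefault((a["type"], a["resourceId"]), set()).update(a["permissions"])
    return [(w["type"], p) for w in authorization_payloads() for p in w["permissions"]
            if not have.get((w["type"], w["resourceId"]), set()) & {p, "ALL"}]
```

The payloads are sent as JSON to POST `/group/create` and POST `/authorization/create` on the engine's REST API; running `missing_authorizations` over the engine's current authorization list after each deployment catches the deny being removed.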