startableBy issue when Canidate Starter Groups is set

Hello,
We have implemented our own custom identity provider and so far, thankfully, everything has been working as intended. except a weird behavior caused by /process-definition?startableBy=group1

Consider the two scenarios:

  1. if using the modeler we set Candidate Starter Users equals to user1 and using the rest api we call /process-definition?startableBy=user1 everything work as expected
  2. if using the modeler we set Candidate Starter Groups to group1 and we set user1 as a member of group1 and call /process-definition?startableBy=user1 no data is returned

Using the provided admin webapp we can verify that user1 is a member of group1

Are we missing something? does startableBy work only for users and not for groups (we read somewhere that it’s supposed to work)?
Any resource on how startableBy filter work would be very helpful.
We also tried to do the same using the java api using ProcessDefinitionQuery.startableByUser() but we got the same results.

Thanks in advance.

We were able to track the cause of the issue,

it’s in this line

Apparently camunda is trying to query the user-group membership table from the database directly to link the user to the process definition which defeats the purpose of the custom identity provider in our case where users, groups and memberships are stored in an external datasource.

Any help or ideas to solve this are very much appreciated.

Thanks in advance.

2 Likes

We were unable to solve this bug, can anyone provide a workaround over it?

Hi @tarekajaj,

thak you for reporting the issue. This is definitely the bug, I created a JIRA issue for it: https://app.camunda.com/jira/browse/CAM-9286

And I can’t actually imaging any suitable workaround for it now:( I will come back to you if something comes to my mind.

1 Like

@sdorokhova any update on this?

Hi,

Currently, this is not in the road map, it’s still in the backlog.
Do you want to rise a PR for it?

@Yana this appears to me to be a larger incomplete issue related to the deprecation of identity links being used for startable-by functionality as documented here When does Starter Groups and Starter Users of a BPMN get generated as authorizations?

The same issue even exists in the case when using Camunda provided LDAP Identity Service. I read the docs and recognize there are some limitations in Multi-Tenancy if using the service, but I cannot find anything about the limitations of user-group mappings. If the the issue is still in the backlog, would you please add some notices about the limitation in docs first?

I got into same trouble. it makes serious challenge when you want to use camunda with custom identity provider
can you set high priority for this issue in jira

1 Like