Tasklist Filters - Permissions Filter -> Enforced by Authorization?

How are Tasklist Filters for the Permission Filters enforced? In the Tasklist for the default Rest API configuration, are the enforcement purely on the client side?

If you are using just the rest API and no authentication/authorization on the API, are the permission filters useless from the API standpoint and up to the parent system to enforce?


edit: I am assuming auth is required to be turned on. But just clarifying as i could not find a lot of dev docs on how it actually functions.

Hi @StephenOTT,

Each permission added for a specific filter is actually a new created authorization where Read permission is assigned and resource Id is the filter Id (You could see that newly created authorization on camunda Admin)

See below link

Permissions - Specify which users or groups can see the filter. You can set the filter as globally accessible by selecting the checkbox Accessible by all users. A permission that is set here is equivalent to a READ permission which can also be set in Camunda Admin

OH!!! That makes sense… I read that part of the the docs, but for whatever reason it did not “click”. I think the word “equivalent” made me think it was not actually a permission, but some sort “thing” that was going on.

Thanks @hassang