How is tenant used in the context of Authorization?
I can see a User can be associated with a Tenant and with a Group.
A Group can be associated with a Tenant.
A process deployment can be attached to a Tenant.
Now, considering that Authorization is enabled, what is a must for a user to act upon a process or a user task in the process?
Should the user acting upon such a process/task belong to the same tenant?
As per my readings and experiments with Camunda:

- A user can be associated with one or more tenants.
- Similarly, a group can be associated with one or more tenants.
- A user can be associated with one or more groups. A user will get the combined access based on the authorizations assigned directly to the user or to any one of his associated groups.
- A process can be deployed for a tenant, and then it will be a unique process definition related to one tenant. Instantiating this process will create a process instance for the associated tenant, and if Authorization is enabled then users associated with the tenant and having the right permissions will be allowed to access and execute the process.
- There is a shared process model too, where you can deploy a process without specifying the tenant. But you can provide a CustomTenantProvider, so that the tenant of the authenticated user will be assigned to the process instance. It means you will have only one definition of the process and do not attach it to any tenant, but while executing the process the tenant will be associated. Once a tenant is associated with a process instance, the same tenant boundary will be used for authorization purposes.

I have observed that if a CustomTenantProvider is provided then the tenant of the authenticated user will be assigned to the process instance even if you start a process actually deployed with some other tenant.
Suppose you deployed a process for tenant1, a CustomTenantProvider is provided in your Spring Boot service, and you start the process using a user associated with tenant2; then the process instance will be assigned tenant2 and not tenant1. So add a CustomTenantProvider judiciously. If you use the shared-process-for-all-tenants pattern, it is better not to deploy any process with a tenant. Keep all deployments without a tenant.
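As an added illustration of the points above (this is example code written for this thread, not code from the post or from the Camunda project), the following Spring Boot configuration registers a `TenantIdProvider` (the "CustomTenantProvider" mentioned above) that assigns the authenticated user's tenant to instances of shared, tenant-less definitions, and bootstraps a tenant, a group, the tenant membership and the tenant-scoped authorization grants that a member needs to read the tenant and start the shared definition. The guard in `provideTenantIdForProcessInstance` that keeps a tenant-bound definition's own tenant, the rule that a user in several tenants gets no tenant assigned automatically, and the ids `tenant1`, `tenant1-clerks` and `invoice` are assumptions made for the example.

```java
// Added example (not from the forum post). Assumes a Spring Boot application
// using camunda-bpm-spring-boot-starter; tenant/group/process ids are made up.
package example.multitenancy;

import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.cfg.ProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProvider;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderCaseInstanceContext;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderHistoricDecisionInstanceContext;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderProcessInstanceContext;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.spring.boot.starter.event.PostDeployEvent;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;

@Configuration
public class TenantScopingConfig {

  /** TenantIdProvider that scopes instances of shared definitions to the caller's tenant. */
  static class AuthenticatedUserTenantIdProvider implements TenantIdProvider {

    @Override
    public String provideTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
      // Assumed guard: a definition deployed for a tenant keeps that tenant, so an
      // instance can never be moved into the caller's tenant (see the post's caveat).
      String definitionTenant = ctx.getProcessDefinition().getTenantId();
      if (definitionTenant != null) {
        return definitionTenant;
      }
      return tenantOfCurrentUser();
    }

    @Override
    public String provideTenantIdForCaseInstance(TenantIdProviderCaseInstanceContext ctx) {
      return tenantOfCurrentUser();
    }

    @Override
    public String provideTenantIdForHistoricDecisionInstance(
        TenantIdProviderHistoricDecisionInstanceContext ctx) {
      return tenantOfCurrentUser();
    }

    private static String tenantOfCurrentUser() {
      // The tenant ids seen here are those placed on the Authentication of the
      // current command (e.g. by the web apps / REST API from tenant memberships).
      Authentication auth = Context.getCommandContext().getAuthentication();
      List<String> tenants = auth == null ? null : auth.getTenantIds();
      // Assumed design choice: only assign a tenant when it is unambiguous; a user
      // who belongs to several tenants must choose one explicitly.
      if (tenants == null || tenants.size() != 1) {
        return null; // instance stays shared (no tenant)
      }
      return tenants.get(0);
    }
  }

  @Bean
  public ProcessEnginePlugin tenantIdProviderPlugin() {
    return new AbstractProcessEnginePlugin() {
      @Override
      public void preInit(ProcessEngineConfigurationImpl cfg) {
        cfg.setTenantIdProvider(new AuthenticatedUserTenantIdProvider());
      }
    };
  }

  /** Creates tenant, group, membership and tenant-scoped grants once the engine is up. */
  @EventListener
  public void onPostDeploy(PostDeployEvent event) {
    IdentityService identity = event.getProcessEngine().getIdentityService();
    AuthorizationService authz = event.getProcessEngine().getAuthorizationService();

    if (identity.createTenantQuery().tenantId("tenant1").count() > 0) {
      return; // already bootstrapped on an earlier start
    }
    identity.saveTenant(identity.newTenant("tenant1"));
    identity.saveGroup(identity.newGroup("tenant1-clerks"));
    identity.createTenantGroupMembership("tenant1", "tenant1-clerks");

    // Group members may see tenant1 ...
    grant(authz, "tenant1-clerks", Resources.TENANT, "tenant1", Permissions.READ);
    // ... and read/start the shared "invoice" definition. The tenant boundary is then
    // enforced per instance through the tenant id the provider assigns at start.
    grant(authz, "tenant1-clerks", Resources.PROCESS_DEFINITION, "invoice",
        Permissions.READ, Permissions.CREATE_INSTANCE);
    grant(authz, "tenant1-clerks", Resources.PROCESS_INSTANCE, "*", Permissions.CREATE);
  }

  private static void grant(AuthorizationService authz, String groupId, Resources resource,
      String resourceId, Permissions... permissions) {
    Authorization a = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    a.setGroupId(groupId);
    a.setResource(resource);
    a.setResourceId(resourceId);
    for (Permissions p : permissions) {
      a.addPermission(p);
    }
    authz.saveAuthorization(a);
  }
}
```

With this in place, a clerk of tenant1 who starts `invoice` gets an instance tagged `tenant1`, and users of other tenants cannot see it even though the definition itself is shared. The provider only sees tenant ids that are present on the engine's `Authentication`; code that authenticates with `identityService.setAuthenticatedUserId(...)` alone sets no tenant ids, so in that case the instance stays shared. When the same key exists both shared and tenant-bound, `runtimeService.createProcessInstanceByKey("invoice").processDefinitionWithoutTenantId().execute()` selects the shared one explicitly.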