I am using a single Camunda engine to run multiple tenants. All the deployed process definitions have the tenant_id available. In the engine there can be multiple tenants with multiple process definitions.
I want to add users at a tenant level so that a user can only see process definitions, process instances, metrics, basically all the information in Cockpit, only specific to the tenant.
Process Definition 1 :- TENANT_ONE
Process Definition 2 :- TENANT_ONE
Process Definition 3 :- TENANT_TWO
Process Definition 4 :- TENANT_TWO
I want to create two users, User 1 and User 2,
where User 1 should be able to only READ, WRITE details for TENANT_ONE,
and User 2 should be able to only READ, WRITE details for TENANT_TWO and should not be able to access any information related to TENANT_ONE.
I tried adding TENANT_ONE as a tenant in Camunda Cockpit and then adding a user to it, but that doesn’t seem to work. I am new to Camunda. Can someone please help?
The tenant identifier is specified on the deployment and is propagated to all data that is created from the deployment (e.g., process definitions, process instances, tasks, etc.).
Both users and groups are created separately, and then you can add them to tenants using the Admin app.
The Camunda REST API and the web applications Cockpit and Tasklist support transparent access restrictions. When a user logs in, he only sees and can only access the data (e.g., process definitions) that belongs to one of his tenants.
To have specific permissions granted within each tenant, you still need to define the proper authorizations so that adding a group to a tenant doesn’t restrict their access (READ, WRITE, …) to the various resources within the tenant itself.
Thanks for the reply @hassang.
I tried the same but was not able to access resources for the tenant. Sharing screenshots below.
I deployed a process instance with the tenant id abc.
I am able to see this when I am using the admin credentials for Cockpit.
I added a new tenant with the id abc under Tenants and also added a user associated with that tenant.
After that, I added an authorization for the user to give access to the resources.
After this, when I log in as the new user, I am still not able to see the deployed process or the process instance started from it.
Adding a single screenshot, as it is not allowing me to add multiple screenshots.
@hassang @Niall Any idea about this?
Hi @anandrpa,
I can see that the user is only given access to the applications (Tasklist, Cockpit, and Admin). You need to grant the user access to process definitions, instances, and other resources as needed.
You can try a process definition authorization similar to the one highlighted below (notice: Resource Id can be assigned to a specific process definition key).
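An added example, not part of the original post and not Camunda's own code: it checks a user's authorization list for the gap described in this answer (application access only) and builds the missing process definition grant as a body for the Camunda 7 REST API. The user id `user1`, the key `sample-process` and the read-only permission set are assumptions.

```python
import json

# Camunda 7 authorization constants (resource type id, authorization type).
PROCESS_DEFINITION = 6
GRANT = 1  # 0 = global, 1 = grant, 2 = revoke
# Assumed permission set for read-only visibility of one definition.
READ_ONLY = {"READ", "READ_INSTANCE", "READ_HISTORY"}


def grant(user_id, resource_id, permissions):
    """Build a body for POST /authorization/create (process definition grant)."""
    return {
        "type": GRANT,
        "userId": user_id,
        "groupId": None,
        "resourceType": PROCESS_DEFINITION,
        "resourceId": resource_id,
        "permissions": sorted(permissions),
    }


def missing_definition_grant(user_id, definition_key, existing, wanted=READ_ONLY):
    """Return the grant a user still lacks on one process definition, or None.

    `existing` is shaped like the GET /authorization response. Only direct
    user grants are considered; group grants and revokes are ignored here.
    """
    held = set()
    for auth in existing:
        if (auth["type"] == GRANT and auth.get("userId") == user_id
                and auth["resourceType"] == PROCESS_DEFINITION
                and auth["resourceId"] in ("*", definition_key)):
            held.update(auth["permissions"])
    lacking = set() if "ALL" in held else set(wanted) - held
    return grant(user_id, definition_key, lacking) if lacking else None


# Constructed sample: the state described in the thread, where the user holds
# application grants (resource type 0) and nothing on process definitions.
SAMPLE = [
    {"type": 1, "userId": "user1", "groupId": None, "resourceType": 0,
     "resourceId": app, "permissions": ["ACCESS"]}
    for app in ("cockpit", "tasklist", "admin")
]

if __name__ == "__main__":
    body = missing_definition_grant("user1", "sample-process", SAMPLE)
    print(json.dumps(body, indent=2))
```

Scoping `resourceId` to a definition key rather than `*` keeps the grant limited to that one definition.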
It worked. Thanks a lot for the help.