User Task Assignment to Roles

I am working on the Self Hosted Camunda Cloud setup and have created users and roles using IAM. In the process model, I have configured a user task to assign the task to a role. But when I start the instance, I am seeing that all users outside of the role are able to view and claim the task. I have mapped the role to the “Candidate Group” of the user task in the modeller. Is there any other configuration that is needed to assign the task to a role? Separately, from the operator, how do I know which user or role the task has been assigned to for an instance?

Hi @PrashanthB :wave: and welcome to our forums!

Are you using Tasklist? If so, the candidateGroups value of the user task is not yet used to block other users from viewing and claiming tasks. AFAIK, Tasklist does not yet have knowledge of user roles. At this time, Tasklist only auto-claims tasks for users based on the assignee. See User Task Assignments for more details.

If you use the Tasklist GraphQL API to build your own Tasklist UI, you can access the candidateGroups value of a user task (see task object).

Thank you for your reply. I have a follow-up question.

When building the custom Tasklist UI, how can I know whether the logged-in user belongs to the candidateGroups value of a user task, as the mapping of the user groups to users resides in IAM? Do we have any API which gives us the groups that the user belongs to?

Hi @PrashanthB, sorry for the late reply. I didn’t know the answer and hoped someone else might answer it. In the meantime, I’ve asked someone who knows the answer :smiley:

IAM does not have such an API, but the JWT that is provided by IAM contains claims that you could use for this. Sadly, none of that is documented, so if you want to use this, I recommend just trying to extract these claims and looking at what is in there.

I hope it helps :slight_smile:
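The approach discussed in this thread, as an added example that is not part of any post above and is not Camunda code: decode the JWT payload to see which claims it carries, then show a task only when the user's groups overlap its candidateGroups. The claim name `groups`, the use of `sub` as the username, and all sample data are assumptions constructed for illustration, since the thread states the real claims are undocumented.

```javascript
// Added example. ASSUMPTIONS: the claim name passed as claimName ("groups" in
// the sample) and the use of `sub` as the username are hypothetical; inspect a
// real token from your IAM to find the actual names.

// Decode the payload of a compact JWT for inspection. This does NOT verify the
// signature: verify the token against the issuer's keys on the server before
// trusting any claim for an access decision.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Normalise a group claim that may be missing, a string, or an array.
function groupsFromClaims(claims, claimName) {
  const value = claims[claimName];
  if (Array.isArray(value)) return value.filter((g) => typeof g === "string");
  if (typeof value === "string") return value.split(/[\s,]+/).filter(Boolean);
  return [];
}

// Fail closed: an assigned task belongs to its assignee only; an unassigned
// task needs an overlap between candidateGroups and the user's groups.
function mayViewAndClaim(task, username, userGroups) {
  if (task.assignee) return task.assignee === username;
  return (task.candidateGroups || []).some((g) => userGroups.includes(g));
}

function visibleTasks(tasks, token, claimName) {
  const claims = decodeJwtPayload(token);
  const groups = groupsFromClaims(claims, claimName);
  return tasks.filter((t) => mayViewAndClaim(t, claims.sub, groups));
}

// Constructed sample data (not from a real IAM or Tasklist instance).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ sub: "demo", groups: ["accounting"] }), "constructed-signature"].join(".");
const SAMPLE_TASKS = [
  { id: "1", assignee: null, candidateGroups: ["accounting"] },
  { id: "2", assignee: null, candidateGroups: ["hr"] },
  { id: "3", assignee: "demo", candidateGroups: ["hr"] },
  { id: "4", assignee: null, candidateGroups: [] },
];

console.log(visibleTasks(SAMPLE_TASKS, SAMPLE_TOKEN, "groups").map((t) => t.id));
```

Run the filter in the backend that serves the custom UI; a check done only in the browser hides tasks without restricting access to them.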