ENV: Camunda 7.6
Approach: Single Process Engine With Tenant-Identifiers, Database Identity Service
Given: Application users may belong to more than 1 tenant. Authentication and authorization are done by a service that will be calling Camunda REST API to start the process instance. The service knows which tenant the process instance will belong to, and Camunda does not.
Hello members of Camunda forum!
When starting a shared process definition (process definition with a tenantId of null), I would like to provide the tenantId for the process instance. The process instance creation request will be made via HTTP request, through the Camunda REST API. Below are a couple of approaches that I have in mind at the moment.
- Creating a new REST endpoint on `/process-definition` that requires a tenantId as one of the required parameters. Using the passed tenantId and leveraging Transparent Access Restrictions for Tenants, assign tenantId to the process instance.
- Create a custom TenantIdProvider that will retrieve `tenantId` from the process variables; this means every process start request will have to include ‘tenantId’ variable. Code snippet for this approach:
```java
@Override
public String provideTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
  return getTenantIdForProcessInstance(ctx);
}

// Reads the tenant id from the "tenantId" variable sent with the start request.
protected String getTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
  String tenantId = (String) ctx.getVariables().get("tenantId");
  if (tenantId == null) {
    // Fail the start request rather than create an instance without a tenant.
    throw new IllegalArgumentException("tenantId was not provided");
  }
  return tenantId;
}
```
Of the two approaches, is there an approach that is preferred? If so, are there any caveats that I should be aware of when moving forward with the approach? If there is any other preferred way to achieve this, I would sincerely appreciate it if you could share it here. I’m pretty new to Camunda and I’m sorry if my question is too rudimentary or confusing to understand.
Thank you so much for your help in advance!
Paul
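
A fuller version of the second approach, as an added example that is not part of the original post or Camunda's own code: it validates the client-supplied `tenantId` variable instead of casting it, lets instances started by a call activity inherit the caller's tenant, and rejects a tenant that the engine's current authentication does not list. The class name and the tenant id pattern are assumptions.

```java
import java.util.regex.Pattern;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProvider;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderCaseInstanceContext;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderHistoricDecisionInstanceContext;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderProcessInstanceContext;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.engine.variable.VariableMap;

// Added example; ValidatingTenantIdProvider is a hypothetical class name.
public class ValidatingTenantIdProvider implements TenantIdProvider {
  // Assumed tenant id format; adjust to the ids your tenants actually use.
  private static final Pattern TENANT_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

  @Override
  public String provideTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
    return resolve(ctx.getSuperExecution(), ctx.getVariables());
  }

  @Override
  public String provideTenantIdForCaseInstance(TenantIdProviderCaseInstanceContext ctx) {
    return resolve(ctx.getSuperExecution(), ctx.getVariables());
  }

  @Override
  public String provideTenantIdForHistoricDecisionInstance(TenantIdProviderHistoricDecisionInstanceContext ctx) {
    DelegateExecution execution = ctx.getExecution();
    return execution != null ? execution.getTenantId() : null;
  }

  private String resolve(DelegateExecution caller, VariableMap variables) {
    // Started by a call activity: keep the parent's tenant, never re-read it from variables.
    if (caller != null && caller.getTenantId() != null) {
      return caller.getTenantId();
    }
    Object raw = variables == null ? null : variables.get("tenantId");
    if (!(raw instanceof String) || !TENANT_ID.matcher((String) raw).matches()) {
      throw new IllegalArgumentException("tenantId variable is missing or malformed");
    }
    String tenantId = (String) raw;
    // If the engine holds an authentication for this call, the claimed tenant must be one of its tenants.
    Authentication auth = Context.getProcessEngineConfiguration().getIdentityService().getCurrentAuthentication();
    if (auth != null && auth.getTenantIds() != null && !auth.getTenantIds().contains(tenantId)) {
      throw new IllegalArgumentException("caller is not a member of tenant " + tenantId);
    }
    return tenantId;
  }
}
```

The membership check only runs when the request carries an engine authentication; without one, the variable is taken as given and the calling service remains the only gate on which tenant a user may start instances for.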