Setting tenant id at the start of a shared process definition

ENV: Camunda 7.6

Approach: Single Process Engine With Tenant-Identifiers, Database Identity Service

Given: Application users may belong to more than 1 tenant. Authentication and authorization are done by a service that will be calling Camunda REST API to start the process instance. The service knows which tenant the process instance will belong to, and Camunda does not.

Hello members of Camunda forum!

When starting a shared process definition (a process definition with a tenantId of null), I would like to provide the tenantId for the process instance. The process instance creation request will be made via an HTTP request, through the Camunda REST API. Below are a couple of approaches that I have in mind at the moment.

  1. Creating a new rest endpoint on /process-definition that requires a tenantId as one of the required parameters. Using the passed tenantId and leveraging Transparent Access Restrictions for Tenants, assign tenantId to the process instance

  2. Create a custom TenantIdProvider that will retrieve tenantId from the process variables; this means every process start request will have to include ‘tenantId’ variable. Code snippet for this approach:

```java
// Called by the engine when an instance of a shared definition (tenantId == null) is started.
@Override
public String provideTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
	return getTenantIdForProcessInstance(ctx);
}

// Reads the tenant from the "tenantId" start variable and rejects the start if it is absent.
protected String getTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
	String tenantId = (String) ctx.getVariables().get("tenantId");
	if (tenantId == null) {
		throw new IllegalArgumentException("tenantId was not provided");
	}
	return tenantId;
}
```

Of the two approaches, is there an approach that is preferred? If so, are there any caveats that I should be aware of, when moving forward with the approach? If there is any other preferred way to achieve this, I would sincerely appreciate if you could share them here. I’m pretty new to Camunda and I’m sorry if my question is too rudimentary or confusing to understand.

Thank you so much for your help in advance!

Paul

Hi Paul,

Only the second approach should work. If you have a shared process definition then you need a TenantIdProvider to assign the process instance to a tenant. Using the transparent access restrictions, you can only restrict the access of tenant data but you cannot assign a tenant id to an instance.

Best regards,
Philipp
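
The variable-based provider discussed above takes the tenant from request data, so the value is only as trustworthy as the caller. The following is an added example, not code from the thread or from the Camunda project: a complete TenantIdProvider that accepts the "tenantId" variable only when it is one of the authenticated caller's tenants. The class name is hypothetical, and it assumes the calling service authenticates towards the engine so that a current authentication with tenant ids is set.

```java
import java.util.List;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProvider;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderCaseInstanceContext;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderHistoricDecisionInstanceContext;
import org.camunda.bpm.engine.impl.cfg.multitenancy.TenantIdProviderProcessInstanceContext;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.identity.Authentication;
import org.camunda.bpm.engine.variable.VariableMap;

// Added example: the class name is hypothetical; "tenantId" is the variable name used in the thread.
public class CheckedTenantIdProvider implements TenantIdProvider {

  @Override
  public String provideTenantIdForProcessInstance(TenantIdProviderProcessInstanceContext ctx) {
    return resolve(ctx.getVariables());
  }

  @Override
  public String provideTenantIdForCaseInstance(TenantIdProviderCaseInstanceContext ctx) {
    return resolve(ctx.getVariables());
  }

  @Override
  public String provideTenantIdForHistoricDecisionInstance(
      TenantIdProviderHistoricDecisionInstanceContext ctx) {
    return null; // historic decision instances are left without a tenant in this example
  }

  protected String resolve(VariableMap variables) {
    Object value = (variables == null) ? null : variables.get("tenantId");
    if (!(value instanceof String) || ((String) value).trim().isEmpty()) {
      throw new ProcessEngineException("tenantId variable is missing or is not a string");
    }
    String tenantId = (String) value;

    // Assumption: the caller is authenticated towards the engine, so its tenant
    // memberships are available. Fail closed when they are not.
    Authentication auth = Context.getProcessEngineConfiguration()
        .getIdentityService().getCurrentAuthentication();
    List<String> allowed = (auth == null) ? null : auth.getTenantIds();
    if (allowed == null || !allowed.contains(tenantId)) {
      throw new ProcessEngineException("caller is not a member of the requested tenant");
    }
    return tenantId;
  }
}
```

The provider is registered on the engine configuration through `setTenantIdProvider(...)`, for example from a process engine plugin.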

Nice Solution @mochifore.

Did you find a way to configure your custom Tenant provider for a Shared Process Engine without affecting other applications? (Obviously if you are using a shared process engine).