
Enabling Authorization does not enable Role Based Access Control with Candidate Groups

    • Type: Bug Report
    • Resolution: Cannot Reproduce
    • Priority: L3 - Default
    • Fix Version/s: None
    • Affects Version/s: 7.12.0
    • Component/s: spring-boot
    • Labels: None
    • Environment: Windows 1024h

      I am using Camunda Spring boot community edition 7.12

      In a workflow process when I assign a human task to a Candidate Group only people in that Candidate Group should be able to claim and complete the task.

      I tried two different ways to test this but it does not work.

      I have

            camunda:
              bpm:
                authorization:
                  enabled: true

      in my application.yml and also explicitly set using Defaults.INSTANCE.setAuthorizationEnabled(true); in my code.

      (1) From user administration created custom Candidate Groups and assigned them to users and then mapped Human tasks. Then I try to claim and complete tasks.

      (2) Create a Bearer token Authentication provider which reads a JWT token from our authentication server and based on what is in the token it sets the groups (Candidate Groups) to the user using AuthenticationResults.setGroups() method.

       

      Irrespective of what way I follow, anybody can claim anything and complete anything. No access control is enforced. This is a key requirement in any workflow application.

      If I am doing anything wrong, please let me know how to make this work. If this is not working, please give us a quick fix because this is a critical functionality.


            Activity:
            Dulshan De Silva created the issue.
            Yana Vasileva set Assignee to Yana Vasileva [ yana.vasileva ].
            Yana Vasileva changed Labels (original value: SUPPORT).
            Yana Vasileva added a link: This issue is related to CAMTEAM-88 [ CAMTEAM-88 ].

            Yana Vasileva added a comment -

            Hi dulshand@yahoo.com,

            Thank you for raising this issue.

            We will need more details in order to understand the scenario better.

            1. Which API do you use to claim and complete the tasks?
            2. Could you please attach the following files as well:

            • pom.xml
            • application.yaml

            Best regards,
            Yana

            Dulshan De Silva added a comment -

            Hi,
            I am mostly using REST API and the JWT token sets groups to the user.
            But it protects only REST end point.

            But you can recreate easily by using tasklist and admin application. Just build a Spring Boot version 2.2.1 jar with Camunda 2.2.1. You need to enable security as described in the application.yml. Create a process with two Candidate groups called Group A and Group B. Put two User tasks, I mean the box that has a bust of a human. Assign group A to task 1. Assign group B to task 2. Deploy the process. Go to User Administration and create Group A and Group B user groups. Create user 1 and give access to task list (no camunda_admin) and also assign Group A to user 1. Assign Group B to user 2. Now login as user 1 when the task is in task one and claim and complete. The user1 should be able to do that. Then after it moves to task 2, as user 1 try to claim the task. The user should not be able to claim the task, because the user is not in Role B.
            But that does not seem to work. User 1 can complete any task. If I apply REST API, same issue. At least I want to make this work in REST API.
            We want a non camunda_admin user to be able to access tasks only in their candidate group and then claim them only to the ones that they are permitted to via candidate groups. Otherwise what is the use of the Candidate groups?
            Can you make sure the Candidate groups functionality works?
            Unfortunately I may not be allowed to share configuration files due to company policy.
            We use spring boot 2.2.1, camunda 7.12.0 and camunda-camel.
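The scenario in the issue description and in the comment above (two user tasks restricted to Group A and Group B, a user in Group A who must be able to work task 1 but not task 2) can be pinned down as an engine-level test, which is the fastest way to separate "authorization is not enforced" from "my caller never carries an identity". The test below is an added example, not code from the issue or from the Camunda project. It assumes camunda-engine 7.x, the BPMN model API, JUnit 4 and an H2 in-memory database on the classpath; the process key, task ids, group and user names are made up. `setAuthorizationEnabled(true)` is the programmatic counterpart of the `camunda.bpm.authorization.enabled: true` property quoted in the description. The security-relevant detail it exercises is that the Camunda engine performs authorization checks only for commands that carry an authenticated identity (set via `IdentityService.setAuthentication`, which the REST API's authentication filter does for you but an embedded Java caller must do itself); a call made with no authentication set is treated as a trusted system call and bypasses every check, which produces exactly the "anybody can claim anything" symptom.

```java
// Added example (not from the Jira issue or the Camunda project): verifies that, with
// authorization enabled, membership in a task's candidate group is enforced on claim,
// and that a caller without an authenticated identity bypasses the checks entirely.
// Assumes camunda-engine 7.x, camunda-bpmn-model, JUnit 4 and H2 on the classpath.
import java.util.Collections;

import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.task.Task;
import org.camunda.bpm.model.bpmn.Bpmn;
import org.camunda.bpm.model.bpmn.BpmnModelInstance;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;

public class CandidateGroupAuthorizationTest {

  private ProcessEngine engine;
  private TaskService taskService;

  @Before
  public void setUp() {
    engine = ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration()
        .setAuthorizationEnabled(true)   // same switch as camunda.bpm.authorization.enabled
        .buildProcessEngine();
    taskService = engine.getTaskService();

    // Constructed model: two user tasks, each reserved for a different candidate group.
    BpmnModelInstance model = Bpmn.createExecutableProcess("two-step")
        .startEvent()
        .userTask("task1").camundaCandidateGroups("groupA")
        .userTask("task2").camundaCandidateGroups("groupB")
        .endEvent()
        .done();

    // No authentication is set here, so deployment and process start run unchecked:
    // this is the trusted "system" bootstrap phase, not a user action.
    engine.getRepositoryService().createDeployment()
        .addModelInstance("two-step.bpmn", model).deploy();
    engine.getRuntimeService().startProcessInstanceByKey("two-step");
  }

  @After
  public void tearDown() {
    engine.close();
  }

  // Look the task up without an identity so the query itself is not filtered.
  private Task findTask(String taskDefinitionKey) {
    engine.getIdentityService().clearAuthentication();
    return taskService.createTaskQuery().taskDefinitionKey(taskDefinitionKey).singleResult();
  }

  // Act as a user who belongs to exactly one group (hypothetical user/group ids).
  private void actAs(String userId, String group) {
    engine.getIdentityService().setAuthentication(userId, Collections.singletonList(group));
  }

  @Test
  public void memberOfCandidateGroupCanClaimAndComplete() {
    String task1 = findTask("task1").getId();
    actAs("user1", "groupA");
    taskService.claim(task1, "user1");
    taskService.complete(task1);
    assertNotNull("task2 should now be active", findTask("task2"));
  }

  @Test
  public void nonMemberCannotClaimTaskOfOtherGroup() {
    String task1 = findTask("task1").getId();
    actAs("user1", "groupA");
    taskService.claim(task1, "user1");
    taskService.complete(task1);

    String task2 = findTask("task2").getId();
    actAs("user1", "groupA");   // user1 is not in groupB
    try {
      taskService.claim(task2, "user1");
      fail("user1 must not be able to claim a task reserved for groupB");
    } catch (AuthorizationException expected) {
      // The default task authorization created for task2 was granted to groupB only.
    }
  }

  @Test
  public void withoutAuthenticationEverythingIsAllowed() {
    // The trap behind "anybody can claim anything": a Java API caller that never sets
    // an authentication is treated as a trusted system call and skips all checks.
    String task1 = findTask("task1").getId();
    engine.getIdentityService().clearAuthentication();
    taskService.claim(task1, "someone-else");   // succeeds, no AuthorizationException
    assertEquals("someone-else", findTask("task1").getAssignee());
  }
}
```

If the second test passes in isolation but the application still lets anyone claim anything, the engine is enforcing candidate groups and the gap is in how the application identifies the caller: either the command runs without `setAuthentication` (typical for service-layer Java code invoked outside the REST filter), the user is in the engine's admin group, or the user holds a broad grant on the Task or Process Definition resource that makes the narrower per-task grants irrelevant.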
