camunda BPM / CAM-12860

Documentation: Batch permissions


      Batch authorization documentation states that

      "The specific “Create …” permission has higher priority than the general “Create” permission."

      which is not clear enough.
      In fact, it means that

      "The specific “Create …” (of type DENY) permission has higher priority than the general “Create” (of type ALLOW) permission."

       

      Scenario 1:

      • General CREATE is set (ALLOW), so the user can create every batch operation
      • Specific CREATE_BATCH_DELETE_FINISHED_PROCESS_INSTANCES is unchecked (ALLOW)
      • Result: the user is able to create the batch operation to delete finished process instances, due to the general CREATE permission

      Scenario 2:

      • General CREATE is set (ALLOW)
      • Specific CREATE_BATCH_DELETE_FINISHED_PROCESS_INSTANCES is set (DENY)
      • Result: the user is not able to create the batch operation to delete finished process instances
        • As per the documentation, the specific CREATE... has higher priority.

      It is clear that permissions should be set as per the whitelist and not the blacklist approach. However, the documentation could be more clear.
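Added example, not part of the original issue and not Camunda's engine code: a small Python model of the precedence rule described above, covering both scenarios and showing what a general CREATE leaves open when only selected operations are denied. Assumptions: an unset permission is treated as absent, nothing set means denied, a specific ALLOW alone is sufficient, and the two `CREATE_BATCH_PLACEHOLDER_*` names are hypothetical.

```python
# Model of the rule from this issue: a specific "Create ..." DENY overrides
# the general "Create" ALLOW. Illustration only, not Camunda's implementation.
ALLOW, DENY = "ALLOW", "DENY"
GENERAL = "CREATE"
DELETE_FINISHED = "CREATE_BATCH_DELETE_FINISHED_PROCESS_INSTANCES"  # from the issue

# Constructed operation list; the PLACEHOLDER names are hypothetical.
OPERATIONS = [
    DELETE_FINISHED,
    "CREATE_BATCH_PLACEHOLDER_A",
    "CREATE_BATCH_PLACEHOLDER_B",
]


def can_create(entries, operation):
    """entries maps a permission name to ALLOW or DENY; a missing key means 'not set'."""
    specific = entries.get(operation)
    if specific == DENY:
        return False  # Scenario 2: specific DENY wins over general ALLOW
    if specific == ALLOW:
        return True   # assumption: a specific ALLOW is sufficient on its own
    # Scenario 1: nothing specific set, fall back to the general CREATE.
    # Assumption: if that is not set either, the request is denied.
    return entries.get(GENERAL) == ALLOW


def effective(entries, operations=OPERATIONS):
    """Effective create permission per batch operation."""
    return {op: can_create(entries, op) for op in operations}


def implicitly_allowed(entries, operations=OPERATIONS):
    """Operations permitted only through the general CREATE.

    In a blacklist-style setup (general ALLOW plus selected DENYs) this is
    everything nobody explicitly reviewed, including operations added later.
    """
    return [op for op in operations
            if can_create(entries, op) and entries.get(op) != ALLOW]


if __name__ == "__main__":
    scenario_1 = {GENERAL: ALLOW}
    scenario_2 = {GENERAL: ALLOW, DELETE_FINISHED: DENY}
    whitelist = {DELETE_FINISHED: ALLOW}
    for name, entries in [("scenario 1", scenario_1),
                          ("scenario 2", scenario_2),
                          ("whitelist", whitelist)]:
        print(name, effective(entries), "implicit:", implicitly_allowed(entries))
```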


              daniel.ewing Daniel Ewing
              michal.dytko Michał Dytko
              Tobias Metzke-Bernstein Tobias Metzke-Bernstein