L3 - Default User Story (Required on creation):
In LDAP it is possible to create a hierarchy of groups: Group B can be contained in Group A, so that all members of B are also members of A without being directly assigned. Currently, the Java APIs do not take this hierarchical membership into account, e.g. in the following cases:
- A user U is a member of group B, a task candidate group is set to A: The filter TaskQuery#candidateUser("U") does not return the task
- UserQuery#memberOfGroup("A") does not return U (TODO: needs clarification)
Functional Requirements (Required before implementation):
- Transitive group membership is transparent in the Java APIs (i.e. being a member in a "transitive" group behaves the same as being a direct member in a group)
Technical Requirements (Required before implementation):
- OPEN questions:
- What does a group hierarchy in LDAP really represent? If a group is contained within another group, does that mean that users are treated as members of both, or is it rather that this represents an organizational hierarchy, where users of the lower group are not meant to be users of the higher group => this can for example influence if the resolution of hierarchical groups should be the default or if it must be configurable
- Is this technically feasible?
This ticket was migrated to github: https://github.com/camunda/camunda-bpm-platform/issues/2635. Please use this link for any future references and continue any discussion there.