TaskService api methods are restricted through authorizations

    • Type: Feature Request
    • Resolution: Fixed
    • Priority: L3 - Default
    • 7.3.0, 7.3.0-alpha3
    • Affects Version/s: None
    • Component/s: engine
    • None

      There are two new (authorization) resources:

      • ProcessDefinition
      • Task

      It is possible to define the following permissions on a Task resource:

      • CREATE
      • READ
      • UPDATE
      • DELETE

      and on a ProcessDefinition resource:

      • READ_TASK
      • UPDATE_TASK

      The following authorization checks must be performed, depending on the context in which the task exists:

      Part of a running process instance:
      (1) READ on Task or READ_TASK on ProcessDefinition to be able to read a task
      (2) UPDATE on Task or UPDATE_TASK on ProcessDefinition to be able to update a task (e.g. to set an assignee or to complete a task using the TaskService)
      (3) In such a case a DELETE permission defined on a Task resource does not have any effect. (It is not possible to delete a task which is part of a running process instance using TaskService#deleteTask())

      Part of a running case instance:
      No authorization check is necessary. It is always possible to read or update a task which is part of a running case instance.

      Standalone task:
      (1) READ on Task to be able to read a task
      (2) UPDATE on Task to be able to update a task (e.g. to set an assignee or to complete a task using the TaskService)
      (3) DELETE on Task to be able to delete a task using TaskService#deleteTask()
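
The decision rules above, written out as an added example: a stand-alone Java model, not the engine's own code. The class, enum and method names are hypothetical, and denying deletion of a case-instance task is an assumption, since the ticket does not cover that case.

```java
import java.util.EnumSet;
import java.util.Set;

// Stand-alone model of the checks described in this ticket; not the engine's own code.
public class TaskAuthorizationModel {
    enum Context { PROCESS_INSTANCE, CASE_INSTANCE, STANDALONE }
    enum Operation { READ, UPDATE, DELETE }
    enum TaskPerm { CREATE, READ, UPDATE, DELETE }  // permissions on a Task resource
    enum DefPerm { READ_TASK, UPDATE_TASK }         // permissions on a ProcessDefinition resource

    /** Returns true if the operation passes the check that applies to the task's context. */
    static boolean isAllowed(Context ctx, Operation op, Set<TaskPerm> onTask, Set<DefPerm> onDef) {
        switch (ctx) {
            case CASE_INSTANCE:
                // No authorization check for read and update. Deleting a case task is not
                // covered by the ticket; denying it is an assumption of this model.
                return op != Operation.DELETE;
            case PROCESS_INSTANCE:
                if (op == Operation.READ) {
                    return onTask.contains(TaskPerm.READ) || onDef.contains(DefPerm.READ_TASK);
                }
                if (op == Operation.UPDATE) {
                    return onTask.contains(TaskPerm.UPDATE) || onDef.contains(DefPerm.UPDATE_TASK);
                }
                return false; // a DELETE grant on the Task has no effect in this context
            default:
                // STANDALONE: only Task permissions apply, there is no process definition.
                return onTask.contains(TaskPerm.valueOf(op.name()));
        }
    }

    public static void main(String[] args) {
        Set<TaskPerm> noTaskPerms = EnumSet.noneOf(TaskPerm.class);
        Set<TaskPerm> deleteOnly = EnumSet.of(TaskPerm.DELETE);
        Set<DefPerm> noDefPerms = EnumSet.noneOf(DefPerm.class);
        Set<DefPerm> updateTask = EnumSet.of(DefPerm.UPDATE_TASK);

        // Constructed cases: a definition-level grant, an inert DELETE grant,
        // the same DELETE grant on a standalone task, and an unchecked case task.
        System.out.println("process update via UPDATE_TASK: "
                + isAllowed(Context.PROCESS_INSTANCE, Operation.UPDATE, noTaskPerms, updateTask));
        System.out.println("process delete with DELETE grant: "
                + isAllowed(Context.PROCESS_INSTANCE, Operation.DELETE, deleteOnly, noDefPerms));
        System.out.println("standalone delete with DELETE grant: "
                + isAllowed(Context.STANDALONE, Operation.DELETE, deleteOnly, noDefPerms));
        System.out.println("case read with no grants: "
                + isAllowed(Context.CASE_INSTANCE, Operation.READ, noTaskPerms, noDefPerms));
    }
}
```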

            Assignee:
            Sebastian Menski
            Reporter:
            Roman Smirnov
            Votes:
            0
            Watchers:
            1
