Details
-
Feature Request
-
Resolution: Fixed
-
L3 - Default
-
None
-
None
Description
There are two new (authorization) resources:
- ProcessDefinition
- Task
It is possible to define the following permissions on a Task resource:
- CREATE
- READ
- UPDATE
- DELETE
and on a ProcessDefinition resource:
- READ_TASK
- UPDATE_TASK
The following authorization checks must be done regarding to the context of the task in which it exists:
Part of a running process instance:
(1) READ on Task or READ_TASK on ProcessDefinition to be able to read a task
(2) UPDATE on Task or UPDATE_TASK on ProcessDefinition to be a able to update a task (e.g. to set an assignee or to complete a task using the TaskService)
(3) In such a case a DELETE permission defined on a Task resource does not have any effect. (It is not possible to delete a task which is part of a running process instance using TaskService#deleteTask())
Part of a running case instance:
It is not necessary to do an authorization check. It is always able to read or to update a task which is part of a running case instance.
Standalone task:
(1) READ on Task to be able to read a task
(2) UPDATE on Task to be a able to update a task (e.g. to set an assignee or to complete a task using the TaskService)
(3) DELETE on Task to be able to delete a task using the TaskService#deleteTask())
