Details
-
Feature Request
-
Resolution: Fixed
-
L3 - Default
-
None
-
None
Description
There are two (authorization) resources:
- ProcessInstance
- ProcessDefinition
It is possible to define the following permissions on a ProcessInstance resource:
- CREATE
- READ
- UPDATE
- DELETE
and on a ProcessDefinition resource:
- CREATE_INSTANCE
- READ_INSTANCE
- UPDATE_INSTANCE
- DELETE_INSTANCE
To execute some actions using the RuntimeService the following authorization checks are necessary:
(1) Start process instance:
- CREATE on ProcessInstance and
- CREATE_INSTANCE on ProcessDefinition
(2) Read a process instance (or execution)
- READ on ProcessInstance or
- READ_INSTANCE on ProcessDefinition
(3) Update a process instance (or execution) (eg. signal, correlate message, modify instance etc.)
- UPDATE on ProcessInstance or
- UPDATE_INSTANCE on ProcessDefinition
(4) Delete a process instance
- DELETE on ProcessInstance or
- DELETE_INSTANCE on ProcessDefinition
To execute the queries the following authorization checks are necessary to fetch an element:
(1) ProcessInstanceQuery
- READ on ProcessInstance or
- READ_INSTANCE on ProcessDefinition
(2) ExecutionQuery
- READ on ProcessInstance or
- READ_INSTANCE on ProcessDefinition
(3) IncidentQuery
- READ on ProcessInstance or
- READ_INSTANCE on ProcessDefinition
(4) EventSubscriptionQuery
- READ on ProcessInstance or
- READ_INSTANCE on ProcessDefinition
(5) VariableInstanceQuery
- variable instance is part of a running process instance (VariableInstance#executionId is not null)
- READ on ProcessInstance or
- READ_INSTANCE on ProcessDefinition
- variable instance is part of a running case instance (VariableInstance#caseExecutionId is not null)
- No authorization check necessary
- variable instance is not part of a running process nor case instance (VariableInstance#executionId and VariableInstance#caseExecutionId is null)
- READ on TASK