Authorization exception properties are inconsistently populated


    • Type: Bug Report
    • Resolution: Fixed
    • Priority: L3 - Default
    • 7.4.0, 7.4.0-alpha1
    • Affects Version/s: None
    • Component/s: engine

      AuthorizationExceptions are part of the engine API. They offer methods to cleanly determine which permission is missing; see https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/AuthorizationException.java

      However, this is only used when there is exactly one missing permission. In case of more than one permission (of which the user must have any), only the error message is populated but not the properties. See https://github.com/camunda/camunda-bpm-platform/blob/master/engine/src/main/java/org/camunda/bpm/engine/impl/persistence/entity/AuthorizationManager.java#L163-L188

      Impact for us: Our authorization tests rely on strings present in the error message whereas a structured exception would improve assertions.

      Solution idea:

      • AuthorizationException should contain a list of missing permissions of which the user must have at least one for the engine to proceed beyond the point where it threw the exception
      • deprecate the current getter methods in the exception class
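
A sketch of the solution idea above, added here as an illustration; it is not part of the original report and not the engine's code. The class names `MissingPermission` and `StructuredAuthorizationException`, the message format, and the sample user, permissions and resource ids are hypothetical and constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical stand-ins for illustration; these are not the engine's classes.
public class StructuredAuthorizationExceptionExample {
  /** One permission/resource pair the user lacked. */
  static final class MissingPermission {
    final String permissionName, resourceType, resourceId;
    MissingPermission(String permissionName, String resourceType, String resourceId) {
      this.permissionName = permissionName;
      this.resourceType = resourceType;
      this.resourceId = resourceId;
    }
    @Override public String toString() {
      return "'" + permissionName + "' permission on resource '" + resourceId + "' of type '" + resourceType + "'";
    }
  }

  /** Carries every alternative; holding any one of them would have passed the check. */
  static final class StructuredAuthorizationException extends RuntimeException {
    private final String userId;
    private final List<MissingPermission> missing;
    StructuredAuthorizationException(String userId, List<MissingPermission> missing) {
      super("The user with id '" + userId + "' does not have one of the following permissions: " + missing);
      this.userId = userId;
      this.missing = Collections.unmodifiableList(new ArrayList<>(missing)); // defensive copy
    }
    String getUserId() { return userId; }
    List<MissingPermission> getMissingPermissions() { return missing; }
  }

  public static void main(String[] args) {
    try {
      // Constructed sample: the check accepts either of two permissions.
      throw new StructuredAuthorizationException("jonny", Arrays.asList(
          new MissingPermission("UPDATE", "ProcessInstance", "anInstanceId"),
          new MissingPermission("UPDATE_INSTANCE", "ProcessDefinition", "aDefinitionKey")));
    } catch (StructuredAuthorizationException e) {
      // Assert on structured fields instead of substrings of e.getMessage().
      List<MissingPermission> missing = e.getMissingPermissions();
      if (missing.size() != 2 || !"UPDATE_INSTANCE".equals(missing.get(1).permissionName)) {
        throw new AssertionError("unexpected missing permissions: " + missing);
      }
      System.out.println(e.getUserId() + " lacks any of " + missing.size() + " permissions");
    }
  }
}
```

An authorization test written against such a list keeps passing when the message wording changes and fails when the set of accepted permissions changes.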

            Assignee:
            Thorben Lindhauer
            Reporter:
            Thorben Lindhauer