AT:

• on login the user is authorized against each engine configured and the permissions per user & engine are stored
• on listing process/decision definitions a user only sees the definitions & tenants from engines he is authorized to access
• in multi engine scenario the following holds for user authorizations:
  • once a users logs in, we try to authenticate him on each configured engine. For each engine the user is authenticated successfully with we fetch Optimize application authorization and resource authorizations (definition & tenant authorizations)
  • a user can access Optimize as soon as one engine grants Optimize Application Access
  • if there are several engines with the same definitions (same key + version) a different `defaultTenantId` needs to be configured for each of those engines
    • then the user can only see the data of the definition+tenant combinations he has been granted access to by each of the engines
  • the case that there are several engines with the same definitions (same key + version) and no `defaultTenantId` is configured is not supported and leads to inconsistent behavior (e.g. if same key exists on multiple engines, multiple process definitions are listed for the same key etc.) => needs to be highlighted in the documentation
    • the same limitation applies if the same tenant and definition key pair is present on multiple engines
• the multi-engine documentation is updated to reflect the new behavior