Camunda Optimize / OPT-5323

Evaluate adding authentication checks to authorization retrieval


    Description

      Context:

      Forum Post:

      https://forum.camunda.org/t/global-authorization-allows-non-authenticated-users-on-the-process-engine-to-read-defintions/27962 

      Summary:

      Authorizations in the engine are independent of whether the user exists on that engine (or in its identity provider), because the engine also supports setups where user management is not integrated within the engine. This means that a global authorization applies to any user id, even one that does not exist in the engine or is not authenticated on that engine.

      Optimize mirrors this behaviour. It can be reproduced as follows (MultiEngineDefinitionAuthorizationIT can be used to replicate the steps below):

      1. Given two engines and a user Kermit who exists only on engine 1 and is granted Optimize access on that engine
      2. Deploy two definitions: one on engine 1 and one on engine 2
      3. Grant global resource authorizations for all definitions on both engine 1 and engine 2
      4. Retrieve all definitions as Kermit
      5. The result contains both definitions, including the one on engine 2. From a user perspective this is unexpected: users would expect the result to include only the definition on engine 1.

      While this behaviour is "correct" in that Optimize grants access to every definition the user is authorized for according to the authorizations each engine returns for that user, it is unexpected.
      We should consider whether it makes sense to adjust the authorization service in Optimize to add an additional authentication check, and then apply only those authorizations that exist on engines the given user actually has access to (engines on which the user exists and is authenticated).
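
      The following is an added, constructed model of the behaviour described above and of the proposed check. It is not Camunda Optimize code and does not use Optimize's classes or API: the `Engine`/`Authorization` types, the permission strings, and the `is_authenticated_on` check are assumptions chosen to illustrate the ticket. Only the use of `*` as the "any user" marker for a global grant follows the engine's own convention (`Authorization.ANY`).

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed model of a multi-engine authorization lookup, written to
# illustrate OPT-5323. It is NOT Camunda Optimize code; types, permission
# strings and the authentication check are illustrative assumptions.
# '*' as "any user" matches the engine's global-authorization convention
# (Authorization.ANY); everything else here is made up for the example.
ANY = "*"
DEFINITION = "PROCESS_DEFINITION"
APPLICATION = "APPLICATION"
OPTIMIZE_APP = "optimize"


@dataclass(frozen=True)
class Authorization:
    user_id: str        # a concrete user id, or ANY for a global authorization
    resource_type: str  # e.g. PROCESS_DEFINITION or APPLICATION
    resource_id: str    # a definition key / application name, or ANY for all
    permission: str     # e.g. "READ_HISTORY", "ACCESS"


@dataclass
class Engine:
    name: str
    users: Set[str]                      # identities known to this engine
    authorizations: List[Authorization]
    definitions: List[str]               # definition keys deployed here


def authorizations_for(engine: Engine, user_id: str) -> List[Authorization]:
    """What the engine reports for a user id: its explicit grants plus every
    global grant. As the ticket notes, this does not depend on whether the
    user exists on the engine at all."""
    return [a for a in engine.authorizations if a.user_id in (user_id, ANY)]


def permits(auths, resource_type: str, resource_id: str, permission: str) -> bool:
    return any(
        a.resource_type == resource_type
        and a.resource_id in (resource_id, ANY)
        and a.permission == permission
        for a in auths
    )


def is_authenticated_on(engine: Engine, user_id: str) -> bool:
    """The proposed additional check: the user must exist on the engine and
    hold Optimize application access there (this model's reading of
    "engines the user has access to")."""
    if user_id not in engine.users:
        return False
    return permits(authorizations_for(engine, user_id), APPLICATION, OPTIMIZE_APP, "ACCESS")


def visible_definitions(engines, user_id: str, require_authentication: bool):
    """Definitions the user may read, as (engine name, definition key).
    require_authentication=False reproduces the current behaviour: every
    engine's authorizations are applied, so a global grant on an engine that
    has never heard of the user still exposes that engine's definitions."""
    visible: List[Tuple[str, str]] = []
    for engine in engines:
        if require_authentication and not is_authenticated_on(engine, user_id):
            continue
        auths = authorizations_for(engine, user_id)
        for key in engine.definitions:
            if permits(auths, DEFINITION, key, "READ_HISTORY"):
                visible.append((engine.name, key))
    return visible


# Constructed fixture mirroring the ticket's reproduction: Kermit exists only
# on engine 1, and both engines carry a global grant on all definitions.
ENGINES = [
    Engine(
        name="engine-1",
        users={"kermit"},
        authorizations=[
            Authorization("kermit", APPLICATION, OPTIMIZE_APP, "ACCESS"),
            Authorization(ANY, DEFINITION, ANY, "READ_HISTORY"),
        ],
        definitions=["invoice"],
    ),
    Engine(
        name="engine-2",
        users=set(),
        authorizations=[Authorization(ANY, DEFINITION, ANY, "READ_HISTORY")],
        definitions=["order"],
    ),
]


def current_behaviour(user_id: str):
    return visible_definitions(ENGINES, user_id, require_authentication=False)


def proposed_behaviour(user_id: str):
    return visible_definitions(ENGINES, user_id, require_authentication=True)


if __name__ == "__main__":
    print("kermit, current: ", current_behaviour("kermit"))
    print("kermit, proposed:", proposed_behaviour("kermit"))
    print("unknown user, current: ", current_behaviour("nobody"))
    print("unknown user, proposed:", proposed_behaviour("nobody"))
```

      Run as a script, the model shows the two outcomes the ticket contrasts: with the current lookup Kermit sees `invoice` on engine 1 and `order` on engine 2, and a user id unknown to both engines sees the same two definitions purely through the global grants; with the authentication check in front, Kermit sees only `invoice` and the unknown user sees nothing.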

      People

        Assignee: Unassigned
        Reporter: Helene Waechtler (helene.waechtler)