Prevent access to Camunda Admin Webapplication using Application Authorization


Klaus Ruehl
Jan 6, 2015, 1:59:05 AM
to camunda-...@googlegroups.com
Hi folks,

quick question regarding the application authorizations: the documentation describes how to limit access to the camunda cockpit and tasklist webapplications for certain users/groups. This is simple enough and straightforward. However, testing things on camunda v 7.2.1-ee I am a bit puzzled that there seems to be no impact on accessing the camunda admin webapplication.

To make it clear: I define an application authorization for a certain user group that gives access to the tasklist webapplication only. The expected behavior is that a user of this group can access the tasklist, but not the camunda cockpit and also not the admin webapplication. However, the current behavior is that the cockpit application is indeed not offered, but the admin web application is still visible to the user. Most parts of the admin application are read-only though (users and groups), but it is still possible for the user to enter a new license key (system tab). Okay, it is arguable how much harm is done with the current behavior, but to avoid confusion on the user side, I would like to prevent users of this group from getting access to the admin web application at all.

Is it possible to prevent access/hide the camunda admin webapplication using an application authorization? As stated my initial expectation was that the admin web application is not different here to the cockpit and tasklist webapplication authorization, but maybe I am missing here some background/motivation for the current behavior. Anyway, any hints or workarounds to achieve the desired behavior would be appreciated.

Thanks in advance,
Klaus
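The setup Klaus describes (an application authorization that grants a group ACCESS to the tasklist only), written out against the Camunda Java API as an added example; this is not code from the thread or from the Camunda project itself. The group id `tasklist-users` and user id `jane` are constructed for the example, and it assumes the engine runs with `authorizationEnabled` set to true, since otherwise no authorization is enforced at all. After saving the grant, it queries the engine for each of the three webapps so an administrator can see exactly which ACCESS decisions the authorization data yields for a member of the group.

```java
import java.util.Collections;
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngines;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;

public class TasklistOnlyAuthorization {

    // Constructed identifiers for this example; substitute your own group and user.
    static final String GROUP_ID = "tasklist-users";
    static final String USER_ID = "jane";

    public static void main(String[] args) {
        // Assumes a default process engine is configured with authorizationEnabled=true.
        ProcessEngine engine = ProcessEngines.getDefaultProcessEngine();
        AuthorizationService authorizationService = engine.getAuthorizationService();

        // Grant the group ACCESS to the "tasklist" application resource only.
        grantApplicationAccess(authorizationService, GROUP_ID, "tasklist");

        // Ask the engine what it would decide for a member of the group, per webapp.
        // Members of the camunda-admin group bypass these checks entirely.
        List<String> groups = Collections.singletonList(GROUP_ID);
        for (String app : new String[] {"tasklist", "cockpit", "admin"}) {
            boolean allowed = authorizationService.isUserAuthorized(
                    USER_ID, groups, Permissions.ACCESS, Resources.APPLICATION, app);
            System.out.println(app + " ACCESS for " + USER_ID + ": " + allowed);
        }
    }

    /**
     * Creates and persists a GRANT authorization of type APPLICATION for one webapp.
     * appName is the application resource id: "tasklist", "cockpit" or "admin".
     */
    static Authorization grantApplicationAccess(AuthorizationService svc,
                                                String groupId, String appName) {
        Authorization auth = svc.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        auth.setGroupId(groupId);
        auth.setResource(Resources.APPLICATION);
        auth.setResourceId(appName);
        auth.addPermission(Permissions.ACCESS);
        return svc.saveAuthorization(auth);
    }
}
```

The printed decisions show what the authorization data says (`tasklist: true`, `cockpit: false`, `admin: false` for a user who holds no other grants). As Daniel's reply below explains, in 7.2.1 the admin webapp does not gate its login on that ACCESS decision, so an `admin: false` result from this check does not by itself hide the admin application; the per-resource authorizations on users, groups and other data still limit what the user can read or change inside it.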

Daniel Meyer
Jan 6, 2015, 3:35:59 AM
to camunda-...@googlegroups.com
Hi Klaus,

The idea is that everybody is authorized to log into the admin application. Users can only see and change the kind of data they are authorized to see and change. As you discovered yourself, users can only see and change those other users and groups that they are authorized to see and change. So yes, that is the idea.

I agree that the "license key" page is kind of a margin call. The license key page has kind of "built in security": a user can only enter a valid license key. But it could also be argued that this section of the admin application should not be displayed to all users, only to those users who have "system" authorizations (or some similar authorization that we would introduce).

Cheers,
Daniel

Klaus Ruehl
Jan 7, 2015, 2:17:54 AM
to camunda-...@googlegroups.com
Okay, thanks Daniel,

not exactly the answer I was hoping for ;-), but at least I now understand the background. From the user experience point of view I still think that it would be desirable to allow completely disabling/hiding the admin web application for certain user groups. Some of our novice users got completely lost once they accidentally switched to the admin view, but okay, that is something that we can handle via training/documentation (and there is obviously always the fallback of providing our own custom UI for these people). I just mention this for the record so that it may be taken into account for the further development of the camunda webapps.

Cheers, Klaus

Daniel Meyer
Jan 7, 2015, 3:12:09 AM
to camunda-...@googlegroups.com
Hi Klaus,

thank you. Feedback is always highly appreciated!

Cheers,
Daniel