control which processes can be started by a user


Jan Galinski

Nov 27, 2013, 5:02:50 PM
to camunda-...@googlegroups.com
Hello

we need to restrict starting new process instances to certain user groups. I noticed that the ProcessDefinitionQuery has a method "startableByUser(userId)", but I can't see how I configure the mapping group->process to use this method.

Can someone please point me in the right direction, documentation or example? Thank you!

Jan

Daniel Meyer

Nov 29, 2013, 1:10:39 AM
to camunda-...@googlegroups.com
Hi Jan,

There is a good chance that we will deprecate the method ProcessDefinitionQuery.startableByUser(String) in the future. That is the reason why it is not documented at the moment.

It is a hacky feature that was introduced by a community member in Activiti at a certain point in time and I remember that I strongly objected to adding it but wasn't heard. The use case "who is allowed to create instances of this process definition?" is an authorization use case and as such belongs to a whole class of use cases around process-level authorization. I thought back then - and still think today - that adding some dedicated methods for one single aspect of this in a non-structured and inconsistent way is not the way to go.

In camunda 7.0 we introduced the AuthorizationService and the infrastructure behind it and we will use that API and infrastructure for implementing these use cases properly and in a structured way. Then you will have more fine-grained Permissions both at a process definition and a process instance level.

So at the moment you can use this feature knowing that it will probably be deprecated in the future.

Cheers,
Daniel Meyer

Daniel Meyer

Nov 29, 2013, 1:26:36 AM
to camunda-...@googlegroups.com
Hi Jan,

this is how the feature works. Add this information to your process definition:

   <process ...>
     <extensionElements>
       <camunda:potentialStarter>
         <resourceAssignmentExpression>
           <formalExpression>group(management), user(jonny)</formalExpression>
         </resourceAssignmentExpression>
       </camunda:potentialStarter>
     </extensionElements>

   ...

   </process>


Now you can query it using the repositoryService:

repositoryService.createProcessDefinitionQuery()
  .startableByUser("jonny")
  .list();

Or even the IdentityService (Yäy!! :) ) 

identityService.createUserQuery()
  .potentialStarter("myProcessDefinitionId")
  .list();


Unless you are using the LDAP Identity Service. In that case it does not work (Damn!! ;( )

Cheers,
Daniel
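
An added example, not part of the post above or of the camunda code base: a server-side guard that runs the `startableByUser` query from the post before an instance is started, so the `potentialStarter` list is enforced and not only used to filter what a client displays. It assumes the engine itself does not check the `potentialStarter` list when an instance is started; the class `GuardedProcessStarter` and its method are hypothetical names.

```java
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.RepositoryService;
import org.camunda.bpm.engine.RuntimeService;
import org.camunda.bpm.engine.repository.ProcessDefinition;
import org.camunda.bpm.engine.runtime.ProcessInstance;

/** Hypothetical helper: the single code path the application uses to start instances. */
public class GuardedProcessStarter {

  private final RepositoryService repositoryService;
  private final RuntimeService runtimeService;

  public GuardedProcessStarter(ProcessEngine engine) {
    this.repositoryService = engine.getRepositoryService();
    this.runtimeService = engine.getRuntimeService();
  }

  /** userId must come from the authenticated session, never from request parameters. */
  public ProcessInstance start(String userId, String processDefinitionKey) {
    if (userId == null || userId.isEmpty()) {
      throw new SecurityException("no authenticated user");
    }
    // Pin the exact version first, so the permission check and the start
    // refer to the same definition even if a new version is deployed in between.
    ProcessDefinition latest = repositoryService.createProcessDefinitionQuery()
        .processDefinitionKey(processDefinitionKey)
        .latestVersion()
        .singleResult();
    if (latest == null) {
      throw new IllegalArgumentException("unknown process: " + processDefinitionKey);
    }
    // Same query as in the post, restricted to the pinned definition.
    long allowed = repositoryService.createProcessDefinitionQuery()
        .processDefinitionId(latest.getId())
        .startableByUser(userId)
        .count();
    if (allowed == 0) {
      // Fail closed: definitions without a matching potentialStarter are refused.
      throw new SecurityException(userId + " may not start " + latest.getId());
    }
    return runtimeService.startProcessInstanceById(latest.getId());
  }
}
```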

Jan Galinski

Nov 29, 2013, 9:42:05 AM
to camunda-...@googlegroups.com
Thanks for the info, Daniel.

How would I solve this use case "the right way"? Can you give an example on how to use the authorization concept regarding startable services?

Thanks
Jan

Daniel Meyer

Dec 2, 2013, 9:07:25 AM
to camunda-...@googlegroups.com
Hi Jan,

sorry for not making this more clear in my initial answer: We have not implemented this feature yet based on the Authorization Service infrastructure.

Cheers,
Daniel

Jan Galinski

Dec 2, 2013, 9:35:50 AM
to camunda-...@googlegroups.com
Hi Daniel,

ah, ok. Then please: do not deprecate it :-) 
We need this use case since we have to filter processes by groups. And I believe the use case is common enough.

regards
Jan

Daniel Meyer

Oct 22, 2014, 3:04:48 AM
to camunda-...@googlegroups.com