How to use the resourceId for authorization?

[Ingo Richtsmeier]

Hi,

as a question of the customer I try to understand how authorization can be configured to allow only certain users to start process instances of process definition ABC or complete tasks of process definition ABC.

I played around with the authorizationService and created a new resource for processdefinition ABC:

    Resource processDefinitionABCAuth = new Resource() {     

   

      @Override

      public int resourceType() {

        return 10;

      }

   

      @Override

      public String resourceName() {

        return PROCESS_DEFINITION_KEY;

      }

    }; 

    Authorization auth1 = authorizationService().createNewAuthorization(Authorization.AUTH_TYPE_GRANT);

    auth1.setGroupId("management");

    auth1.setPermissions(new Permissions[] { Permissions.ACCESS, Permissions.CREATE });

    auth1.setResource(processDefinitionABCAuth);

 //   auth1.setResourceId("*"); // What to type here?

    authorizationService().saveAuthorization(auth1);

Then I did some tests against my authorization:

    identityService().setAuthenticatedUserId("john");

    assertThat(authorizationService().isUserAuthorized("john", null, Permissions.ACCESS, processDefinitionABCAuth)).isFalse();

    

    assertThat(authorizationService().isUserAuthorized("peter", Arrays.asList(new String[] {"management"}), Permissions.ACCESS, processDefinitionABCAuth)).isTrue();

The first assert is fine, the second assert fails.

Looking in the sample data, I see that each entry in ACT_RU_AUTHORIZATION has a resource_id_. Some entries have resource ID '*'. And the query will fill in '*' as parameter for resource_id_ in some cases.

Which resource id should I choose in my case? For what is resource_id_ = '*' intended?

Kind Regards, Ingo

[Sebastian Menski]

Hi Ingo,

the resource id specifies which resource instances you want to restrict and the '*' is a wildcard any resource placeholder. So if you create a

authorization for the user peter on the resource filter with GRANT, CREATE and resource id '*', you allow peter to create filter.

If you create an authorization for mary with REVOKE, READ and resource id 'filter-1', you forbid mary to read the filter with

the id 'filter-1'. Please not the the resource id is not sensible for all permissions, for example the a resource id is normally not used with

the CREATE permission. Also not that an constant for the '*' exists org.camunda.bpm.engine.authorization.Authorization#ANY.

So for your test you should uncomment the setResourceId line.

If this wasn't really understandable or your test still fails you can provide a test case so we can help you.

Cheers,

Sebastian

[Ingo Richtsmeier]

Hi Sebastian,

thanks for clarification. The next step for us is now to identify all resources that we have to check against for permission and find the spots either in the tasklist application or an engine plugin to check the permission with a call to:

authorizationService().isUserAuthorized(...)

I will post more details from our progress.

Kind Regards, Ingo

[Bernd Rücker (camunda)]

Hi Ingo.

 

From the vision the resource id could be anything – especially process definition keys, ids, activity ids and so on. So in next steps when we might extend the permission features of the engine we already have the data structure and infrastructure in place. So in the current state “only” (haha) the checking of other ressources is not yet implemented.

 

Somebody from the core-dev might correct me if that vision from the beginning has changed.

 

Cheers

Bernd

--
You received this message because you are subscribed to the Google Groups "camunda BPM users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to camunda-bpm-us...@googlegroups.com.
To post to this group, send email to camunda-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/camunda-bpm-users/5b9bd26d-a6cc-481d-aca2-218004ed079b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Daniel Meyer]

Hi Bernd,

yes, that is still the Idea / vision.

Daniel

[Ingo Richtsmeier]

From the project request I setup an example application to get a base on the discussion how to handle custom resources: https://github.com/camunda/camunda-consulting/tree/master/snippets/authorization-demo

Kind Regards, Ingo

[Sebastian Menski]

Hi Ingo,

a comment on your demo. Why do you use multiple resources? Wouldn't it be sufficient to use a single resource like 'process-definition-authorization'

with your generated ids as resource id. This way you don't have to dynamically generate resources.

Although this is just a demo please note that userTask.getCamundaCandidateGroups() will return a string with a comma-separated list of candidate groups if

there are multiple. You could use the method  userTask.getCamundaCandidateGroupsList() instead.

Cheers,

Sebastian

[Ingo Richtsmeier]

Hi Sebastian, thanks for the hint. 

I changed my example according to your suggestion. 

Kind Regards, Ingo

[mojtaba shayegh]

Hi,
is it possible to post your example I have the same requirement
 and one thing more how to enable camunda engine authorization?

[Ingo Richtsmeier]

Hi, the link to the github repository is in my post from Nov. 24th and here:  https://github.com/camunda/camunda-consulting/tree/master/snippets/authorization-demo.

Kind Regards,

Ingo