Hi @bbshb, thank you for pointing out this problem to us.

First of all, I assume you are using the tomcat distribution of the 2.1.0-alpha version, am I right? But generally for 2.0.0 or 2.1.0-SNAPSHOT the question should be similar.

Next, the old Camunda UI was accessing the database directly, through the Java libraries. In the distributed K8s setup in CIB flow, we've been using CIB seven through engine-rest, and as we've made some parts of its frontend open source, at first we've preserved that paradigm for now. But we will try to support the old way also by having another implementation of our BpmProvider interface, with the next 2.1.0 Community Edition, planned to be released at the beginning of November this year.

Camunda has been creating the distributions with the unsecured engine-rest by default, securing it only in the production configuration. For now, our distributions (e.g. tomcat) follow the same logic, with the remark "not for production". If you turn it on, with john (from sales) you will see only the "invoice" process in the list, in the fresh distribution.

Another change that we've made: we are showing not only Runtime process instances, but also the Finished ones in our Cockpit, even in the Community Edition (in Camunda it is an EE-only feature). In order to do that, we need another authorization: "Historic Process Instance". So if you allow READ and READ_HISTORY in "Process Definition" for the "payment_process" Resource ID,
and allow the group "sales" to READ the "Historic Process Instance",
you should have the same setup as in the old Camunda UI.

And one more important thing at the end: when you secure the engine-rest, you should provide the READ permission for all users to be able to access their own authorisations, otherwise they will not be able to get the permissions.
So here is the result in my setup:
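The grants listed in the reply above can be checked against an exported authorization list. The following is an added example, not code from the thread or from CIB seven: it assumes the JSON shape that engine-rest returns from `GET /authorization`, assumes the "Historic Process Instance" grant is made on resource ID `*`, and reads "READ permission for all users" as a global READ on the Authorization resource. `covers`, `missing_grants` and the sample entries are constructed for illustration.

```python
# Added example (not CIB seven or Camunda code): audit an authorization list,
# in the shape engine-rest returns from GET /authorization, for the grants
# named in the reply above.
AUTHORIZATION, PROCESS_DEFINITION, HISTORIC_PROCESS_INSTANCE = 4, 6, 20  # engine resource type ids
GLOBAL, GRANT = 0, 1  # authorization types; REVOKE (2) entries are ignored here


def covers(auth, user, groups, rtype, rid, perm):
    """True if this single entry gives `perm` on (rtype, rid) to the user or one of the groups."""
    if auth["type"] not in (GLOBAL, GRANT) or auth["resourceType"] != rtype:
        return False
    if auth["resourceId"] not in ("*", rid):
        return False
    if not {perm, "ALL"} & set(auth["permissions"]):
        return False
    if auth["type"] == GLOBAL:  # global entries apply to every user
        return True
    return auth.get("userId") == user or auth.get("groupId") in groups


def missing_grants(auths, user, groups, definition_key):
    """Return the (resourceType, resourceId, permission) tuples that no entry covers."""
    needed = [
        (PROCESS_DEFINITION, definition_key, "READ"),
        (PROCESS_DEFINITION, definition_key, "READ_HISTORY"),
        (HISTORIC_PROCESS_INSTANCE, "*", "READ"),  # assumption: granted on "*"
        (AUTHORIZATION, "*", "READ"),              # users must read their own authorizations
    ]
    return [n for n in needed if not any(covers(a, user, groups, *n) for a in auths)]


# Constructed sample data: john may read payment_process, sales may read history,
# but nobody has been allowed to read authorizations yet.
SAMPLE = [
    {"type": 1, "permissions": ["READ", "READ_HISTORY"], "userId": "john",
     "groupId": None, "resourceType": 6, "resourceId": "payment_process"},
    {"type": 1, "permissions": ["READ"], "userId": None,
     "groupId": "sales", "resourceType": 20, "resourceId": "*"},
]
GLOBAL_AUTH_READ = {"type": 0, "permissions": ["READ"], "userId": "*",
                    "groupId": None, "resourceType": 4, "resourceId": "*"}

if __name__ == "__main__":
    print(missing_grants(SAMPLE, "john", {"sales"}, "payment_process"))
    print(missing_grants(SAMPLE + [GLOBAL_AUTH_READ], "john", {"sales"}, "payment_process"))
```

REVOKE entries are not evaluated, so a result of "nothing missing" only means the grants exist, not that no revoke overrides them.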
Description
When I grant the user John permission for the cockpit in the demo and restrict him to a specific process definition, he can still view all process definitions. In the old Camunda frontend, this does not happen. There, he only sees the process definitions for which he is actually authorized.
Did I misconfigure something?
Example
Configuration
There are three processes. User Demo (Processview):
John (Sales Team) is provisioned to read and start the process "payment_process":
CIB Seven Webapp
In the CIB Seven Web App, John can see all three processes:
When he clicks on the "payment_process" he can't see anything:
Old Camunda App / Cockpit
In the Camunda Cockpit everything is showing up as expected. John can only see the "payment_process":
John can read the "payment_process":