Dynamic permission doesn't work in community version


I want to use Dynamic permission to restrict access to users. Actually, I wand to let the user access and modify only himself.
I added below codes in dynamic-permissions-checks-custom.properties.

GET|identity/user=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
POST|identity/user=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
PUT|identity/user=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
GET|identity/personalcontactdata=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
POST|identity/personalcontactdata=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
PUT|identity/personalcontactdata=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
GET|identity/professionalcontactdata=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
POST|identity/professionalcontactdata=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]
PUT|identity/professionalcontactdata=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]

My problem dynamic permission doesn't work. Is there exists in community version? I'm using Bonita Community 7.7.4.

1 answer


Hi nasrin788_1384620,

Dynamic permissions exist in the Community version all right.

Instead, I believe your problem comes from a misunderstanding of the syntax used in the dynamic-permissions-checks-custom.properties file.

As the documentation explains, once a dynamic permission is defined for a given resource, the permissions granted in the dynamic-permissions-checks-custom.properties file override all other static permission rules:

If the static authorization checks are not suitable for your applications, you can override the rules as you want using dynamic checks. A user is then granted a permission only if the dynamic check authorizes it. A dynamic check is implemented as sequence of conditions, including a Groovy script. This enables you to tailor the permissions needed to access a resource using dynamic information related to processes.

Then, this is how the syntax of each dynamic permission rule works:

A dynamic authorization check for a resource is specified by a line in the file dynamic-permissions-checks-custom.properties. The line specifies the checks to be made for a request type for a method. There can be several terms in the line. Checking stops when the system returns success, indicating that the user is authorized. For example:
POST|bpm/case=[user|william.jobs, user|walter.bates, profile|Administrator, profile|User, check|org.bonitasoft.permissions.CasePermissionRule]

This specifies that a POST action can be done for a case resource if the user is william.jobs or walter.bates, or any user with the Administrator profile, or any user with the User profile, or if the CasePermissionRule grants authorization.

So taking one of the dynamic rules you defined as an example:
GET|identity/user=[profile|User, check|org.bonitasoft.permissions.UserPermissionRule]

  • The first term to be evaluated is: profile|User. This means that all the users with a User profile will satisfy this clause, and will therefore be granted full permission regardless, whether the information accessed is their own or another user's.
  • Thus the second term (check|org.bonitasoft.permissions.UserPermissionRule) will only be evaluated for the users without a User profile, and those users will only be granted the permission to access their very own information.


  • If you seek to apply the "only grant permission to access one's own information" restriction to the users with a User profile but grant full permission to users with either Administrator or Process manager profile, you should merely uncomment the line:
    GET|identity/user=[profile|Administrator, profile|Process manager, check|org.bonitasoft.permissions.UserPermissionRule]
  • If you seed to apply the "only grant permission to access one's own information" restriction to everybody, you should define instead:

I hope this helps.