REST API doesn't check Actor configuration?


It seems the REST API doesn't check Actor Configuration.

For example, with DemandeConge3.0.0, if you create a new Case with walter.bates, he cannot see the task "Valider Demande" from the Portal; only helen.kelly can see it (as Manager of walter.bates).

But with the REST API, connected as walter.bates, he can see all Tasks via a call to ../API/bpm/humanTask?p=0&c=10

He can even take all Tasks with a PUT to ../API/bpm/humanTask/{{$item.id}} and then execute them!

It seems it's a security problem?

2 answers


Hi,

When managing the authorization on the REST API, the important thing to do is to configure the permissions checks.
Please have a look at the following documentation page: https://documentation.bonitasoft.com/bonita/7.11/rest-api-authorization

In your case, if you want to restrict access to the following REST APIs, you need to activate dynamic authorization checking. Here's how to do it:

1. Run setup.sh pull.

2. Edit security-config.properties : ./setup/platform_conf/current/tenant_template_portal/security-config.properties

3. Make sure this line is set to true:
security.rest.api.authorizations.check.enabled true

4. Then edit the file: platform_conf/current/tenants/1/tenant_portal/dynamic-permissions-checks-custom.properties

5. Uncomment the following lines:
GET|bpm/process/*/instantiation=[profile|Administrator, check|org.bonitasoft.permissions.ProcessInstantiationPermissionRule]
POST|bpm/process/*/instantiation=[profile|Administrator, check|org.bonitasoft.permissions.ProcessInstantiationPermissionRule]
And:
GET|bpm/humanTask=[profile|Administrator, check|org.bonitasoft.permissions.TaskPermissionRule]
PUT|bpm/humanTask=[profile|Administrator, check|org.bonitasoft.permissions.TaskPermissionRule]

6. Then save the changes and run setup.sh push.

This will restrict the following API accesses to only the users that are allowed to use them (i.e. tasks assigned or pending to them, or processes they deployed or supervise):
API/bpm/humanTask
API/bpm/process/*/instantiation

Most Bonita users uncomment the entire file on production environments, so that the permissions are much more restrictive. It's up to you to decide which APIs the users can access or not.

Feel free to consult this documentation page ( https://documentation.bonitasoft.com/bonita/7.11/rest-api-authorization ). I know it is very dense, but it's full of very useful information on how to manage the permissions on your platform.

I hope this helps,


Thank you for this information, I hadn't seen this documentation.

Best regards
