In our application, we instantiate the process via REST API. In the process configuration, an actor is set as ‘initiator’ configured with actor mapping. But these settings do not seem to apply the authorization to instantiate the process, and any Bonita user (though not qualifying for the actor mapping filter) belonging to the installed organization was able to instantiate the process.
Thanks in advance,
Raji Malla
Hi Raji,
Which users have you mapped to start the process? By default, Actor mapping is to everybody in the organization.
Right, using the REST API anybody can start a process. You’ll need to get the actor id from the process definition (REST call …/API/bpm/process) and then search for the actorMembers (REST call … /API/bpm/actorMemberEntry) using the actor id. Then for each actorMember find the associated users. For more information on those REST APIs see:
https://documentation.bonitasoft.com/bonita/7.6/bpm-api#toc19
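The check described in the reply above, written from the user's side (does this user match any actor member entry of the initiator actor?), as an added example that is not part of the original post and is not Bonita code. The record field names, the "-1" marker for an unused id, exact group-id matching, and the helper names `member_matches` and `may_start` are assumptions; all records are constructed sample data standing in for REST responses.

```python
UNSET = "-1"  # assumption: an unused id field in an actor member record is "-1"

def member_matches(entry, user_id, memberships):
    """True if one actor member entry covers the user.

    memberships is the user's set of (group_id, role_id) pairs.
    """
    uid, gid, rid = entry["user_id"], entry["group_id"], entry["role_id"]
    if uid != UNSET:                      # entry maps a single user
        return uid == user_id
    if gid != UNSET and rid != UNSET:     # entry maps a role within a group
        return (gid, rid) in memberships
    if gid != UNSET:                      # entry maps a whole group
        return any(g == gid for g, _ in memberships)
    if rid != UNSET:                      # entry maps a whole role
        return any(r == rid for _, r in memberships)
    return False                          # malformed entry: deny

def may_start(user_id, user_memberships, initiator_actor_id, actor_members):
    """Decide, before calling the instantiation API, whether the user is mapped
    to the initiator actor. Entries of other actors are ignored."""
    memberships = {(m["group_id"], m["role_id"]) for m in user_memberships}
    return any(
        e["actor_id"] == initiator_actor_id
        and member_matches(e, user_id, memberships)
        for e in actor_members
    )

# Constructed sample data: actor "7" is the initiator, actor "8" is another actor.
ACTOR_MEMBERS = [
    {"actor_id": "7", "user_id": "101", "group_id": "-1", "role_id": "-1"},
    {"actor_id": "7", "user_id": "-1", "group_id": "3", "role_id": "2"},
    {"actor_id": "8", "user_id": "-1", "group_id": "4", "role_id": "-1"},
]
MEMBERSHIPS = {
    "101": [],
    "102": [{"group_id": "3", "role_id": "2"}],
    "103": [{"group_id": "3", "role_id": "1"}],   # right group, wrong role
    "104": [{"group_id": "4", "role_id": "1"}],   # mapped to actor 8 only
}

if __name__ == "__main__":
    for uid, ms in MEMBERSHIPS.items():
        print(uid, may_start(uid, ms, "7", ACTOR_MEMBERS))
```

The application backend would run this decision for the authenticated caller and refuse the request itself when it returns False, instead of forwarding the instantiation call.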
Hi Joe,
I have configured a membership for the actor (set as the initiator) in the “Actor Mapping” for the process. My expectation was only the users having the membership will be able to start the process via REST API.
**NOTE:** In the Bonita portal, the process is visible only to the users having the membership as defined in the actor mapping, but via REST API, any user in the organization was able to instantiate the process.
Thanks Joe.
Yes, that’s the workaround I have considered too, but I wanted to know if Bonita offers any other settings or configurations so that the instantiation call would throw an unauthorized error.