Unable to Have correct Dynamic Security Check "check|org.bonitasoft.permissions.ProcessInstantiationPermissionRule"

Q&A
1

Hi,

I'm trying to set Dynamic Security Check for REST API in dynamic-permissions-checks-custom.properties but it don't works! 

I've configured: 

GET|bpm/humanTask=[profile|Administrator, user|jmd, check|org.bonitasoft.permissions.TaskPermissionRule]  
PUT|bpm/humanTask=[profile|Administrator, user|jmd, check|org.bonitasoft.permissions.TaskPermissionRule]

Security is OK for user jmd if I especially insert it into the file, but Lane Actors doesn't have correct Access. 

In the Lane I've defined an Actor "User Manager"  

I've configured an Actor Association between "User Manager" Actor" and Members of the Group "/bonita/user_user"  

Users jmd and ppa are members of the group "/bonita/user_user"  

Only jmd have correct access to humanTasks, ppa cannot see any Task! 

The "check|org.bonitasoft.permissions.TaskPermissionRule" don't give acces to jmd and ppa, only direct configuration like "user|jmd" is working. 

 

I can see the error in the log but without the reason:  

[2020-09-14 14:42:55.300] [FINEST ] Unauthorized access to GET bpm/humanTask attempted by ppa Permission script: org.bonitasoft.permissions.TaskPermissionRule     (logger: org.bonitasoft.console.common.server.login.filter.AbstractAuthorizationFilter)

 

How can I analyze an solve this problem?

Best regards

 

2

Hello,

there are 2 distinct concepts:

  • authorization to access a specific api, that you want to manage directly through dynamic-permissions, 
  • task assignment (aka actor mapping )

When you run the process and your example task is activated, it will be available to all the users of the /bonita/user_user group (actor mapping), so also to ppa.

from your configuration of  dynamic-permissions-checks-custom.properties you are giving access to your human tasks API (GET and PUT) to all users having Administrator profile, to the user jmd and to the result of the script TaskPermissionRule.

Can you try to add ppa to the profile "Administrator" and see what happens?

 

Hope it helps,

cheers

 

3

Hi Enrico,

If I add ppa to Administrator Profile he can access the Task List (via REST) but I don't understand why I have to add it to Administator Profile or add it as user in dynamic-permissions-checks-custom.properties to give it access to Tasks.

He is member of /bonita/user_user group but cant read Task List.

If ppa use Bonita Portal, he can  view the Tasks, but not via REST!

Best regards