Identity and access management in Camunda 8
Use Identity access control to provide secure access for authorized users and systems in Camunda 8.
Identity types in Camunda 8
There are two types of Identity in Camunda 8.
Identity type | Description |
---|---|
Orchestration Cluster Identity | Used for authenticating and authorizing users and systems that interact with the Orchestration Cluster (such as Zeebe, Operate, Tasklist, and the Orchestration Cluster REST API). Identity governs access to process execution, task management, and related runtime resources. |
Management Identity | Used for managing the components Web Modeler, Console, and Optimize. Management Identity is typically required for platform administrators and developers, and is separate from the Identities used for process orchestration. |
Understanding which Identity is required for a given action helps you apply the correct access control policies.
Identity provider (IdP) integration
In a typical production setup, both the Orchestration Cluster Identity and the Management Identity are integrated with an external OIDC identity provider (such as Microsoft Entra ID). This approach enables unified user management, single sign-on (SSO), and consistent security policies across all Camunda components.
Identity type | Description | Default IdP | External IdP support |
---|---|---|---|
Orchestration Cluster Identity | Provides built-in user management, allowing you to manage users and groups directly within Camunda. Supports integration with external identity providers (IdPs) via OpenID Connect (OIDC). This allows you to connect Camunda to enterprise IdPs such as Microsoft Entra ID (Azure AD), Okta, and more for centralized authentication and user management. | Built-in user management | OIDC integration with enterprise IdPs (Microsoft Entra ID, Okta, and more) |
Management Identity | Uses Keycloak as the default IdP, but can also be configured to use an external IdP via OIDC. This flexibility allows your organization to align Camunda's management interfaces with your existing identity and access management strategies. | Keycloak | OIDC integration with external IdPs |
Authentication vs. authorization
The two fundamental concepts involved in access control in Camunda 8 are authentication and authorization.
Authentication
Authentication is the process of verifying the identity of a user or system.
It answers the question: Who are you?
For example, logging in with a username and password, or using single sign-on (SSO).
Authorization
Authorization determines what an authenticated user or system is allowed to do.
It answers the question: What are you allowed to do?
For example, viewing process data, starting a process instance, or accessing the Operate application.
Identity type | Authorization model | Description | Management interface |
---|---|---|---|
Orchestration Cluster Identity | Fine-grained permission system | Controls access to applications, APIs, and resources through specific permissions for each resource type and action. | Camunda Identity UI or API |
Management Identity | Role-based access control (RBAC) | Uses predefined roles and permissions that can be assigned to users and groups. | Keycloak admin console or external IdP |
How authentication and authorization work together
- Authentication happens first: the system verifies your identity.
- Authorization comes after: the system checks whether you have permission for the requested action or resource.
A user must be both authenticated and authorized to access protected resources in Camunda 8.
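The following Python is an added example, not code from Camunda, that models the two-step check described above: a bearer token is first verified (signature, issuer, audience, expiry), and only an authenticated principal is then looked up in a fine-grained permission table keyed by resource type, permission, and resource ID, in the spirit of the Orchestration Cluster authorization model in the table above. Everything in it is an assumption for illustration: the HS256 shared-secret signing (a real OIDC deployment verifies RS256 signatures against the IdP's JWKS), the issuer URL, the resource type and permission names, and the permission entries themselves.

```python
"""Added example (not Camunda's own code): authenticate, then authorize.

Assumptions (not from the page):
- Tokens are HS256-signed JWTs minted by a hypothetical IdP and verified with
  a shared secret. Real OIDC IdPs sign with RS256; verify against their JWKS.
- Permissions are a constructed set of (owner, resource type, permission,
  resource id) tuples. The resource type and permission names are illustrative.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"            # constructed for the example only
ISSUER = "https://idp.example.test/"      # hypothetical IdP issuer
AUDIENCE = "orchestration-cluster"        # hypothetical audience claim


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, groups, exp_offset: int = 300) -> str:
    """Constructed stand-in for the IdP: returns an HS256 JWT for `subject`."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "groups": list(groups), "exp": int(time.time()) + exp_offset}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class AuthError(Exception):
    """Carries an HTTP-style status: 401 (not authenticated) or 403 (not authorized)."""

    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


def authenticate(token: str) -> dict:
    """Step 1 - who are you? Verify signature, issuer, audience and expiry.
    Returns the validated claims; raises AuthError(401) on any failure."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, TypeError):
        raise AuthError(401, "malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError(401, "unsupported alg")   # never honour an alg chosen by the token
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError(401, "bad signature")     # only parse claims after the MAC checks out
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise AuthError(401, "wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise AuthError(401, "token expired")
    if "sub" not in claims:
        raise AuthError(401, "no subject")
    return claims


# Constructed permission table: (owner, resource type, permission, resource id).
# "*" as resource id grants the permission on every resource of that type.
PERMISSIONS = {
    ("user:alice", "process-definition", "READ", "*"),
    ("user:alice", "process-definition", "CREATE_PROCESS_INSTANCE", "order-process"),
    ("group:operators", "application", "ACCESS", "operate"),
}


def authorize(claims: dict, resource_type: str, permission: str, resource_id: str) -> bool:
    """Step 2 - what may you do? Deny by default; grant only on an explicit
    entry for the user or one of the user's groups."""
    owners = [f"user:{claims['sub']}"] + [f"group:{g}" for g in claims.get("groups", [])]
    return any((owner, resource_type, permission, rid) in PERMISSIONS
               for owner in owners for rid in (resource_id, "*"))


def access(token: str, resource_type: str, permission: str, resource_id: str) -> int:
    """Full check in the order the page describes: 401 before 403, 200 on success."""
    try:
        claims = authenticate(token)
    except AuthError as e:
        return e.status
    if not authorize(claims, resource_type, permission, resource_id):
        return 403
    return 200
```

The ordering matters for what a caller learns: a request with a bad or expired token gets 401 before any permission lookup runs, so an unauthenticated client cannot probe which resource IDs exist, while an authenticated but unauthorized one gets 403 from a deny-by-default table that only grants on an exact owner, resource type, permission and resource ID (or wildcard) match.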
To learn more about authorization and how to configure permissions, see Orchestration Cluster authorization.