Manage access and permissions

With Management Identity, you can manage and control access to management and modeling component REST APIs and custom applications using permissions and roles.

note

This section describes how to manage access to Web Modeler, Console, and Optimize. For access control to Orchestration Cluster components and their resources, refer to the Orchestration Cluster authorizations instead.

About permissions

When using and managing permissions, it is important to understand the following key concepts:

• APIs represent the different Camunda 8 management and modeling components, such as Web Modeler, Optimize, and so on.
• Each API defines its own set of permissions that to control API access.
• Permissions are organized using roles that can be assigned to users either directly or via Groups.
• You can also assign permissions to your custom application, such as a job worker for example.

tip

For detailed instructions, see the guide about managing permissions.

Permissions

Each API (representing a component) defines its own set of permissions to control API access.

The following permissions are available:

Component	API	Permissions available
Management Identity	Camunda Identity Resource Server	read: Read access to Management Identity UI read:users: Access only the Users UI and related subpages. write: Write access to Management Identity UI.
Optimize	Optimize API	write:*: Read and Write access to Optimize UI and APIs.
Web Modeler	Web Modeler Internal API	write:*: Access to Web Modeler UI, further managed by project permissions. admin:*: Elevated access to Web Modeler UI (see super-user mode and publishing connector templates).
Web Modeler	Web Modeler API	create:*: Access to POST endpoints of the API. read:*: Access to GET endpoints of the API. update:*: Access to PATCH and PUT endpoints of the API. delete:*: Access to DELETE endpoints of the API.

note

Permissions granted to a user or M2M application are added to the permissions.{audience} claim of the access token.