# Admin: Identity as Code

This page explains how to configure Identity as Code in the Camunda 8 Self-Managed Orchestration Cluster. Use Identity as Code to create users, roles, groups, authorizations, mapping rules, and tenants at application start.

## Use cases

Identity as Code simplifies configuring Self-Managed orchestration clusters across multiple stages. You can create all identity-related entities on one stage and then deploy them to other stages without further interaction, reducing the chance of error.

Another use case is local development, where a cluster might be recreated regularly.

After Admin creates an entity, changing its configuration does not update the existing entity. Admin checks only the ID to decide whether an entity already exists.

When you deploy with Helm, the most reliable approach is to provide Identity as Code settings through application configs using `orchestration.extraConfiguration`. The Helm examples below use this pattern so you can apply the same approach consistently across all entity types.
## Configure authorizations

**Environment variables**

```bash
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_OWNER_TYPE=USER
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_OWNER_ID=john.doe
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_RESOURCE_TYPE=RESOURCE
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_RESOURCE_ID=*
CAMUNDA_SECURITY_INITIALIZATION_AUTHORIZATIONS_0_PERMISSIONS=CREATE,READ
```

**Helm values**

```yaml
orchestration:
  extraConfiguration:
    - file: identity-as-code.yaml
      content: |
        camunda:
          security:
            initialization:
              authorizations:
                - ownerType: USER
                  ownerId: john.doe
                  resourceType: RESOURCE
                  resourceId: "*"
                  permissions:
                    - CREATE
                    - READ
```
## Configure groups

**Environment variables**

```bash
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_GROUP_ID=test-group
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_NAME="Test Group"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_DESCRIPTION="A cool test group!"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_CLIENTS="ClientA,ClientB,ClientC"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_MAPPING_RULES="RuleA,RuleB,RuleC"
CAMUNDA_SECURITY_INITIALIZATION_GROUPS_0_USERS="UserA,UserB,UserC"
```

**Helm values**

```yaml
orchestration:
  extraConfiguration:
    - file: identity-as-code.yaml
      content: |
        camunda:
          security:
            initialization:
              groups:
                - groupId: test-group
                  name: Test Group
                  description: A cool test group!
                  clients:
                    - ClientA
                    - ClientB
                    - ClientC
                  mappingRules:
                    - RuleA
                    - RuleB
                    - RuleC
                  users:
                    - UserA
                    - UserB
                    - UserC
```
## Configure mapping rules

**Environment variables**

```bash
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMNAME=isAllowedToDoStuff
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMVALUE=true
CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_MAPPINGRULEID=my-mapping-rule
```

**Helm values**

```yaml
orchestration:
  extraConfiguration:
    - file: identity-as-code.yaml
      content: |
        camunda:
          security:
            initialization:
              mappingRules:
                - claimName: isAllowedToDoStuff
                  claimValue: "true"
                  mappingRuleId: my-mapping-rule
```
## Configure roles

**Environment variables**

```bash
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_ROLE_ID=test-role
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_NAME="Test Role"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_DESCRIPTION="A cool test role!"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_CLIENTS="client1,client2"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_GROUPS="group1,group2"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_MAPPING_RULES="m1,m2"
CAMUNDA_SECURITY_INITIALIZATION_ROLES_0_USERS="UserA,UserB,UserC"
```

**Helm values**

```yaml
orchestration:
  extraConfiguration:
    - file: identity-as-code.yaml
      content: |
        camunda:
          security:
            initialization:
              roles:
                - roleId: test-role
                  name: Test Role
                  description: A cool test role!
                  clients:
                    - client1
                    - client2
                  groups:
                    - group1
                    - group2
                  mappingRules:
                    - m1
                    - m2
                  users:
                    - UserA
                    - UserB
                    - UserC
```
## Configure tenants

**Environment variables**

```bash
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_TENANT_ID=tenantId
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_NAME="test tenant"
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_DESCRIPTION="test tenant description"
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_CLIENTS='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_GROUPS='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_MAPPING_RULES='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_ROLES='R1,R2,R3,R4'
CAMUNDA_SECURITY_INITIALIZATION_TENANTS_0_USERS='UserA,UserB,UserC'
```

**Helm values**

```yaml
orchestration:
  extraConfiguration:
    - file: identity-as-code.yaml
      content: |
        camunda:
          security:
            initialization:
              tenants:
                - tenantId: tenantId
                  name: test tenant
                  description: test tenant description
                  clients:
                    - R1
                    - R2
                    - R3
                    - R4
                  groups:
                    - R1
                    - R2
                    - R3
                    - R4
                  mappingRules:
                    - R1
                    - R2
                    - R3
                    - R4
                  roles:
                    - R1
                    - R2
                    - R3
                    - R4
                  users:
                    - UserA
                    - UserB
                    - UserC
```
## Configure users

When configuring users, never hardcode the password. Resolve it from a vault instead.

**Environment variables**

```bash
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_EMAIL=john.doe@example.com
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_NAME="john doe"
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_PASSWORD=*****
CAMUNDA_SECURITY_INITIALIZATION_USERS_0_USERNAME=john.doe
```

**Helm values**

```yaml
orchestration:
  extraConfiguration:
    - file: identity-as-code.yaml
      content: |
        camunda:
          security:
            initialization:
              users:
                - email: john.doe@example.com
                  name: John Doe
                  password: "*****"
                  username: john.doe
```
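As an added example (not part of the Camunda documentation or product), a small Python linter that reviews an `initialization` block, already parsed into a dict, for the pitfalls discussed on this page: duplicate IDs, which Admin would silently skip because it matches on ID only; hardcoded user passwords; wildcard authorizations; and group, role or tenant members that reference entities the file does not define. Treating a `${...}` placeholder as a vault-resolved password is an assumption, and the sample config is constructed to mirror the examples above.

```python
from collections import Counter

def lint_initialization(init: dict) -> list[str]:
    """Findings for a camunda.security.initialization block: duplicate IDs (Admin
    matches on ID only, so a repeated ID is ignored), hardcoded passwords,
    wildcard authorizations, and references to entities this file does not define."""
    findings = []
    users = [u["username"] for u in init.get("users", [])]
    groups = [g["groupId"] for g in init.get("groups", [])]
    roles = [r["roleId"] for r in init.get("roles", [])]
    rules = [m["mappingRuleId"] for m in init.get("mappingRules", [])]
    tenants = [t["tenantId"] for t in init.get("tenants", [])]
    for kind, ids in (("user", users), ("group", groups), ("role", roles),
                      ("mappingRule", rules), ("tenant", tenants)):
        for dup in (i for i, n in Counter(ids).items() if n > 1):
            findings.append(f"duplicate {kind} id '{dup}': later entry is ignored")
    # Assumption: a ${...} placeholder means the value is resolved from a vault at start.
    for u in init.get("users", []):
        pw = str(u.get("password", ""))
        if not (pw.startswith("${") and pw.endswith("}")):
            findings.append(f"user '{u['username']}': password is hardcoded")
    for a in init.get("authorizations", []):
        if a.get("resourceId") == "*":
            findings.append(f"authorization for {a['ownerType']} '{a['ownerId']}': "
                            f"wildcard resourceId grants {','.join(a.get('permissions', []))} "
                            f"on every {a['resourceType']}")
    # Referenced members may already exist in the cluster, so these are warnings only.
    known = {"users": users, "groups": groups, "roles": roles, "mappingRules": rules}
    for kind in ("groups", "roles", "tenants"):
        for ent in init.get(kind, []):
            ent_id = ent.get("groupId") or ent.get("roleId") or ent.get("tenantId")
            for field, ids in known.items():
                for ref in ent.get(field, []):
                    if ref not in ids:
                        findings.append(f"{kind[:-1]} '{ent_id}' references {field} "
                                        f"'{ref}', which is not defined in this file")
    return findings

# Constructed sample that mirrors the page's examples; not a real deployment.
SAMPLE = {
    "users": [{"username": "john.doe", "name": "John Doe",
               "email": "john.doe@example.com", "password": "*****"}],
    "groups": [{"groupId": "test-group", "name": "Test Group",
                "users": ["john.doe", "UserB"], "mappingRules": ["my-mapping-rule"]}],
    "mappingRules": [{"mappingRuleId": "my-mapping-rule",
                      "claimName": "isAllowedToDoStuff", "claimValue": "true"}],
    "authorizations": [{"ownerType": "USER", "ownerId": "john.doe",
                        "resourceType": "RESOURCE", "resourceId": "*",
                        "permissions": ["CREATE", "READ"]}],
}
```

Running `lint_initialization(SAMPLE)` reports the masked password as hardcoded, the `*` authorization as a wildcard grant, and `UserB` as a group member the file never defines.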