Version: 8.7

Resource authorizations

Use resource authorizations to configure resource-level access to Camunda 8 entities.

Supported resource authorizations

The following resource authorizations are currently supported:

| Resource type | Permissions | Resource ID | Description |
| --- | --- | --- | --- |
| Process | Read | Process ID or * (wildcard) | Show Process Definition and Process instance Data in Operate UI |
| Process | Delete | Process ID or * (wildcard) | Delete Process Definitions via Operate UI |
| Process | Update process instance | Process ID or * (wildcard) | Update Process instance data via Operate UI |
| Process | Delete process instance | Process ID or * (wildcard) | Delete Process instance via Operate UI |
| Process | Start process instance | Process ID or * (wildcard) | Start Process instance via Tasklist UI |
| Decision | Read | Decision ID or * (wildcard) | Show Decision Definition and Decision Instance Data in Operate UI |
| Decision | Delete | Decision ID or * (wildcard) | Delete Decision Definitions via Operate UI |

Resource authorizations are only supported when running Identity with Keycloak as an IdP.

Note: Resource authorizations are disabled by default. You can enable them using environment variables. This feature must be enabled in all required components, see:

You must also configure a database for Identity to use resource authorizations.

Manage resource authorizations

Resource authorizations can be configured for an individual user or a group. Below we show you how to create authorizations for both:

  1. Log in to the Identity UI and navigate to the Groups tab. Select the group you would like to create an authorization for from the table, and click on the Authorizations tab.

  2. Click Create resource authorization and a modal will open. Select the type of resource you are creating an authorization for, and click Next.

  3. Input the ID of the resource you would like to create an authorization for, select the resource from the list, and click Next.

Tip: Want to apply an authorization to a wide range of resources? We support a wildcard character * to match any resource.

Partial matching, for example my-resource*, is not supported.

  4. Select the permissions you would like to assign, and click Create.

On confirmation, the modal closes, the table updates, and your authorization is shown.
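The matching rule described above (exact resource ID or a lone `*`, no partial matching), modeled as an added example that is not Camunda's own code, together with a small access-review check for wildcard grants. The `Authorization` record, the function names, the deny-when-nothing-matches behavior and the sample owners and IDs are assumptions made for illustration; the permission names come from the table on this page.

```python
from dataclasses import dataclass

WILDCARD = "*"  # the only wildcard form the page documents
# Permission names per resource type, copied from the table on this page.
PERMISSIONS = {
    "Process": {"Read", "Delete", "Update process instance",
                "Delete process instance", "Start process instance"},
    "Decision": {"Read", "Delete"},
}

@dataclass(frozen=True)
class Authorization:
    owner: str  # user or group name (constructed sample values below)
    resource_type: str
    resource_id: str
    permissions: frozenset

def is_allowed(auths, owners, resource_type, resource_id, permission):
    """True if an authorization held by any of `owners` grants `permission`.
    An entry matches on the exact ID or on a lone "*"; "invoice*" is compared
    literally. No matching entry means no access (assumption of this model).
    """
    for a in auths:
        if a.owner not in owners or a.resource_type != resource_type:
            continue
        if a.resource_id in (WILDCARD, resource_id) and permission in a.permissions:
            return True
    return False

def review(auths):
    """Return (authorization, reason) pairs worth a second look in an access review."""
    findings = []
    for a in auths:
        unknown = a.permissions - PERMISSIONS.get(a.resource_type, set())
        if unknown:
            findings.append((a, "unknown permission: " + ", ".join(sorted(unknown))))
        if a.resource_id == WILDCARD and any(p.startswith("Delete") for p in a.permissions):
            findings.append((a, "wildcard grant includes a delete permission"))
        elif WILDCARD in a.resource_id and a.resource_id != WILDCARD:
            findings.append((a, "partial wildcard is not a pattern"))
    return findings

# Constructed sample data, not exported from a real Identity instance.
SAMPLE = [
    Authorization("ops", "Process", "*", frozenset({"Read", "Delete process instance"})),
    Authorization("billing", "Process", "invoice*", frozenset({"Read"})),
    Authorization("billing", "Process", "invoice-approval", frozenset({"Read", "Start process instance"})),
    Authorization("alice", "Decision", "credit-check", frozenset({"Read"})),
]
```

Pass a user's own name plus the names of their groups as `owners`, since authorizations can be held by either.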