Resource authorizations
Use resource authorizations to configure resource-level access to Camunda 8 entities.
Supported resource authorizations
The following resource authorizations are currently supported:
Resource type | Permissions | Resource ID | Description |
---|---|---|---|
Process | Read | Process ID or * (wildcard) | Show process definition and process instance data in Operate UI |
Process | Delete | Process ID or * (wildcard) | Delete process definitions via Operate UI |
Process | Update process instance | Process ID or * (wildcard) | Update process instance data via Operate UI |
Process | Delete process instance | Process ID or * (wildcard) | Delete process instance via Operate UI |
Process | Start process instance | Process ID or * (wildcard) | Start process instance via Tasklist UI |
Decision | Read | Decision ID or * (wildcard) | Show decision definition and decision instance data in Operate UI |
Decision | Delete | Decision ID or * (wildcard) | Delete decision definitions via Operate UI |
Resource authorizations are only supported when running Identity with Keycloak as an IdP.
Resource authorizations are disabled by default. You can enable them using environment variables. This feature must be enabled in all required components, see:
You must also configure a database for Identity to use resource authorizations.
Manage resource authorizations
Resource authorizations can be configured for an individual user or a group. Below we show you how to create authorizations for both:
Groups

- Log in to the Identity UI and navigate to the Groups tab. Select the group you would like to create an authorization for from the table, and click on the Authorizations tab.
- Click Create resource authorization and a modal will open. Select the type of resource you are creating an authorization for, and click Next.
- Input the ID of the resource you would like to create an authorization for, select the resource from the list, and click Next.
  Want to apply an authorization to a wide range of resources? We support a wildcard character * to match any resource. Partial matching, for example my-resource*, is not supported.
- Select the permissions you would like to assign, and click Create.

On confirmation, the modal closes, the table updates, and your authorization is shown.

Users

- Log in to the Identity UI and navigate to the Users tab. Select the user you would like to create an authorization for from the table, and click on the Authorizations tab.
- Click Create resource authorization and a modal will open. Select the type of resource you are creating an authorization for, and click Next.
- Input the ID of the resource you would like to create an authorization for, select the resource from the list, and click Next.
  Want to apply an authorization to a wide range of resources? We support a wildcard character * to match any resource. Partial matching, for example my-resource*, is not supported.
- Select the permissions you would like to assign, and click Create.

On confirmation, the modal closes, the table updates, and your authorization is shown.
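
The wildcard rule and the table of supported authorizations can be modelled as a small checker that validates a list of entries and answers what each one grants. This is an added example, not Camunda Identity code: the `Authorization` record, the `user:`/`group:` owner prefixes, the union of user and group grants, and treating a partial pattern as granting nothing are assumptions, and the sample entries are constructed.

```python
from dataclasses import dataclass

# Resource types and permissions from the table of supported authorizations.
SUPPORTED = {
    "process": {"read", "delete", "update process instance",
                "delete process instance", "start process instance"},
    "decision": {"read", "delete"},
}

@dataclass(frozen=True)
class Authorization:      # hypothetical record shape, not Identity's schema
    owner: str            # assumed form: "user:<name>" or "group:<name>"
    resource_type: str
    resource_id: str      # an exact ID, or "*" on its own
    permissions: tuple

def validate(auth):
    """Return the problems found in one entry (empty list if valid)."""
    allowed = SUPPORTED.get(auth.resource_type.lower())
    if allowed is None:
        return [f"unsupported resource type {auth.resource_type!r}"]
    problems = [f"{p!r} is not a {auth.resource_type} permission"
                for p in auth.permissions if p.lower() not in allowed]
    if "*" in auth.resource_id and auth.resource_id != "*":
        problems.append(f"partial wildcard {auth.resource_id!r} is not supported")
    return problems

def is_allowed(auths, user, groups, resource_type, resource_id, permission):
    """True if the user, or one of their groups, holds the permission."""
    owners = {f"user:{user}"} | {f"group:{g}" for g in groups}
    for a in auths:
        if a.owner not in owners or validate(a):
            continue      # other principal, or invalid entry: grants nothing
        if (a.resource_type.lower() == resource_type.lower()
                and a.resource_id in ("*", resource_id)
                and permission.lower() in {p.lower() for p in a.permissions}):
            return True
    return False

def wildcard_grants(auths):
    """Entries that cover every resource of a type; review these first."""
    return [a for a in auths if a.resource_id == "*"]

SAMPLE = [  # constructed entries for illustration
    Authorization("group:ops", "Process", "*", ("Read",)),
    Authorization("user:dana", "Process", "invoice", ("Read", "Delete process instance")),
    Authorization("user:dana", "Process", "order-*", ("Read",)),
    Authorization("user:dana", "Decision", "risk", ("Start process instance",)),
]
```
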