Skip to main content
Version: 8.6

Authentication and authorization

Operate provides three ways to authenticate:

  1. User information stored in Elasticsearch
  2. Lightweight Directory Access Protocol (LDAP)
  3. Identity Authentication and Authorization

By default, user storage in Elasticsearch is enabled.

In this mode, the user authenticates with a username and password stored in Elasticsearch.

The Userid, displayName, password, and roles for one user may be set in application.yml:

camunda.operate:
userId: anUserId
displayName: nameShownInWebpage
password: aPassword
roles:
- OWNER
- USER

Currently, OPERATOR, OWNER, and USER roles are available.

Roles for users

NameDescription
OWNERFull access
OPERATORRead and write access
USERRead only access

On startup of Operate, the user is created if they did not exist before.

By default, three users are created:

  • Role OWNER with userId/displayName/password demo/demo/demo.
  • Role OPERATOR with userId/displayName/password act/act/act.
  • Role USER with userId/displayName/password view/view/view.

Add more users directly to Elasticsearch via the index operate-user-<version>_. The password must be encoded with a strong bcrypt hashing function.