3 Replies Latest reply on May 13, 2009 5:59 AM by tom.baeyens

    Task assignment privileges

    heiko.braun

      Who is privileged to assign (not claim) or reassign a task?
      How does this relate to "candidate-group" or "candidate-user" declarations?

        • 1. Re: Task assignment privileges
          tom.baeyens

          authorization is out of scope for GA. for now we can just let anyone reassign.

          • 2. Re: Task assignment privileges
            heiko.braun

            I am not asking for the scope. I am asking for an explanation of the concepts in place and their relation to each other. Regardless of whether we put it into GA or not.

            • 3. Re: Task assignment privileges
              tom.baeyens

              i think that can depend on a lot of factors.

              some determine this by static authorization role. e.g. if you are a 'manager' then you can do that.

              in other scenarios it might depend on the identity component group membership. e.g. reassignment is only allowed within your team

              i don't see a single way on how we'll be able to tell who is allowed to assign/reassign a task. so our strategy then is typically to make it pluggable.

              pluggable authorization is already a part of the command based service methods. the idea is that an authorization interceptor would delegate to some custom configured AuthenticationSession like this:

              public class AuthorizationInterceptor extends Interceptor {

                public <T> T execute(Command<T> command) {
                  // fail closed: without an environment there is nothing to check against
                  Environment environment = Environment.getCurrent();
                  if (environment==null) {
                    throw new JbpmException("no environment for verifying authorization");
                  }
                  // the AuthorizationSession is the pluggable part, looked up from the environment
                  AuthorizationSession authorizationSession = environment.get(AuthorizationSession.class);
                  if (authorizationSession==null) {
                    throw new JbpmException("no AuthorizationSession in environment for verifying authorization");
                  }
                  authorizationSession.checkPermission(command, environment);
                  // if the authorization check succeeded, proceed
                  return next.execute(command);
                }

              }


              but i don't think we have a binding or documentation for this yet. don't think that is a priority.

              does that answer your question ?
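
The two strategies named in the last reply (a static role, and reassignment only within a team) sketched as interchangeable policies behind one fail-closed check. This is an added example, not code from the thread or from jBPM; every type and method name here is hypothetical and the identity data is constructed.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical names throughout; none of these types are jBPM API.
public class ReassignPolicyDemo {

  /** Pluggable decision point: may `actor` move a task from `from` to `to`? */
  interface ReassignPolicy {
    boolean mayReassign(String actor, String from, String to);
  }

  /** Static-role strategy: only holders of one role may reassign. */
  static ReassignPolicy roleBased(Map<String, Set<String>> rolesByUser, String requiredRole) {
    return (actor, from, to) ->
        rolesByUser.getOrDefault(actor, Set.of()).contains(requiredRole);
  }

  /** Group-membership strategy: actor, current and new assignee share a team. */
  static ReassignPolicy sameTeam(Map<String, Set<String>> membersByTeam) {
    return (actor, from, to) -> membersByTeam.values().stream()
        .anyMatch(team -> team.contains(actor) && team.contains(from) && team.contains(to));
  }

  /** Fail closed: a missing policy and a denial both raise instead of proceeding. */
  static void checkReassign(ReassignPolicy policy, String actor, String from, String to) {
    if (policy == null) {
      throw new IllegalStateException("no ReassignPolicy configured");
    }
    if (!policy.mayReassign(actor, from, to)) {
      throw new SecurityException(actor + " may not reassign task from " + from + " to " + to);
    }
  }

  public static void main(String[] args) {
    // Constructed sample identity data.
    Map<String, Set<String>> roles = Map.of("alice", Set.of("manager"), "bob", Set.of("clerk"));
    Map<String, Set<String>> teams = Map.of("sales", Set.of("bob", "carol"), "hr", Set.of("dave"));

    checkReassign(roleBased(roles, "manager"), "alice", "bob", "dave"); // allowed by role
    checkReassign(sameTeam(teams), "bob", "bob", "carol");              // allowed within team
    try {
      checkReassign(sameTeam(teams), "bob", "bob", "dave");             // crosses teams
    } catch (SecurityException e) {
      System.out.println("denied: " + e.getMessage());
    }
  }
}
```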