hi,

I have a centralized Guvnor5.5 environment where multiple applications access the Guvnor through rest api for their respective assets and BAs access Guvnor's WEB UI to create/modify process definitions. From Guvnor's WEB UI I can define "User and Permissions" and users accessing the web UI are accessing based on the permissions defined for them. E.g user A is permitted to modify Package A only so Guvnor's WEB interface is properly restricting the USER A and User A can only see Package A when he logs into Guvnor WEB UI.

My PROBLEM is that when USER A accesses guvnor through Guvnor's REST Interface then USER A can upload/modify any asset in any package (Package A, Package B, Package....). How can I apply the User Permission setup on access through REST API.

Using REST Interface I can access Package C with the user and password of User A. While USER A is only permitted to access Package A.

I have 5 applications accessing single Guvnor for their assets. Each application is getting assets from its own Package (E.g application 1 --> Package A, application 2 --> Package B ...).

I am using Guvnor's REST API for getting Task-Forms and also doing Import and Export of a package using REST API. (Doing Import/Export through REST interface as Guvnor imports or Exports only the complete repository. It is not importing exporting a single package.)

Security Breach Case: If the application developer knows the names of other packages he can point the application to get assets of other applications. This causes security issue for us. Applications should access assets assigned to them in their package only. I need to setup user and permissions for access through REST interface on the basis of packages. Applications accessing Guvnor should be allowed only to access their respective package/assets/categories only.