1 Reply Latest reply on Feb 13, 2017 5:09 PM by Donato Marrazzo

    User '[UserImpl:'XXXX']' does not have permissions to execute operation 'XXXX' on task id #

    Fernando Pena Cantu Newbie

      Hello, I have put some of my projects in a container and run them by using REST API calls.

      Look at https://access.redhat.com/webassets/avalon/d/Red_Hat_JBoss_BPM_Suite-6.4-Development_Guide-en-US/Red_Hat_JBoss_BPM_Suite… page 295 if you don't know what I am talking about.


      So I start the process and try to claim a user task by using http://localhost:8080/kie-server/services/rest/server/containers/SignalExample/tasks/2/states/claimed and I get this error.

      User '[UserImpl:'kieuser']' does not have permissions to execute operation 'Claim' on task id 2.

      I understand why I get this error because the user who is making the api calls (kieuser) does not have the permissions to execute task id 2.

      For example, task id 2 can only be accessed by admin, and kieuser is a user.

      However, is there a way I can let it know that xxxx user is sending the API call instead of kieuser?


      I know I can also use the property org.kie.server.bypass.auth.user to make it so anybody can claim the task, but I don't want to do that.

        • 1. Re: User '[UserImpl:'XXXX']' does not have permissions to execute operation 'XXXX' on task id #
          Donato Marrazzo Newbie

          Hello Fernando, your question is not really clear to me.



          Let me try to explain with my words:


          - you want to use a single system user/pwd to interact with the kieserver

          - you want to impersonate a user to perform a task management action (so the user "XXXX" claims the task)


          If I understood correctly, the way to achieve this is described in paragraph 16.4 of the Development Guide:


          1) disable the security settings by using the org.kie.server.bypass.auth.user property.

          2) provide a user with sufficient permissions to execute the operation using the query parameter ?user=$USER_NAME. This works, but it's highly discouraged because of the security implications. It's better to configure the front-end and the back-end in an SSO domain.
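
A configuration check for the setting discussed in this thread, as an added example that is not part of either post or of the product's own code: it reports whether `org.kie.server.bypass.auth.user` is switched on in a `standalone.xml` system-properties block or in a `JAVA_OPTS` string. The sample XML and options are constructed, the function names are hypothetical, and it assumes that only the value `true` enables the bypass.

```python
import re
import xml.etree.ElementTree as ET

PROP = "org.kie.server.bypass.auth.user"  # property name as given in the thread

# Constructed sample input (not taken from a real server).
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.8">
  <system-properties>
    <property name="org.kie.server.id" value="default-kie-server"/>
    <property name="org.kie.server.bypass.auth.user" value="true"/>
  </system-properties>
</server>"""
SAMPLE_OPTS = "-Xmx1g -Dorg.kie.server.bypass.auth.user=false"

def _local(tag):
    # Drop the "{namespace}" prefix so any urn:jboss:domain:* version matches.
    return tag.rsplit("}", 1)[-1]

def _enabled(value):
    # Assumption: the bypass is active only when the value is "true" (any case).
    return (value or "").strip().lower() == "true"

def bypass_sources(standalone_xml, java_opts=""):
    """Return the places where the bypass property is set to true."""
    found = []
    root = ET.fromstring(standalone_xml)
    for block in root.iter():
        # Only look inside <system-properties>; other subsystems also
        # use <property> elements that are unrelated to JVM properties.
        if _local(block.tag) != "system-properties":
            continue
        for prop in block:
            if (_local(prop.tag) == "property" and prop.get("name") == PROP
                    and _enabled(prop.get("value"))
                    and "standalone.xml" not in found):
                found.append("standalone.xml")
    # On the command line the last -D for a given property wins.
    flags = re.findall(r"-D" + re.escape(PROP) + r"=([^\s\"']+)", java_opts)
    if flags and _enabled(flags[-1]):
        found.append("JAVA_OPTS")
    return found

if __name__ == "__main__":
    hits = bypass_sources(SAMPLE_XML, SAMPLE_OPTS)
    print("bypass enabled in:", ", ".join(hits) if hits else "nowhere")
```

With the bypass enabled, the `?user=` query parameter is taken as the task actor without being tied to the authenticated caller, so a hit from this check is worth reviewing against who can reach the KIE Server REST endpoints.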