Uploaded image for project: 'Red Hat Process Automation Manager'
  1. Red Hat Process Automation Manager
  2. RHPAM-4889

business-central shows all process instances in multi-tenancy setup

XMLWordPrintable

    • False
    • None
    • False
    • Hide

      1. Create users user1 in group1 and user2 in group2
      2. Create two kjars with restrictions in kie-deployment-descriptor.xml:

          <required-roles>
        <required-role>view:group1</required-role>
        <required-role>execute:group1</required-role>
    </required-roles>

      3. Deploy the two kjars to distinctive kie-server instances
      4. Start a process instance for each kjar
      5. Log in as user1 in business-central and check the Process Instances view

      • Actual result: All process instances (from both kjars) are listed
      • Expected result: Only the process instance from kjar 1 should be shown
      Show
      1. Create users user1 in group1 and user2 in group2 2. Create two kjars with restrictions in kie-deployment-descriptor.xml : <required-roles> <required-role>view:group1</required-role> <required-role>execute:group1</required-role> </required-roles> 3. Deploy the two kjars to distinctive kie-server instances 4. Start a process instance for each kjar 5. Log in as user1 in business-central and check the Process Instances view Actual result: All process instances (from both kjars) are listed Expected result: Only the process instance from kjar 1 should be shown
    • ---
    • ---

      In a multi-tenancy setup, access to kjar assets is restricted through the <required-roles> element in kie-deployment-descriptor.xml. While this works for some operations (eg. a process instance can only be started by a user with the required role), the Process Instance view in business-central lists all process instances, regardless of the defined role. If a user who is not a member of the required role then clicks on a process instance, an error message is shown, but the process instance details are already exposed to the user.

      The expectation is that the process instance list only shows those instances where the currently logged in user matches the roles defined in the kjar's kie-deployment-descriptor.xml, and that the user is not able to open the detail view of such instances.

              abakos@redhat.com Alexandre Porcelli
              martinweiler Martin Weiler (Inactive)
              Tomas David Tomas David
              Tomas David Tomas David
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: