  1. Red Hat Process Automation Manager
  2. RHPAM-4889

business-central shows all process instances in multi-tenancy setup


Details


      1. Create users user1 in group1 and user2 in group2
      2. Create two kjars with restrictions in kie-deployment-descriptor.xml:

          <required-roles>
              <required-role>view:group1</required-role>
              <required-role>execute:group1</required-role>
          </required-roles>
      

      3. Deploy the two kjars to distinct kie-server instances
      4. Start a process instance for each kjar
      5. Log in as user1 in business-central and check the Process Instances view

      • Actual result: All process instances (from both kjars) are listed
      • Expected result: Only the process instance from kjar 1 should be shown

    Description

      In a multi-tenancy setup, access to kjar assets is restricted through the <required-roles> element in kie-deployment-descriptor.xml. While this works for some operations (e.g. a process instance can only be started by a user with the required role), the Process Instance view in business-central lists all process instances, regardless of the defined role. If a user who is not a member of the required role then clicks on a process instance, an error message is shown, but the process instance details are already exposed to the user.

      The expectation is that the process instance list only shows those instances where the currently logged in user matches the roles defined in the kjar's kie-deployment-descriptor.xml, and that the user is not able to open the detail view of such instances.
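
The expected filtering described above, as an added example (not code from Business Central or jBPM): it derives the view roles from each kjar's descriptor and reports which entries of an observed listing a user should not have been shown. The function names, the instance records and the handling of unprefixed roles are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

def descriptor(group):
    # Constructed sample, modelled on the <required-roles> snippet in the steps above.
    return (f"<deployment-descriptor><required-roles>"
            f"<required-role>view:{group}</required-role>"
            f"<required-role>execute:{group}</required-role>"
            f"</required-roles></deployment-descriptor>")

DESCRIPTORS = {"kjar1": descriptor("group1"), "kjar2": descriptor("group2")}
INSTANCES = [{"id": 1, "container": "kjar1"}, {"id": 2, "container": "kjar2"}]

def required_roles(descriptor_xml, action):
    """Roles a descriptor requires for `action` ("view" or "execute")."""
    roles = set()
    for el in ET.fromstring(descriptor_xml).iter():
        text = (el.text or "").strip()
        # Match on the local name so a namespaced descriptor parses the same way.
        if el.tag.rsplit("}", 1)[-1] != "required-role" or not text:
            continue
        prefix, sep, role = text.partition(":")
        if not sep:
            roles.add(text)      # assumption: an unprefixed role covers every action
        elif prefix == action:
            roles.add(role)
    return roles

def may_view(user_groups, descriptor_xml):
    roles = required_roles(descriptor_xml, "view")
    # Assumption: a descriptor that names no view role does not restrict viewing.
    return not roles or bool(roles & set(user_groups))

def visible_instances(instances, user_groups, descriptors):
    """The listing the issue expects; unknown containers are hidden (fail closed)."""
    return [i for i in instances
            if i["container"] in descriptors
            and may_view(user_groups, descriptors[i["container"]])]

def leaked_instances(listed, user_groups, descriptors):
    """Entries of an observed listing that the user should not have been shown."""
    allowed = visible_instances(listed, user_groups, descriptors)
    return [i for i in listed if i not in allowed]

if __name__ == "__main__":
    # user1 (group1) is shown both instances, as in the reported behaviour.
    print(leaked_instances(INSTANCES, ["group1"], DESCRIPTORS))
```

Fed with the listing a test user actually receives, a non-empty result from `leaked_instances` reproduces the reported behaviour and can serve as a regression check once the view is fixed.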

          People

            abakos@redhat.com Alexandre Bakos
            martinweiler Martin Weiler
            Tomas David Tomas David
            Tomas David Tomas David