I am using external LDAP service to define Camunda Groups, Users and User Group memberships. I can see the Groups and Users from LDAP in the Admin UI very well. I can also use Authorisations for example to provide or revoke read access to my deployment.
But no matter what I do, any application user can see complete list of the currently running [CMMN] tasks in the /tasks REST endpoint.
I am taking an LDAP user that is a member of 2 groups. Neither the user, nor any of his groups have any Authorizations set up in Camunda, except for ACCESS to an application (I restrict to 'cockpit' only). Still, when I login with that user the GET /tasks lists complete list of all currently running tasks.
My test user cannot see any data /process-instance (even though there are some running), but at the same moment it can see all process instance variables via /variable-instace. What's the purpose of restricting /process-instance without restricting /variable-instance ?
What am I missing here? Can access to the /tasks and /variable-instance be restricted?
Can the reason be that the User Tasks that I try to restrict access to had been generated by a CMMN process?
Update
Yes, my unprivileged user can see all CMMN tasks but no BPMN tasks. So the authorization is working but it doesn't cover CMMN :(
