Chapter 11. Case management security

Cases are configured at the case definition level with case roles. These are generic participants that are involved in case handling. These roles can be assigned to user tasks or used as contact references. Roles are not hard-coded to specific users or groups to keep the case definition independent of the actual actors involved in any given case instance. You can modify case role assignments at any time as long as case instance is active, though modifying a role assignment does not affect tasks already created based on the previous role assignment.

Case instance security is enabled by default. The case definition prevents case data from being accessed by users who do not belong to the case. Unless a user has a case role assignment (either assigned as user or a group member) then they are not able to access the case instance.

Case security is one of the reasons why it is recommended that you assign case roles when starting a case instance, as this will prevent tasks being assigned to users who should not have access to the case.

11.1. Configuring security for case management

You can turn off case instance authorization by setting the following system property to false:

org.jbpm.cases.auth.enabled

This system property is just one of the security components for case instances. In addition, you can configure case operations at the execution server level using the case-authorization.properties file, available at the root of the class path of the execution server application (kie-server.war/WEB-INF/classes).

Using a simple configuration file for all possible case definitions encourages you to think about case management as domain-specific. AuthorizationManager for case security is pluggable, which allows you to include custom code for specific security handling.

You can restrict the following case instance operations to case roles:

  • CANCEL_CASE
  • DESTROY_CASE
  • REOPEN_CASE
  • ADD_TASK_TO_CASE
  • ADD_PROCESS_TO_CASE
  • ADD_DATA
  • REMOVE_DATA
  • MODIFY_ROLE_ASSIGNMENT
  • MODIFY_COMMENT

Prerequisites

  • The Red Hat Process Automation Manager Process Server is not running.

Procedure

  1. Open JBOSS_HOME/standalone/deployments/kie-server.war/WEB-INF/classes/case-authorization.properties file in your preferred editor.

    By default, the file contains the following operation restrictions:

    CLOSE_CASE=owner,admin
    CANCEL_CASE=owner,admin
    DESTROY_CASE=owner,admin
    REOPEN_CASE=owner,admin
  2. You can add or remove role permissions for these operations.

    1. To remove permission for a role to perform an operation, remove it from the list of authorized roles for that operation in the case-authorization.properties file. For example, removing the admin role from the CLOSE_CASE operation restricts permission to close a case to the case owner for all cases.
    2. To give a role permission to perform a case operation, add it to the list of authorized roles for that operation in the case-authorization.properties file. For example, to allow anyone with the manager role to perform a CLOSE_CASE operation, add it to the list of roles, separated by a comma:

      CLOSE_CASE=owner,admin,manager

  3. To add role restrictions to other case operations listed in the file, remove the # from the line and list the role names in the following format:

    OPERATION=role1,role2,roleN

    Operations in the file that begin with # have restrictions ignored and can be performed by anyone involved in the case.

  4. When you have finished assigning role permissions, save and close the case-authorization.properties file.
  5. Start the execution server.

    The case authorization settings apply to all cases on the execution server.