Unable to get tasks assigned to users other than the authenticated user

Solution Verified - Updated -

Environment

  • Red Hat JBoss BPM Suite (BPMS) 6.2+

Issue

  • Unable to get tasks for other users through the Remote Java API;
  • Unable to get tasks for other users through the Intelligent Process Server API or endpoints;
  • The following error messages are thrown when the user given for the Task operation differs from the user used for REST authentication:

    org.kie.remote.client.api.exception.RemoteApiException: The user id used when retrieving task information (user1) must match the authenticating user (user2)!

or

    ERROR [org.kie.server.remote.rest.jbpm.UserTaskResource] (default task-55) Unexpected error during processing id to load is required for loading: java.lang.IllegalArgumentException: id to load is required for loading

Resolution

This is the expected behavior, designed for security reasons. By default, an authenticated user is supposed to see and perform actions only on their own tasks.
The settings described below change this default. Each one removes the check that the user id in a task request matches the authenticated user, so an authenticated caller can then work with tasks under another user id.

For Remote Java API

The security check can be disabled by setting the system property org.kie.task.insecure=true on the server where Business Central is running.
For example, on JBoss EAP:

    <system-properties>
        <property name="org.kie.task.insecure" value="true"/>
    </system-properties>

On the client side, either set the same system property or call the disableTaskSecurity() method of the RemoteRuntimeEngineFactory builder, as follows:

    // disableTaskSecurity() turns off the client-side check on the task user id
    RuntimeEngine engine = RemoteRuntimeEngineFactory.newRestBuilder()
            .addUrl(new URL(APP_URL))
            .addUserName(USER)
            .addPassword(PASSWORD)
            .addDeploymentId(DEPLOYMENT_ID)
            .disableTaskSecurity()
            .build();

For Intelligent Process Server

The system property org.kie.server.bypass.auth.user=true should be set on the server where kie-server.war is running.
For example, on JBoss EAP:

    <system-properties>
        <property name="org.kie.server.bypass.auth.user" value="true"/>
    </system-properties>

If the Intelligent Process Server Java Client API (kie-server client) is used to interact with the server, that property has to be configured on the client side too. The client then adds the user parameter to the REST URL, i.e.:

    kie-server/services/rest/server/queries/tasks/instances/pot-owners?user=redhat_user&page=0&pageSize=200&sort=&sortOrder=true

If the client API is not used, append ?user=SOME_USERNAME to the related Task REST endpoints.
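To find out whether a JBoss EAP instance has either of the two settings above switched on, the following added example (not Red Hat's code) scans the content of a standalone.xml file and a JVM options string for org.kie.task.insecure or org.kie.server.bypass.auth.user set to true. The function names and the sample input are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The two properties from this article; "true" switches the user-match check off.
BYPASS_PROPS = ("org.kie.task.insecure", "org.kie.server.bypass.auth.user")

# Constructed sample input, not taken from a real server.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.7">
  <system-properties>
    <property name="org.kie.server.bypass.auth.user" value="true"/>
    <property name="org.kie.server.id" value="demo"/>
  </system-properties>
</server>"""
SAMPLE_OPTS = "-Xmx1g -Dorg.kie.task.insecure=false"


def _local(tag):
    """Drop the XML namespace so any urn:jboss:domain:* version matches."""
    return tag.rsplit("}", 1)[-1]


def bypass_in_xml(xml_text):
    """Bypass properties declared under <system-properties>, as {name: value}."""
    found = {}
    for parent in ET.fromstring(xml_text).iter():
        if _local(parent.tag) == "system-properties":
            for prop in parent:
                if _local(prop.tag) == "property" and prop.get("name") in BYPASS_PROPS:
                    found[prop.get("name")] = (prop.get("value") or "").strip()
    return found


def bypass_in_jvm_opts(opts):
    """Bypass properties passed as -Dname=value, as {name: value}."""
    pairs = re.findall(r"-D([\w.]+)=(\S+)", opts)
    return {n: v.strip("\"'") for n, v in pairs if n in BYPASS_PROPS}


def enabled_bypasses(xml_text, jvm_opts=""):
    """Sorted names of bypass properties set to true in either source."""
    hits = set()
    for source in (bypass_in_xml(xml_text), bypass_in_jvm_opts(jvm_opts)):
        # Case-insensitive compare is an assumption, chosen to over-report.
        hits.update(n for n, v in source.items() if v.lower() == "true")
    return sorted(hits)


if __name__ == "__main__":
    print(enabled_bypasses(SAMPLE_XML, SAMPLE_OPTS))
```

A non-empty result means the server accepts a task user id that differs from the authenticated user, which is worth recording alongside who is allowed to authenticate to that server.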

Listing User Tasks Assigned As Potential Owner

If your User Task is assigned to a group, you need to use the getTasksAssignedAsPotentialOwner(String userId, List groupIds, List status, QueryFilter filter) method to get tasks assigned to a specific group of roles. getTasksAssignedAsPotentialOwner(String userId, QueryFilter filter) retrieves tasks only from the groups assigned to the user authenticated against kie-server, or User Tasks that set that specific userId as actorId. It will be fixed in BxMS Update 5.

Claiming tasks

Most operations, such as listing, initiating and completing tasks, can be done by following the steps above. However, claiming tasks on behalf of another user will not be possible if you are using the default Human Task callback, JAASUserGroupCallback. See our knowledge base article about this: "Unable to claim tasks on behalf of another user".
