I have a query regarding process definition and access control.
Consider a scenario: I have created a user="admin" and role="admin_custom". Using this admin user i have created a new process definition and deployed the same. By default this process definition is accessible to all users. For example when i login using gonzo/gonzo i can see this process even if the access role is different and can simply start the process.
So the question is, how can we set access control at process definition level so that it can be deployed/started my specific set of users only?
Looking forward for your support. Thanks in advance.
There are several possibilities in order to achieve this, which I'll call "Multi-tenancy" henceforth. Check out this blog post by Joram Borraz, which highlights a couple of potential methods to partition data by tenants - which, if you treat the tenant structure like a 'roles' structure, then you can partition the data in very similar ways with little to know additional customization overhead.
However, if these options don't fit your desires:
Note: When you see 'tenant', feel free to substitute whatever phrasing you'd prefer, perhaps "role".
To get this functionality you're going to need to modify the existing DB structure and the corresponding object structures that are used to maintain the communication with the database. You could create a user_tenant_mapping table that would check that a user is tied to the data being pulled from the database, or just add a tenant_id column to the act_id_users/act_id_groups table. Both of those have their own difficulties, but could function to do the job you're looking for. You could also extract out the tenant information into its own table and correlate the IDs to the data and the users.
The difficult thing here is that Activiti Community doesn't support any OOTB methods to enforce multi-tenancy rules; it just provides the ability to 'partition' data into different tenants, but the ability to implement privacy if necessary is on the developer.