Access rights & Identitylinks

I have trouble finding documentation on how the Flowable access model works,
via the REST API and for case and process instances themselves.
What are the privileges of the identitylink types:

  • owner
  • starter
  • assignee
  • candidate
  • participant

And are those even enforced at all by the Flowable engine/REST? Assignee and candidate are fairly clear: there can only be one assignee! (-Highlander) Candidates are people or groups that can claim the item for themselves, making themselves the assignee. And the assignee can complete tasks. I would think owner is the god privilege for the item: they can do whatever they want?
But then what are the starter's rights?

Task identitylinks are fairly well documented, but what about case and process instances? Who can edit the identity links of a process/case instance? Is that even controlled by the engine/REST?

If the rights are:
R = Read all instance data
W = Write instance data, excluding grants
G = Grant identity links to the instance
D = Delete the instance

Is the matrix something like:

type         case                process             task
owner        RWGD                RWGD                RWGD
starter      ?                   ?                   ?
assignee     RW?                 RW?                 RW?
candidate    RG (as assignee)?   RG (as assignee)?   RG (as assignee)?
participant  R?                  R?                  R?

And maybe all other types are also duplicated as participants ?

The Flowable engine itself only stores this information, it doesn’t do any enforcing. That’s because Flowable is an embeddable engine and you need to do these things on the layer above it.

As such, it’s not possible to say RWGD at all, as the engines don’t validate these.

(This is different in Flowable Work, where these things are checked, by the way).
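Since the engine only stores identity links and leaves enforcement to the caller, the layer above has to decide what each link type means. The following is an added example (not Flowable's code and not the forum poster's) of such a layer: it takes identity links in the user/group/type shape the REST API returns (the field names are this example's assumption), applies the R/W/G/D rights from the question as an assumed policy matrix, and implements the two checks the question raises, a candidate claiming an instance (only when no assignee exists yet) and a grant that requires the G right. The sample links are constructed.

```python
"""Example authorization layer over Flowable identity links (added example).

The Flowable engine stores identity links but does not enforce them, so the
embedding application must map link types to rights itself. RIGHTS below is
this example's assumed policy, not something Flowable defines.
"""
from dataclasses import dataclass

# Rights as defined in the question: Read, Write, Grant, Delete.
R, W, G, D = "R", "W", "G", "D"

# Assumed policy matrix (example's own choice): rights conferred per link type.
RIGHTS = {
    "owner": {R, W, G, D},
    "starter": {R},
    "assignee": {R, W},
    "candidate": {R},
    "participant": {R},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    groups: frozenset = frozenset()


# Constructed sample: identity links of one process instance, shaped like the
# REST API's identity-link objects (user, group, type). Group links carry no user.
SAMPLE_LINKS = [
    {"user": "alice", "group": None, "type": "owner"},
    {"user": "bob", "group": None, "type": "starter"},
    {"user": None, "group": "sales", "type": "candidate"},
    {"user": "dave", "group": None, "type": "participant"},
]


def link_matches(link: dict, principal: Principal) -> bool:
    """True if a link applies to the principal directly or via group membership."""
    if link.get("user") is not None:
        return link["user"] == principal.user_id
    if link.get("group") is not None:
        return link["group"] in principal.groups
    return False


def effective_rights(links: list, principal: Principal) -> set:
    """Union of rights from every link that matches; unknown types grant nothing."""
    rights = set()
    for link in links:
        if link_matches(link, principal):
            rights |= RIGHTS.get(link.get("type"), set())
    return rights


def is_allowed(links: list, principal: Principal, right: str) -> bool:
    return right in effective_rights(links, principal)


def claim(links: list, principal: Principal) -> list:
    """A candidate claims the instance and becomes its single assignee.

    Returns a new link list; raises PermissionError if the principal is not a
    candidate or an assignee already exists (there can only be one).
    """
    is_candidate = any(
        link.get("type") == "candidate" and link_matches(link, principal)
        for link in links
    )
    if not is_candidate:
        raise PermissionError(f"{principal.user_id} is not a candidate")
    if any(link.get("type") == "assignee" for link in links):
        raise PermissionError("instance already has an assignee")
    return links + [{"user": principal.user_id, "group": None, "type": "assignee"}]


def grant(links: list, granter: Principal, new_link: dict) -> list:
    """Add an identity link; only a principal holding the G right may do so."""
    if not is_allowed(links, granter, G):
        raise PermissionError(f"{granter.user_id} may not grant identity links")
    if new_link.get("type") not in RIGHTS:
        raise ValueError(f"unknown identity link type: {new_link.get('type')!r}")
    return links + [new_link]


if __name__ == "__main__":
    carol = Principal("carol", frozenset({"sales"}))
    after_claim = claim(SAMPLE_LINKS, carol)
    print("carol after claim:", sorted(effective_rights(after_claim, carol)))  # ['R', 'W']
    print("dave may delete:", is_allowed(SAMPLE_LINKS, Principal("dave"), D))   # False
```

The design point is that every decision is computed from the stored links plus an explicit policy table, so changing what "starter" means is a one-line policy change rather than a code change scattered through the REST layer; the engine itself, as the answer notes, would have accepted any of these operations without complaint.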