I have trouble finding documentation on how the Flowable access model works,
via the REST API and for Case and Process instances themselves.
What are the privileges of identitylink types:
And are those even enforced at all by the Flowable engine/REST? Assignee and candidate are fairly clear: there can only be one! (-Highlander) assignee, and candidates are people or groups that can claim the item for themselves, making themselves assignee. And the assignee can complete tasks. I would think Owner is a god privilege for the item. They can do whatever they want?
But then what are the starter’s rights?
Task identitylinks are fairly well documented, but what about the Case and Process instances? Who can edit the identity links of a process/case instance? Is that even controlled by the engine / REST?
If the rights are
R = Read all instance data
W = Write instance data, excluding grants
G = Grant identity links to the instance
D = Delete the instance
Is the matrix something like:
| candidate | RG (as assignee)? | RG (as assignee)? | RG (as assignee)? |
And maybe all other types are also duplicated as participants?