I have trouble finding documentation on how the Flowable access model works,
both via the REST API and for the case and process instances themselves.
What are the privileges of the identity link types:
- owner
- starter
- assignee
- candidate
- participant
And are those even enforced at all by the Flowable engine/REST? Assignee and candidate are fairly clear: there can only be one (-Highlander) assignee, and candidates are people or groups that can claim an item for themselves, making themselves the assignee. And the assignee can complete tasks. I would think owner is the god privilege for the item. They can do whatever they want?
But then what are the starter's rights?
Task identity links are fairly well documented, but what about the case and process instances? Who can edit the identity links of a process/case instance? Is that even controlled by the engine / REST?
If the rights are
- R = Read all instance data
- W = Write instance data, excluding grants
- G = Grant identity links to the instance
- D = Delete the instance
Is the matrix something like:
type | case | process | task |
---|---|---|---|
owner | RWGD | RWGD | RWGD |
starter | ? | ? | ? |
assignee | RW? | RW? | RW? |
candidate | RG(as assignee)? | RG(as assignee)? | RG(as assignee)? |
participant | R? | R? | R? |
And maybe all other types are also duplicated as participants?