The IDM makes a one-to-one mapping between BPMN groups (a mechanism to assign potential owners to a task based on a user being a member of a certain group, https://flowable.com/open-source/docs/bpmn/ch07b-BPMN-Constructs/#user-assignment) and Spring Security Groups (a way of grouping the authorities a user has to make it easy to administer user authorities, https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#authority-groups).
It seems more natural to me that the IDM should consider BPMN Group membership as a Spring Security Authority that a user can have (the ability to claim and complete a set of tasks marked with that authority) rather than a Spring Security Group.
In particular, I would like to be able to use the current natural way of administering authorities in the IDM (such as the ability to use the REST API, to administer users of the system, etc.) by assigning them to Spring Security Groups, to also assign BPMN group memberships to a given Spring group. In particular, I have found that in my applications the Spring groups map naturally one-to-one to the organization job titles and roles, but don’t map one-to-one to BPMN groups.
The goal of this comment is to initiate a discussion about whether other people share the thought that BPMN group membership would be better treated in the IDM and Flowable as a Spring Security Authority rather than a Spring Security Group, and if so, whether it might make sense to change/extend the way the IDM works in this respect. In particular, I am wondering what the core developers think about this and whether there would be any interest in providing such functionality as part of the open source code. I plan to work on this task, and would be happy to open source my code into Flowable if it was of value to the community.
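
The mapping proposed in the post above, sketched as an added example that is not part of the original post and is not Flowable IDM code: Spring Security groups stand for job titles, and BPMN group membership is one kind of authority a group grants. The class name, the `BPMN_GROUP_` prefix and the sample groups are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical helper: derives BPMN candidate groups from Spring Security authorities.
public class BpmnGroupAuthorityResolver {

    // Assumed naming convention: only authorities carrying this prefix denote
    // BPMN group membership, so ordinary authorities such as ROLE_USER can
    // never be mistaken for a candidate group.
    static final String PREFIX = "BPMN_GROUP_";

    // Constructed sample data: Spring Security group (job title) -> authorities it grants.
    // One job title can carry several BPMN groups, and one BPMN group can be
    // shared by several job titles, which a one-to-one mapping cannot express.
    static final Map<String, List<GrantedAuthority>> GROUP_AUTHORITIES = Map.of(
        "claims-manager", List.of(auth("ROLE_USER"),
                                  auth("BPMN_GROUP_claimsReview"),
                                  auth("BPMN_GROUP_claimsApproval")),
        "claims-clerk",   List.of(auth("ROLE_USER"),
                                  auth("BPMN_GROUP_claimsReview")));

    static GrantedAuthority auth(String name) {
        return new SimpleGrantedAuthority(name);
    }

    // Expand the user's Spring groups into authorities, keep only the BPMN
    // ones, and strip the prefix. Unknown groups grant nothing (fail closed).
    static Set<String> candidateGroups(Collection<String> springGroups) {
        return springGroups.stream()
            .flatMap(g -> GROUP_AUTHORITIES.getOrDefault(g, List.of()).stream())
            .map(GrantedAuthority::getAuthority)
            .filter(a -> a.startsWith(PREFIX) && a.length() > PREFIX.length())
            .map(a -> a.substring(PREFIX.length()))
            .collect(Collectors.toCollection(TreeSet::new));
    }

    public static void main(String[] args) {
        // The resulting names are what a task query on candidate groups
        // (for example Flowable's taskCandidateGroupIn) would be given.
        System.out.println(candidateGroups(List.of("claims-clerk")));
        System.out.println(candidateGroups(List.of("claims-manager", "unknown-group")));
    }
}
```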