Process Engine REST API - runtime/process-instances

In my application I am using the Process Engine REST API to start a process instance:

I would like the process instances my application starts to be functional (e.g., show details, show form, show diagram, cancel process) in Flowable Task.

I can get the process instances to be visible in Flowable Task by setting the initiator variable:

    const processModel = {
      'name' :,
      'processDefinitionId' :,
      'variables': [
          'name': 'initiator',
          'type' : 'string',
          'value': 'flowable',
          'scope' : 'local'

Where ‘flowable’ is the Flowable Admin User’s user id.

# Default Flowable Admin Accounts - see: flowable.ldif


# Flowable (UI Applications) Admin User

dn: sn=Admin, ou=users,dc=flowable,dc=org
changetype: add
objectclass: inetOrgPerson
cn: Flowable
sn: Admin
uid: flowable
userPassword: test

However, the ‘Cancel process’ button isn’t visible?

It seems that Flowable Task is also setting the startedBy variable:

startedBy: {id: "flowable", firstName: "Flowable", lastName: "Admin", email: "",…}

Is this supported by the Process Engine REST API?

The startedBy is set by the following code:

So, it takes the authenticated user from that moment. Are you doing the REST call with a user, as that user should be used?

The server component of my application leverages Spring Security’s support for OAuth 2.0 and Jason Web Tokens (JWTs) and embeds Flowable’s BPMN engine and exposes the BPMN engine’s RESTful API (by utilising the Flowable Spring Boot Starters). As per this post.

All requests must be authenticated as per the DefaultSecurityConfig (extends WebSecurityConfigurerAdapter):

@Profile({"dev", "test", "prod"})
public class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {

  private String jwkSetUri;

  protected void configure(HttpSecurity http) throws Exception {"DefaultSecurityConfig: configure()");




  JwtDecoder jwtDecoder() {
    return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();

  CorsConfigurationSource corsConfigurationSource() {

    CorsConfiguration configuration = new CorsConfiguration();

    configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PATCH", "PUT", "DELETE"));

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);

    return source;


The Bearer token is included in all requests from the client component of my application:


export class AuthInterceptor implements HttpInterceptor {

  constructor(private authService: AuthService,
              private logger: LoggerService) {

  intercept(req: HttpRequest<any>, next: HttpHandler) {

    const accessToken = this.authService.getAccessToken();

    if (accessToken) {

      const authReq = req.clone({ setHeaders: { Authorization: 'Bearer ' + accessToken } });
      return next.handle(authReq);

    return next.handle(req);


For example,


  public ResponseEntity<PagedModel<IndividualModel>> findAll(
    Pageable pageable) throws ResponseStatusException {"IndividualController GET /individuals");

    try {

      Page<Individual> entities = repository.findAll(pageable);
      PagedModel<IndividualModel> models = pagedResourcesAssembler.toModel(entities, assembler);

      return ResponseEntity.ok(models);

    } catch (Exception e) {

      log.error("{}", e.getLocalizedMessage());

      throw new ResponseStatusException(HttpStatus.BAD_REQUEST);