Process variables on tasks API


It's possible to get the process variables as part of the tasks API using the flag includeProcessVariables=true.
However, exposing the global process variables on the tasks API does not seem right from a data security standpoint. If we have any critical data stored as part of process variables, how do we avoid exposing this data on a task level for task users?

That API always returns all variables. Flowable doesn’t distinguish between types of variables (security-wise); that would need to be added in your own custom logic.

If you want to store variables ‘locally’ on the task, you can store variables task-local (and also copy variables task-local that should be visible in the task only), and query these task-local variables only.

To expand on what joram said about custom logic:

When you fetch a Task (or a List if you’re getting more than one) you can also create a custom task representation. Then you can store into your custom task representation only the data you want to allow to be exposed at any given point in time (you’d do this in a foreach if using List). At that point you can do a security check to see if the data in the task/process variables is something you want to output as part of the task’s data. If you don’t store the value into your custom task representation, then the data isn’t exposed.

Of course, the simpler solution is to reconsider whether you want to store critical data in the workflow, because if you cause the workflow to tank you can lose access to the data from your application (unless you are using the Historical Task API).
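
The custom task representation described in the reply above, sketched as an added example that is not part of the original thread or of Flowable's own code: a deny-by-default allow-list decides which process variables are copied into the object returned to the caller. `EngineTask`, `TaskView`, `REQUIRED_ROLE`, the role names and the variable names are hypothetical; the example uses only the JDK (Java 16+ for records) so it runs without an engine.

```java
import java.util.*;

public class TaskViewExample {
    // Hypothetical stand-in for the fields read from a fetched task
    // (with Flowable, the map would come from Task.getProcessVariables()).
    record EngineTask(String id, String name, Map<String, Object> processVariables) {}

    // The custom task representation handed to callers.
    record TaskView(String id, String name, Map<String, Object> variables) {}

    // Deny by default: only variables listed here can ever leave the service,
    // and each one names the (hypothetical) role a caller needs to see it.
    static final Map<String, String> REQUIRED_ROLE = Map.of(
            "orderId", "ROLE_USER",
            "customerName", "ROLE_USER",
            "creditLimit", "ROLE_FINANCE");

    static TaskView toView(EngineTask task, Set<String> callerRoles) {
        Map<String, Object> visible = new TreeMap<>();
        task.processVariables().forEach((name, value) -> {
            String required = REQUIRED_ROLE.get(name);
            if (required != null && callerRoles.contains(required)) {
                visible.put(name, value); // copied only after the check passes
            }
        });
        return new TaskView(task.id(), task.name(), visible);
    }

    static List<TaskView> toViews(List<EngineTask> tasks, Set<String> callerRoles) {
        List<TaskView> views = new ArrayList<>();
        for (EngineTask task : tasks) {
            views.add(toView(task, callerRoles));
        }
        return views;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real process instance.
        Map<String, Object> vars = new HashMap<>();
        vars.put("orderId", "A-1001");
        vars.put("customerName", "Example Customer");
        vars.put("creditLimit", 5000);
        vars.put("paymentToken", "constructed-secret-value");
        List<EngineTask> tasks = List.of(new EngineTask("t1", "Approve order", vars));

        System.out.println(toViews(tasks, Set.of("ROLE_USER")));
        System.out.println(toViews(tasks, Set.of("ROLE_USER", "ROLE_FINANCE")));
    }
}
```

A variable that is not in the allow-list, such as the constructed `paymentToken`, never reaches the output for any caller, so a newly added process variable stays hidden until someone explicitly lists it.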