Is it possible to secure access to sending process events in A12 Workflows?
When sending a process event I would like UAA to step in based on authorizationDefinitions and allow / deny the request based on process / event / user attributes. Just like we do with task update / complete and so forth.
It seems there is no ‘scope’ for process events:
- there is no scope mentioned in Workflows > Custom Authorization Definition
- there is no `@PreAuthorize("hasUAAPermission('..` annotation on `com.mgmtp.a12.workflows.service.SecuredWorkflowService#triggerProcessEvent` (checking in 8.0.9 and 8.1.6)
Is there any (other) way to achieve this? Thanks!
Hi @alexander-rugged-module,
thank you for your post within A12 discourse! We’ve forwarded your request to our workflows team. As they are currently very busy, there may be delays in processing. We apologize for this and hope to be able to provide an answer in a timely manner.
Your discourse team
Hi @alexander-rugged-module,
Thanks a lot for the report! You’re right, there’s no UAA scope on this endpoint and no Spring events either that you could hook into.
We will fix this for 2022.06, 2023.02, and 2023.06 by introducing UAA authorization on this endpoint and keep you updated.
Hi @alexander-rugged-module,
The fix has been released in 10.0.1, 9.5.3, and 8.1.9.
There is now a new UAA scope, SendMessage, which by default allows all access to stay non-breaking. But, as with any other UAA scope, you can override the rules for this scope in your child authorization definition.
Best,
Peter