Authorization Management
Authorizations are not created in Optimize itself; they are configured in the Camunda Platform and can be set on different levels with different options. This has the advantage that you don't need to define the authorizations several times. If you do not know how authorization in Camunda works, please have a look at the authorization service documentation.
Definition related Authorizations
You can specify which user has access to certain process or decision definitions, including data related to that definition. This means the user can only see, create, edit and delete reports for definitions they are authorized to access.
When defining an authorization to grant or deny access to certain definitions, the most important aspect is that you grant access on the resource type “process definition” and “decision definition”. You can then refer to a specific definition by providing the definition key as resource ID, or use “*” as resource ID if you want to grant access to all definitions. To grant access to a definition, you need to set either ALL or READ_HISTORY as permission. Both permission settings are treated equally in Optimize, so there is no difference between them.
As an example, have a look at how adding authorizations for process definitions could be done in Camunda Admin:
- The first option grants global read access for the process definition invoice. With this setting all users are allowed to see, update, create and delete reports related to the process definition invoice in Optimize.
- The second option defines an authorization for a single user. The user Kermit can now see, update, create and delete reports related to the process definition invoice in Optimize.
- The third option provides access on group level. All users belonging to the group optimize-users can see, update, create and delete reports related to the process definition invoice in Optimize.
It is also possible to revoke the definition authorization for specific users or groups. For instance, you can define access for all process definitions on a global scale, but exclude the engineers group from accessing reports related to the invoice process:
Decision definitions are managed in the same manner in the Authorizations -> Decision Definition section of the Authorizations Management of the Camunda Platform.
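As an added example (not part of the Optimize documentation), the following Python script reviews authorization records in the shape returned by the Camunda Platform REST API (GET /authorization) and lists every entry that affects definition access in Optimize, flagging global and all-definition grants for least-privilege review. It lists entries rather than computing a user's effective access. The numeric type and resource type codes are Camunda Platform 7 REST API values that do not appear on this page, the function name optimize_relevant is hypothetical, and the sample records are constructed.

```python
import json

# Numeric codes used by the Camunda Platform 7 REST API (assumption: not shown on this page).
AUTH_TYPES = {0: "GLOBAL", 1: "GRANT", 2: "REVOKE"}
DEFINITION_RESOURCES = {6: "process definition", 10: "decision definition"}
OPTIMIZE_PERMISSIONS = {"ALL", "READ_HISTORY"}  # treated equally by Optimize

# Constructed sample records in the shape returned by GET /authorization.
SAMPLE = json.loads("""[
 {"type": 0, "userId": "*", "groupId": null, "resourceType": 6, "resourceId": "invoice", "permissions": ["READ_HISTORY"]},
 {"type": 1, "userId": "Kermit", "groupId": null, "resourceType": 6, "resourceId": "invoice", "permissions": ["ALL"]},
 {"type": 1, "userId": null, "groupId": "optimize-users", "resourceType": 10, "resourceId": "*", "permissions": ["READ_HISTORY"]},
 {"type": 2, "userId": null, "groupId": "engineers", "resourceType": 6, "resourceId": "invoice", "permissions": ["READ_HISTORY"]},
 {"type": 1, "userId": "Kermit", "groupId": null, "resourceType": 6, "resourceId": "invoice", "permissions": ["READ"]},
 {"type": 1, "userId": "Kermit", "groupId": null, "resourceType": 7, "resourceId": "*", "permissions": ["ALL"]}
]""")

def optimize_relevant(auths):
    """Hypothetical helper: one finding per authorization that affects Optimize definition access."""
    findings = []
    for a in auths:
        if a["resourceType"] not in DEFINITION_RESOURCES:
            continue  # not a process or decision definition authorization
        if not OPTIMIZE_PERMISSIONS & set(a["permissions"]):
            continue  # neither ALL nor READ_HISTORY is set
        kind = AUTH_TYPES[a["type"]]
        if kind == "GLOBAL":
            subject = "all users"
        elif a["groupId"]:
            subject = "group " + a["groupId"]
        else:
            subject = "user " + a["userId"]
        flags = []  # breadth markers, only meaningful for entries that grant access
        if kind != "REVOKE":
            if kind == "GLOBAL":
                flags.append("global")
            if a["resourceId"] == "*":
                flags.append("all-definitions")
        findings.append({
            "effect": kind, "subject": subject,
            "resource": DEFINITION_RESOURCES[a["resourceType"]],
            "definition": a["resourceId"], "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in optimize_relevant(SAMPLE):
        print(finding)
```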
User and Group related Authorizations
In order to allow logged-in users to see other users and groups in Optimize (for example to add them to a Collection), they have to be granted read permissions for the resource type “User” as well as the resource type “Group”. Access can be granted or denied either for all users/groups or for specific user/group IDs only. This can be done in Camunda Admin as illustrated in the definition authorization example above.