
Activiti 6 Identity Management Customization

mdtabrezmca
Star Contributor

1. Activiti 6 comes with identity management, and I am trying to give some permissions to users (for example, a user or group of users can only view the task data or process data and should not edit it). So I want to include some permissions for groups of users (for example, u1 can only fill in the form and send the data, u2 has read and write permission).

2. How can I integrate Activiti identity management so that it can be used with other authentication providers? (For example, how can I implement an SSO feature in Activiti 6?) That way it can use other identity providers' users as well.

3. How can I make the same Activiti application usable by multiple tenants?

6 REPLIES

ryandawson
Elite Collaborator

Is this a question specifically about the Activiti 6 community edition? I ask because I can see from your previous posts that you've looked at the enterprise edition (Alfresco Process Services) and the character of features you're talking about sounds more enterprise-oriented.

mdtabrezmca
Star Contributor

Hi Ryan,

Thanks for your reply. Yes, I was evaluating the enterprise edition, but I think Activiti 6 has a good amount of features, with Angular support and form support, and that was enough for us; with some more code customization we can achieve many things on the process-building side.

Our major concern is: if the Activiti community edition is to be used with an existing identity provider, how should I integrate it with that? I think this is a much-needed feature if any existing application wants to integrate with the Activiti community edition.

We are using UAA from Cloud Foundry as the OAuth2 server, and I want Activiti to use the existing users of the OAuth2 server.

I would be grateful for any help on the community edition, as this is one of the very important integration points.

Presumably you're proposing to undertake an integration? How much would be involved would depend upon what you're integrating with. If you're embedding the engine in an application then your application would be handling authentication and you could just not use the identity service within activiti and set the DbIdentityUsed flag to false. The engine task service just treats users and groups as strings so you can work in this way - just note that the lookups won't automatically use the groups for a user and you have to include them in the queries. (This link may be useful - TaskQuery (Activiti - Engine 5.22.0 API) ). And for Activiti to know which user is logged in you'd have to call Authentication.setAuthenticatedUserId().

There is the possibility to override classes so as to supply your own identity management following the pattern of the Activiti identity service. You could have a look at Activiti/modules/activiti-ldap/src/main/java/org/activiti/ldap at 6.0-release · Activiti/Activiti · ... . But that might be overkill for your purposes.

Or are you using the provided UI?

I should say that the enterprise edition comes with OAuth2 integration - Configuring OAuth 2 for the Alfresco Process Services | Alfresco Documentation
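The embedded-engine approach described in the reply above, as an added example that is not code from the thread or from the Activiti project: identity tables switched off, the caller's groups passed explicitly to the task query, and the authenticated user id set and cleared around each call. It assumes Activiti 6 and the H2 driver on the classpath; the class name, `runAs`, `claimableTasks`, the user `u2` and the group names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.function.Supplier;
import org.activiti.engine.ProcessEngine;
import org.activiti.engine.ProcessEngineConfiguration;
import org.activiti.engine.TaskService;
import org.activiti.engine.impl.identity.Authentication;
import org.activiti.engine.task.Task;

public class ExternalIdentityExample {
    // Authentication keeps the user id in a ThreadLocal, so clear it in finally:
    // a pooled request thread would otherwise carry it into the next request.
    static <T> T runAs(String userId, Supplier<T> work) {
        Authentication.setAuthenticatedUserId(userId);
        try {
            return work.get();
        } finally {
            Authentication.setAuthenticatedUserId(null);
        }
    }

    // The engine is not asked to resolve the user's groups; the caller passes them in.
    static List<Task> claimableTasks(TaskService tasks, List<String> groups) {
        return tasks.createTaskQuery().taskCandidateGroupIn(groups).list();
    }

    public static void main(String[] args) {
        ProcessEngineConfiguration cfg =
            ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
        cfg.setDbIdentityUsed(false); // the flag named in the reply
        ProcessEngine engine = cfg.buildProcessEngine();
        TaskService tasks = engine.getTaskService();

        // Constructed sample data: a standalone task offered to one group.
        Task review = tasks.newTask();
        review.setName("Review request");
        tasks.saveTask(review);
        tasks.addCandidateGroup(review.getId(), "approvers");

        // Constructed identity; assumed to come from the application's validated token.
        String userId = "u2";
        List<String> groups = Arrays.asList("approvers", "staff");

        List<Task> visible = runAs(userId, () -> claimableTasks(tasks, groups));
        runAs(userId, () -> { tasks.claim(visible.get(0).getId(), userId); return null; });
        System.out.println(visible.size() + " task(s) visible; claimed by " + userId);
        engine.close();
    }
}
```

Take the user id and group list only from a token the application has already validated, never from request parameters, because the engine treats both as plain strings and performs no check of its own.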

Hi Ryan,

Thanks for your valuable reply. I am looking to integrate the Activiti app along with the Activiti UI, not the Activiti engine alone. I will evaluate the options you gave above. As I am new to the Activiti source code, my question, being about using Activiti along with the UI and not just the engine, might not hold good, but I am still asking whether setting the DbIdentityUsed flag to false holds good for the entire activiti_app, as I was seeing errors in the console when I set this property to false.

I will still evaluate further, but thanks for giving me a start.

It's possible that switching the flag alone isn't enough when using the UI. It depends what errors you're seeing but I wouldn't be surprised if there are calls to query candidateUsers without specifying their groups, which would hit calls like this - Activiti/HistoricTaskInstanceQueryImpl.java at 6.0-release · Activiti/Activiti · GitHub  (that one is on historic tasks but same on tasks). That might need changing for your purposes. 

Thanks Ryan,

Yes, you are right; I was getting the same exceptions on the console where the group ID query was getting fired.

As of now I will try the option of setting DbIdentityUsed to false. As I can see in the Activiti 7 roadmap, you are already moving to a microservice architecture, which would be best suited for OAuth2 integration, where we can have the AuthServer and ResourceServer separated as microservices. We are also currently developing our custom application on a Spring microservice architecture with UAA as the AuthServer.

So, in order to make the solution simpler, I have the following approach for bypassing the Activiti application login; please correct me if I am wrong.

1. Insert the username and password, along with the group, into the Activiti DB while creating the user in our custom application.

2. Pass the username and password to the Activiti login page without displaying the login page. (This would require some changes in the Activiti login page, where the submit form event should be called from our custom application. How to do this I need to check.)

Any help on this would be very helpful at this point in time.