Bug 1259981 - Does jBPM6 really authorize the Initiator,Stakeholder,Potential people to "Release" a Task ?
Does jBPM6 really authorize the Initiator,Stakeholder,Potential people to "Re...
Status: NEW
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Documentation (Show other bugs)
6.1.0
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: brms-docs@redhat.com
Lukáš Petrovický
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-03 23:00 EDT by Hiroko Miura
Modified: 2016-01-08 16:57 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hiroko Miura 2015-09-03 23:00:08 EDT
Title: Task Permissions Matrix

Describe the issue:
- As per the "Table 12.2. Main Operations Permissions Matrix" from our BPMS 6.1 Development Guide [1] the people like "Initiator,Stakeholder,Potential" can perform "release" operation on a Task. (i.e. all roles are marked as "+")

- As per the WS-HT 1.1 specification [2] this is what it says about who can perform "release".

~~~
4.10.2 Releasing a Human Task

The current actual owner of a human task can release a task to again make 
it available for all potential owners. A task can be released from active
states that have an actual owner (Reserved, InProgress), 
transitioning it into the Ready state
~~~
and
~~~
7.1.5 Operation Authorization

In the table in Page 91,

only Actual Owner is marks as "+".
Initiator and Administrator are marked as "MAY".
Potential Owner is marked as "n/a"
~~~

- our jBPM6 code allows only Owner and BusinessAdministrator to perform "release" operation.

./jbpm-6.2.0.Final-redhat-4/jbpm-human-task/jbpm-human-task-core/src/main/resources/operations-dsl.mvel
~~~
...
    Operation.Release
        : [ new OperationCommand().{
                status = [ Status.Reserved, Status.InProgress ],
                allowed = [Allowed.Owner, Allowed.BusinessAdministrator ],
                setNewOwnerToNull = true,
                newStatus = Status.Ready
            } ],
...
~~~

[1] https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BPM_Suite/6.1/html/Development_Guide/sect-Task_Permissions.html#Task_Permissions_Matrix
[2] http://docs.oasis-open.org/bpel4people/ws-humantask-1.1-spec-cs-01.pdf

Suggestions for improvement:
- Please check it from respective SME and correct the statement in our document.

Additional information:

Note You need to log in before you can comment on or make changes to this bug.