Created attachment 572703 [details]
repo with the process used

Description of problem:
Assigning a human task to a group should result in the task being available to users from that group only. It is now available to anyone. It was tested with a process made in the Designer, using the GroupID property of a human task. The roles.properties file contains:

admin=admin,manager
krisv=sales
mary=HR
john=PM

Version-Release number of selected component (if applicable):
BRMS 5.3.0 ER5

Steps to Reproduce:
1. Import the provided repo into Guvnor.
2. In the jBPM Console, log in as krisv, start Evaluation process, fill in 'krisv' and some reason.
3. Go to Personal tasks and finish your task.
4. Look at the diagram in the Process overview section - it shows it's now waiting for completion of PM and HR evaluation.
5. Go to Group tasks. Optionally hit the refresh button there.

Actual results:
Two group tasks available, one should be for HR only, the other for PM only. But the user krisv is a member of neither of those.

Expected results:
No group tasks visible.

Additional info:
You won't see this with the sample repo, Evaluation process in that repo does not use group assignment.
Created attachment 572704 [details]
console shows group tasks to everyone

Looks like the console knows nothing about the user groups...?
There's also brms-roles.properties in conf/props folder, which contains the following:

admin=JBossAdmin,HttpInvoker,user,admin,manager
krisv=user,sales
mailman=JBossAdmin,readwrite
mary=user,HR
john=user,PM
ad=user,sales
Looks like DefaultUserGroupCallbackImpl is responsible for this. It takes all existing groups and merges them with the list of groups the user has. Why...?
Confirm that it is part of DefaultUserGroupCallbackImpl, as it was introduced more for demonstration purposes and to ease development by not having to switch between users while developing. Another issue that partially relates to this provides a way to overcome this issue, please have a look at #769931. It introduces a property to disable all groups being merged in DefaultUserGroupCallbackImpl.
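
Added example, not part of any comment in this thread and not jBPM code: a small Python model of the lookup discussed above, comparing a callback that merges every known group into the user's list with one that uses only the user's configured groups. It assumes "all existing groups" means every group named in roles.properties; the task names and the `merge_all_groups` flag are hypothetical.

```python
# Added example: models the group lookup discussed in this bug; not jBPM code.
# Constructed from the roles.properties content quoted in the report.
ROLES_PROPERTIES = """\
admin=admin,manager
krisv=sales
mary=HR
john=PM
"""
# Constructed task names for the two group tasks in the report.
GROUP_TASKS = {"HR evaluation": "HR", "PM evaluation": "PM"}


def parse_roles(text):
    """Parse 'user=group1,group2' lines into {user: set_of_groups}."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, _, groups = line.partition("=")
        roles[user.strip()] = {g.strip() for g in groups.split(",") if g.strip()}
    return roles


def groups_for_user(roles, user, merge_all_groups):
    """Groups used for task lookup; merge_all_groups is a hypothetical flag."""
    # True models the reported behaviour: every known group is merged into
    # the user's own list. False uses only the user's configured groups.
    own = set(roles.get(user, ()))
    if merge_all_groups:
        own = own.union(*roles.values())
    return own


def visible_group_tasks(roles, user, merge_all_groups):
    groups = groups_for_user(roles, user, merge_all_groups)
    return sorted(task for task, grp in GROUP_TASKS.items() if grp in groups)


def leaked_tasks(roles, merge_all_groups):
    """Per user, tasks shown that the user's own groups do not grant."""
    report = {}
    for user in roles:
        shown = set(visible_group_tasks(roles, user, merge_all_groups))
        extra = shown - set(visible_group_tasks(roles, user, False))
        if extra:
            report[user] = sorted(extra)
    return report
```

Calling `leaked_tasks(parse_roles(ROLES_PROPERTIES), True)` lists, per user, the group tasks exposed only because of the merge; an empty result is what a regression test for this bug should expect.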
jBPM console is now using a JAAS callback and should be able to pick up the users / groups as they are configured on the application server, using one of the possible configuration mechanisms (like property files).
Update status to ON_QA. Please verify them against ER6.