Access control for global user task listeners
Global user task listeners are managed through the Orchestration Cluster authorization model. This page lists the permissions required to manage listeners through the Orchestration Cluster REST API and Admin UI.
When you need to configure permissions
Configure permissions for global user task listeners if all of the following apply:
- Authorizations are enabled for the cluster.
- You manage global user task listeners through one of the following:
  - The Orchestration Cluster API, or
  - The Admin UI.
You do not need additional Orchestration Cluster authorizations when:
- You define listeners via Unified Configuration.
- You only execute processes that are already affected by global listeners. Execution-time behavior is not guarded by separate permissions.
Required permissions
Global user task listeners use the GLOBAL_LISTENER resource type in the Orchestration Cluster authorization model. Only the wildcard resource ID * is supported. Authorizations for specific listener IDs are not evaluated.
To allow a user, group, role, or client to manage listeners through the Orchestration Cluster API or the Admin UI, grant authorizations on GLOBAL_LISTENER with resource ID * and the following permissions:
| Operation | Required permission | Related API endpoint |
|---|---|---|
| List or search global user task listeners | READ_TASK_LISTENER | Search global user task listeners |
| View a single global user task listener | READ_TASK_LISTENER | Get global user task listener |
| Create a new global user task listener | CREATE_TASK_LISTENER | Create global user task listener |
| Update an existing global user task listener | UPDATE_TASK_LISTENER | Update global user task listener |
| Delete an existing global user task listener | DELETE_TASK_LISTENER | Delete global user task listener |
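
Because only the wildcard resource ID is evaluated, a grant written against a specific listener ID gives no access at all, which is easy to miss in review. The following audit sketch is an added example, not code from the product or its documentation; the record field names (`ownerType`, `ownerId`, `resourceType`, `resourceId`, `permissionTypes`) and the operation labels are assumptions, and the sample records are constructed.

```python
# Added example: audit exported authorization records for GLOBAL_LISTENER grants.
# Field names are assumed; adapt them to the export format you actually have.
RESOURCE_TYPE = "GLOBAL_LISTENER"

# Operation -> required permission, taken from the table above.
REQUIRED = {
    "search": "READ_TASK_LISTENER",
    "get": "READ_TASK_LISTENER",
    "create": "CREATE_TASK_LISTENER",
    "update": "UPDATE_TASK_LISTENER",
    "delete": "DELETE_TASK_LISTENER",
}

def audit(records):
    """Return (effective, ignored).

    effective: (ownerType, ownerId) -> permissions granted on resource ID '*'.
    ignored:   GLOBAL_LISTENER records with any other resource ID; these are
               not evaluated, so they grant nothing.
    """
    effective, ignored = {}, []
    for rec in records:
        if rec.get("resourceType") != RESOURCE_TYPE:
            continue  # unrelated resource type
        if rec.get("resourceId") != "*":
            ignored.append(rec)
            continue
        owner = (rec["ownerType"], rec["ownerId"])
        effective.setdefault(owner, set()).update(rec.get("permissionTypes", []))
    return effective, ignored

def allowed_operations(effective, owner):
    """Operations from the table covered by the owner's effective grants."""
    perms = effective.get(owner, set())
    return sorted(op for op, need in REQUIRED.items() if need in perms)

# Constructed sample records (not real cluster data).
SAMPLE = [
    {"ownerType": "USER", "ownerId": "ops-admin", "resourceType": "GLOBAL_LISTENER",
     "resourceId": "*", "permissionTypes": ["READ_TASK_LISTENER", "CREATE_TASK_LISTENER"]},
    {"ownerType": "GROUP", "ownerId": "auditor", "resourceType": "GLOBAL_LISTENER",
     "resourceId": "my-listener", "permissionTypes": ["READ_TASK_LISTENER"]},
    {"ownerType": "USER", "ownerId": "ops-admin", "resourceType": "OTHER_RESOURCE_TYPE",
     "resourceId": "*", "permissionTypes": ["SOME_PERMISSION"]},
]

if __name__ == "__main__":
    eff, ign = audit(SAMPLE)
    print(allowed_operations(eff, ("USER", "ops-admin")), [r["ownerId"] for r in ign])
```

Records returned in `ignored` are worth flagging during access reviews: they look like scoped read access but have no effect.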