Manage access and permissions

Manage and control access to Orchestration cluster APIs and custom applications using permissions and roles.

About permissions

When using and managing permissions, it is important to understand the following key concepts:

• APIs represent the different Camunda 8 components, such as Operate, Tasklist, and so on.
• Each API defines its own set of permissions that to control API access.
• Permissions are organized using roles that can be assigned to users either directly or via Groups.
• You can also assign permissions to your custom application, such as a job worker for example.

note

You can also use resource authorizations to grant more fine-grained access control to Camunda 8 resources to users and groups.

Permissions

Each API (representing a component) defines its own set of permissions to control API access.

The following permissions are available:

Component	API	Permissions available
Identity	Camunda Identity Resource Server	read: Read access to entire UI read:users: Access only the Users UI and related subpages. write: Write access entire UI.
Operate	Operate API	read:*: (Read access to APIs is not controlled by permissions). Read access to the UI. write:*: Write access to the UI and API.
Optimize	Optimize API	write:*: Read and Write access to entire UI and all APIs.
Tasklist	Tasklist API	read:*: (Read access to APIs is not controlled by permissions). Read access to the UI. write:*: Write access to the UI and API.
Web Modeler	Web Modeler Internal API	write:*: Access to the UI, further managed by project permissions. admin:*: Elevated access to the UI (see super-user mode and publishing connector templates).
Web Modeler	Web Modeler API	create:*: Access to POST endpoints of the API. read:*: Access to GET endpoints of the API. update:*: Access to PATCH and PUT endpoints of the API. delete:*: Access to DELETE endpoints of the API.

note

Permissions granted to a user or M2M application are added to the permissions.{audience} claim of the access token.