Manage access and permissions

Manage and control access to Camunda 8 APIs and custom applications using permissions and roles.

About permissions

When using and managing permissions, it is important to understand the following key concepts:

• APIs represent the different Camunda 8 components, such as Operate, Tasklist, and so on.
• Each API defines its own set of permissions that to control API access.
• Permissions are organized using roles that can be assigned to users either directly or via Groups.
• You can also assign permissions to your custom application, such as a job worker for example.

note

You can also use resource authorizations to grant more fine-grained access control to Camunda 8 resources to users and groups.

Permissions

Each API (representing a component) defines its own set of permissions to control API access.

The following permissions are available:

Component	API	Permissions available
Identity	Camunda Identity Resource Server	read: Read access to entire UI read:users: Access only the Users UI and related subpages. write: Write access entire UI.
Operate	Operate API	read:*: (Read access to APIs is not controlled by permissions). Read access to the UI. write:*: Write access to the UI and API.
Optimize	Optimize API	write:*: Read and Write access to entire UI and all APIs.
Tasklist	Tasklist API	read:*: (Read access to APIs is not controlled by permissions). Read access to the UI. write:*: Write access to the UI and API.
Web Modeler	Web Modeler Internal API	write:*: Access to the UI, further managed by project permissions. admin:*: Elevated access to the UI (see super-user mode and publishing connector templates).
Web Modeler	Web Modeler API	create:*: Access to POST endpoints of the API. read:*: Access to GET endpoints of the API. update:*: Access to PATCH and PUT endpoints of the API. delete:*: Access to DELETE endpoints of the API.

note

Permissions granted to a user or M2M application are added to the permissions.{audience} claim of the access token.