docs/components/concepts/access-control/access-control-overview.md
7 additions & 7 deletions
@@ -41,10 +41,10 @@ Understanding which identity is required for a given action helps you apply the
In production setups, both the Orchestration Cluster Admin and the Management Identity can integrate with an external OIDC IdP (such as Entra ID) for unified user management, single sign-on (SSO), and consistent security policies.
-
| Identity type | Description | Default IdP | External IdP support |
| Orchestration Cluster Admin | Built-in user management with support for external IdP integration via OIDC. Connects to enterprise IdPs such as Microsoft Entra ID, Okta, and more. | Built-in user management | OIDC integration with enterprise IdPs |
-
| Management Identity | Uses Keycloak by default, but can be configured with an external IdP via OIDC. | Keycloak | OIDC integration with external IdPs |
+
| Management Identity | Uses Keycloak by default, but can be configured with an external IdP via OIDC. | Keycloak | OIDC integration with external IdPs |
## Authentication vs. authorization
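Review bot: the `| Management Identity | Uses Keycloak by default ... |` row removed at the second `-` comes back at the `+` with identical text, so as rendered this hunk is a whitespace-only change; but the deleted span also shows the `| Identity type | Description | Default IdP | External IdP support |` header and the `| Orchestration Cluster Admin | ... |` row with no matching `+` lines visible, so confirm the table header and first row are still present in the new version, because a Markdown table without its header row does not render as a table. If this is a formatter run (trailing whitespace or column padding), say so in the commit message so reviewers do not hunt for a content change in the identity table.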
@@ -61,10 +61,10 @@ Authorization determines what an authenticated user or client is allowed to acce
For example, a user's authorizations allow them to access Operate, view running or completed process instances, start new process instances, or claim and complete user tasks in Tasklist and through the Orchestration Cluster REST API.
-
| Identity type | Authorization model | Description | Management interface |
| Orchestration Cluster Admin | Fine-grained permissions | Controls access to applications, APIs, and runtime resources through specific permissions for each resource type and action (for example, `PROCESS_DEFINITION` and `USER_TASK`). | Camunda Admin UI or API |
-
| Management Identity | Role-based access control (RBAC) | Uses predefined roles and permissions for users and groups to manage Console, Web Modeler, and Optimize. | Keycloak admin console or external IdP |
+
| Identity type | Authorization model | Description | Management interface |
| Orchestration Cluster Admin | Fine-grained permissions | Controls access to applications, APIs, and runtime resources through specific permissions for each resource type and action (for example, `PROCESS_DEFINITION` and `USER_TASK`). | Camunda Admin UI or API |
+
| Management Identity | Role-based access control (RBAC) | Uses predefined roles and permissions for users and groups to manage Console, Web Modeler, and Optimize. | Keycloak admin console or external IdP |
### How authentication and authorization work together
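Review bot: all three `-` lines of the authorization-model table (header, `Orchestration Cluster Admin`, `Management Identity`) reappear unchanged as `+` lines, so this hunk too only touches whitespace and belongs with the other formatting hunks in the message. One documentation nit while the rows are being rewritten: the `Orchestration Cluster Admin` row names `PROCESS_DEFINITION` and `USER_TASK` as example resource types but gives no pointer to the full list of resource types and actions, and its `Management interface` cell says `Camunda Admin UI or API` without saying which API; a link from each cell to the authorization reference would let an administrator act on the table rather than only read it. The same applies to the `Management Identity` row, which says "predefined roles" without pointing to where those roles are listed.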
docs/self-managed/components/modeler/web-modeler/configuration/configuration.md
5 additions & 5 deletions
@@ -51,7 +51,7 @@ The available configuration options depend on the version of the cluster:
|`CAMUNDA_MODELER_CLUSTERS_0_URL_GRPC`|[Internal or external](#notes-on-host-names-and-port-numbers) address where the [Zeebe gRPC API](/apis-tools/zeebe-api/grpc.md) can be reached. |`grpc://camunda:26500`,<br/>`grpcs://camunda.example.com:26500`|
|`CAMUNDA_MODELER_CLUSTERS_0_URL_REST`|[Internal or external](#notes-on-host-names-and-port-numbers) address where the cluster's REST APIs can be reached. Used as the base URL for requests to the [Orchestration Cluster API](/apis-tools/orchestration-cluster-api-rest/orchestration-cluster-api-rest-overview.md) (`/v2` endpoints) as well as the [Operate](/apis-tools/operate-api/overview.md) and [Tasklist](/apis-tools/tasklist-api-rest/tasklist-api-rest-overview.md) APIs (`/v1` endpoints). |`http://camunda:8080`,<br/>`https://camunda.example.com`|
|`CAMUNDA_MODELER_CLUSTERS_0_URL_WEBAPP`|[External](#notes-on-host-names-and-port-numbers) address where the cluster's web applications can be reached in a browser. |`https://camunda.example.com`|
-
|`CAMUNDA_MODELER_CLUSTERS_0_AUTHORIZATIONS_ENABLED`| Indicates if [authorizations are enabled](/self-managed/components/orchestration-cluster/admin/overview.md#enable-api-authentication-and-authorizations) for the cluster. If `true`, users will see a hint when they deploy from Web Modeler. |`true`|
+
|`CAMUNDA_MODELER_CLUSTERS_0_AUTHORIZATIONS_ENABLED`| Indicates if [authorizations are enabled](/self-managed/components/orchestration-cluster/admin/overview.md#enable-api-authentication-and-authorizations) for the cluster. If `true`, users will see a hint when they deploy from Web Modeler. |`true`|
#### Additional configuration for cluster versions < 8.8
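Review bot: the `CAMUNDA_MODELER_CLUSTERS_0_AUTHORIZATIONS_ENABLED` row is removed and re-added with identical text, so the hunk is whitespace-only. While the row is being touched, its first sentence ("Indicates if authorizations are enabled for the cluster") reads as though the flag turns authorizations on, whereas the second sentence shows it only drives a hint shown to users when they deploy from Web Modeler; suggest rewording so it is explicit that this setting is informational on the Web Modeler side and that enforcement is configured on the cluster itself (the linked Orchestration Cluster admin page), e.g. "Tells Web Modeler whether authorizations are enforced on the cluster so it can show a hint on deploy; it does not enable or disable authorizations." Otherwise an operator may read `true` here as a security control and `false` as a way to disable one.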
@@ -64,11 +64,11 @@ The available configuration options depend on the version of the cluster:
| `BEARER_TOKEN` | Web Modeler sends the authenticated user's token in the `Authorization` header with every request to the cluster. | **Cluster version >= 8.8**<br/>The cluster uses [OIDC authentication](/self-managed/components/orchestration-cluster/admin/connect-external-identity-provider.md) with the same identity provider as Web Modeler.<br/>_Note_: You need to ensure that the cluster [accepts Web Modeler's token audience](/self-managed/components/orchestration-cluster/admin/connect-external-identity-provider.md#step-4-configure-the-oidc-connection-details).<br/><br/>**Cluster version < 8.8**<br/>The cluster uses [Camunda Identity-based authentication](/versioned_docs/version-8.7/self-managed/zeebe-deployment/security/client-authorization.md#camunda-identity-authorization) and the external identity provider supports access tokens with multiple audiences (example provider: Keycloak).<br/>_Note_: For the token to be accepted by the different cluster components, it must contain each component's audience. |
-
| `BASIC` | Web Modeler sends a username and password with every request to the cluster. The credentials have to be provided by the user in the UI. | **Cluster version >= 8.8**<br/>The cluster uses basic authentication.<br/><br/>**Cluster version < 8.8**<br/>not supported |
-
| `NONE` | Web Modeler does not send any authentication information. | **Cluster version >= 8.8**<br/>The cluster API is [configured as unprotected](/self-managed/components/orchestration-cluster/admin/overview.md#enable-api-authentication-and-authorizations) and can be used without authentication.<br/><br/>**Cluster version < 8.8**<br/>The authentication / token validation in the Zeebe Gateway is [disabled](/versioned_docs/version-8.7/self-managed/zeebe-deployment/security/client-authorization.md#camunda-identity-authorization). |
+
| `BASIC` | Web Modeler sends a username and password with every request to the cluster. The credentials have to be provided by the user in the UI. | **Cluster version >= 8.8**<br/>The cluster uses basic authentication.<br/><br/>**Cluster version < 8.8**<br/>not supported |
+
| `NONE` | Web Modeler does not send any authentication information. | **Cluster version >= 8.8**<br/>The cluster API is [configured as unprotected](/self-managed/components/orchestration-cluster/admin/overview.md#enable-api-authentication-and-authorizations) and can be used without authentication.<br/><br/>**Cluster version < 8.8**<br/>The authentication / token validation in the Zeebe Gateway is [disabled](/versioned_docs/version-8.7/self-managed/zeebe-deployment/security/client-authorization.md#camunda-identity-authorization). |
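Review bot: the `BASIC` and `NONE` rows come back byte-for-byte at the `+` lines, so this hunk is whitespace-only as well. Two caveats the rows themselves should carry: the `BASIC` row says Web Modeler "sends a username and password with every request to the cluster" but does not say that this only makes sense when `CAMUNDA_MODELER_CLUSTERS_0_URL_REST` uses `https://`; with the `http://camunda:8080` form shown in the table above, the user's password crosses the network in cleartext on every call. And the `NONE` row documents a cluster API that is "configured as unprotected" (or, before 8.8, a gateway with token validation disabled) without any warning that this mode is only appropriate for local development. A short admonition on each row, next to the version-specific text, would stop both from reading as neutral options alongside `BEARER_TOKEN`.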