docs/apis-tools/orchestration-cluster-api-rest/orchestration-cluster-api-rest-authentication.md
Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ This page explains how to authenticate requests to the Orchestration Cluster RES
19
19
| SaaS | OIDC-based Auth | ❌ | ❌ | ✅ (required) |
20
20
21
21
:::info Authentication vs. authorization
22
-
Authentication establishes who is calling the Orchestration Cluster REST API (for example, using basic authentication or an OIDC access token). Authorization determines what that caller can do, based on authorizations configured in Identity.
22
+
Authentication establishes who is calling the Orchestration Cluster REST API (for example, using basic authentication or an OIDC access token). Authorization determines what that caller can do, based on authorizations configured in Admin.
23
23
24
24
To learn more about authorization resources, permissions, and precedence (including user task permissions), see [Orchestration Cluster authorization](../../components/concepts/access-control/authorizations.md).
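Review bot: the rewritten line reads "authorizations configured in Admin", where "Admin" on its own can be read as a role rather than a component; the other files in this patch distinguish "Orchestration Cluster Admin" from "Management Identity" (access-control-overview.md), so consider "configured in Orchestration Cluster Admin" here, since this API page is read without that surrounding context.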
docs/components/concepts/access-control/access-control-overview.md
Lines changed: 7 additions & 7 deletions
@@ -41,10 +41,10 @@ Understanding which identity is required for a given action helps you apply the
41
41
42
42
In production setups, both the Orchestration Cluster Admin and the Management Identity can integrate with an external OIDC IdP (such as Entra ID) for unified user management, single sign-on (SSO), and consistent security policies.
43
43
44
-
| Identity type | Description | Default IdP | External IdP support |
| Orchestration Cluster Admin | Built-in user management with support for external IdP integration via OIDC. Connects to enterprise IdPs such as Microsoft Entra ID, Okta, and more. | Built-in user management | OIDC integration with enterprise IdPs |
47
-
| Management Identity | Uses Keycloak by default, but can be configured with an external IdP via OIDC. | Keycloak | OIDC integration with external IdPs |
47
+
| Management Identity | Uses Keycloak by default, but can be configured with an external IdP via OIDC. | Keycloak | OIDC integration with external IdPs |
48
48
49
49
## Authentication vs. authorization
50
50
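Review bot: the removed "Management Identity" table row and the re-added one carry identical text, so this hunk appears to be a whitespace-only realignment of the table columns. That is fine to ship alongside the rename, but the commit message should say the table was reformatted; otherwise a reader of the diff will look for a content change in these rows that is not there.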
@@ -61,10 +61,10 @@ Authorization determines what an authenticated user or client is allowed to acce
61
61
62
62
For example, a user's authorizations allow them to access Operate, view running or completed process instances, start new process instances, or claim and complete user tasks in Tasklist and through the Orchestration Cluster REST API.
63
63
64
-
| Identity type | Authorization model | Description | Management interface |
| Orchestration Cluster Admin | Fine-grained permissions | Controls access to applications, APIs, and runtime resources through specific permissions for each resource type and action (for example, `PROCESS_DEFINITION` and `USER_TASK`). | Camunda Admin UI or API |
67
-
| Management Identity | Role-based access control (RBAC) | Uses predefined roles and permissions for users and groups to manage Console, Web Modeler, and Optimize. | Keycloak admin console or external IdP |
64
+
| Identity type | Authorization model | Description | Management interface |
| Orchestration Cluster Admin | Fine-grained permissions | Controls access to applications, APIs, and runtime resources through specific permissions for each resource type and action (for example, `PROCESS_DEFINITION` and `USER_TASK`). | Camunda Admin UI or API |
67
+
| Management Identity | Role-based access control (RBAC) | Uses predefined roles and permissions for users and groups to manage Console, Web Modeler, and Optimize. | Keycloak admin console or external IdP |
68
68
69
69
### How authentication and authorization work together
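Review bot: as with the table above, the removed header and rows and the added header and rows are textually the same, so this is realignment only. While touching it, note that the column header still reads "Identity type" although the first row is now "Orchestration Cluster Admin", which this patch is moving away from calling Identity; if the header is meant to cover both the Admin component and Management Identity, keeping it is defensible, but decide that explicitly rather than by default.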
docs/components/concepts/access-control/authorizations.md
Lines changed: 3 additions & 1 deletion
@@ -229,7 +229,8 @@ Users need specific permissions to access Orchestration Cluster web components:
229
229
- UI access: Resource type `Component` and a resource key identifying the component:
230
230
-`operate` for Operate access
231
231
-`tasklist` for Tasklist access
232
-
-`identity` for Admin access
232
+
-`admin` for Admin access
233
+
-`identity` for Admin access (deprecated - please use `admin` instead)
233
234
-`*` for access to all components
234
235
- Without these permissions, users cannot access the components.
235
236
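Review bot: the new deprecated entry "`identity` for Admin access (deprecated - please use `admin` instead)" should say whether a `Component` authorization with resource key `identity` still grants Admin access and, if so, until which release it is honored; anyone auditing existing authorizations needs to know whether to migrate them now or later. A tighter phrasing also reads better in the list, for example "`identity` for Admin access (deprecated; use `admin`)".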
@@ -251,6 +252,7 @@ After switching from Tasklist V1 to Tasklist V2, user task access restrictions n
251
252
This section describes authorization for domain resources (such as process and decision definitions), not access to UI components or APIs. Users need additional permissions to access specific resources within web components:
252
253
253
254
- Process-related: Resource type `Process Definition`
255
+
254
256
-`READ_PROCESS_DEFINITION` to view process models
255
257
-`CREATE_PROCESS_INSTANCE` to start new processes
256
258
-`UPDATE_PROCESS_INSTANCE` to update running instances
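Review bot: the blank line inserted between "- Process-related: Resource type `Process Definition`" and its "`READ_PROCESS_DEFINITION`" sub-items changes how the list renders: a blank line inside a nested list makes the list loose (each item wrapped in a paragraph with extra spacing), and it only stays nested if the sub-items are indented under the parent bullet. Check the rendered page for this item, and if the blank line is meant to aid readability in the source, apply the same pattern to the other resource-type bullets in this section so the list renders consistently.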
docs/components/concepts/access-control/connect-to-identity-provider.md
Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ Connecting Camunda 8 to an external IdP allows you to:
19
19
20
20
Self-Managed deployments only support external IdP integration using **OpenID Connect (OIDC)** (for example, Keycloak, Auth0, Okta, EntraID via OIDC).
21
21
22
-
You can integrate an IdP with both the Identity (for the Orchestration Cluster) and Management Identity (for Web Modeler, Console, and Optimize).
22
+
You can integrate an IdP with both Admin (for the Orchestration Cluster) and Management Identity (for Web Modeler, Console, and Optimize).
23
23
24
24
-[Connect Orchestration Cluster Admin to an identity provider](/self-managed/components/orchestration-cluster/admin/connect-external-identity-provider.md)
25
25
-[Connect Management Identity to an identity provider](../../../../self-managed/components/management-identity/configuration/connect-to-an-oidc-provider/)
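Review bot: the changed sentence says "both Admin (for the Orchestration Cluster)" while the link two lines below is titled "Connect Orchestration Cluster Admin to an identity provider"; using "Orchestration Cluster Admin" in the sentence as well keeps the two in step and avoids "Admin" reading like a role. Nit in the unchanged context line: "EntraID" here versus "Entra ID" in access-control-overview.md is worth aligning, since this patch is already a naming pass.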
docs/components/concepts/batch-operations.md
Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ To suspend, resume, or cancel an operation, you only need the relevant batch ope
72
72
The system stores authorization claims with the batch operation and uses them throughout its lifecycle.
73
73
74
74
:::info
75
-
Read more about [authorizations](/components/concepts/access-control/authorizations.md) and [how to create them in the Identity UI](/components/admin/authorization.md).
75
+
Read more about [authorizations](/components/concepts/access-control/authorizations.md) and [how to create them in the Admin UI](/components/admin/authorization.md).
docs/components/concepts/multi-tenancy.md
Lines changed: 2 additions & 1 deletion
@@ -24,7 +24,7 @@ Multi-tenancy provides cost efficiency by allowing multiple tenants to share the
24
24
25
25
## Efficient administration
26
26
27
-
Administrators can manage all tenants centrally using [Identity](../admin/tenant.md).
27
+
Administrators can manage all tenants centrally using [Admin](../admin/tenant.md).
28
28
This unified management interface simplifies monitoring, configuration, and maintenance tasks across tenant environments.
29
29
30
30
:::note
@@ -43,6 +43,7 @@ When a user deploys a process model or starts a process instance, the system val
43
43
For example, assume a user belongs to `Tenant A` but not `Tenant B`:
44
44
45
45
1.**Deploying a process model**
46
+
46
47
- If the user deploys to `Tenant A`, the Orchestration Cluster verifies the assignment. If valid, the model is deployed and all related process instances belong to `Tenant A`.
47
48
- If the user deploys to `Tenant B`, the deployment fails because the user lacks access to that tenant.
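Review bot: a blank line is added between "1.**Deploying a process model**" and its "- If the user deploys to `Tenant A`" sub-bullets; confirm the sub-bullets are indented under the numbered item, otherwise the blank line leaves them as a separate top-level bullet list rather than the two outcomes of step 1. Also verify the source has a space after "1." in "1.**Deploying", since the rendered view shows none and without it the line is not parsed as a list item.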
docs/components/console/manage-organization/manage-users.md
Lines changed: 2 additions & 2 deletions
@@ -23,7 +23,7 @@ The following roles are additionally available, providing dedicated rights for s
23
23
-**Modeler**: Access to Web Modeler for creating and collaborating on projects, except permissions to deploy and run processes. Read-only access to Console.
24
24
-**Analyst**: Includes Modeler permissions and has full access to Optimize to build process dashboards and reports.
25
25
26
-
Starting with version 8.8, user access to clusters is managed independently. To control what a user can access, define their authorizations in the cluster's Identity. Learn more [here](/components/admin/authorization.md).
26
+
Starting with version 8.8, user access to clusters is managed independently. To control what a user can access, define their authorizations in the cluster's Admin. Learn more [here](/components/admin/authorization.md).
27
27
28
28
If cluster authorizations are disabled, the user will have full access to the cluster and its components.
29
29
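Review bot: "define their authorizations in the cluster's Admin. Learn more [here]" keeps the bare "here" link text; since the line is being rewritten anyway, fold the target into the sentence, for example "define their [authorizations](/components/admin/authorization.md) in Orchestration Cluster Admin", which reads better than the possessive "the cluster's Admin" and gives screen readers a meaningful link.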
@@ -37,7 +37,7 @@ People who do not yet have a Camunda 8 account can also be invited to an organiz
37
37
38
38
Resource authorizations control a user's access to specific resources. To create, update, or delete a user's resource authorizations, select the user's row in the users table.
39
39
40
-
As of 8.8, authorizations for Orchestration Cluster applications (Zeebe, Operate, and Tasklist) are managed as part of the Orchestration Cluster and configured in [Identity](/self-managed/components/orchestration-cluster/admin/overview.md).
40
+
As of 8.8, authorizations for Orchestration Cluster applications (Zeebe, Operate, and Tasklist) are managed as part of the Orchestration Cluster and configured in [Admin](/self-managed/components/orchestration-cluster/admin/overview.md).
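Review bot: this file lives under docs/components/console, the Console documentation for SaaS, yet the rewritten sentence links "Admin" to /self-managed/components/orchestration-cluster/admin/overview.md, so a SaaS reader following it lands in the Self-Managed guide. If an equivalent page exists under /components/admin/ (the other files in this patch link to /components/admin/authorization.md), point there instead, or state in the sentence that the linked page is Self-Managed specific.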
docs/components/operate/overview/access-control.md
Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ description: "Grant users access to work with Operate."
7
7
If authorization control is enabled for your Orchestration Cluster, users require the following authorizations to work with Operate.
8
8
9
9
:::note
10
-
You can assign these [in the Identity UI](components/admin/authorization.md#create-an-authorization). See [the introduction to authorizations](components/concepts/access-control/authorizations.md#available-resources) for a list of all available authorizations.
10
+
You can assign these [in the Admin UI](components/admin/authorization.md#create-an-authorization). See [the introduction to authorizations](components/concepts/access-control/authorizations.md#available-resources) for a list of all available authorizations.
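Review bot: the link in the changed line, "components/admin/authorization.md#create-an-authorization", has no leading slash, whereas the equivalent link in batch-operations.md in this same patch is "/components/admin/authorization.md". Resolved relative to docs/components/operate/overview/, that path does not exist, so either the site resolver handles it or the link is broken; confirm it resolves in the built site (the Tasklist access-control page below uses the same form).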
docs/components/tasklist/userguide/access-control.md
Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ description: "Grant users access to work with Tasklist."
7
7
If authorization control is enabled for your Orchestration Cluster, users require the following authorizations to work with Tasklist.
8
8
9
9
:::note
10
-
You can assign these [in the Identity UI](components/admin/authorization.md#create-an-authorization). See [the introduction to authorizations](components/concepts/access-control/authorizations.md#available-resources) for a list of all available authorizations.
10
+
You can assign these [in the Admin UI](components/admin/authorization.md#create-an-authorization). See [the introduction to authorizations](components/concepts/access-control/authorizations.md#available-resources) for a list of all available authorizations.