MLC Authorization mechanisms
MLC-service provides an additional mechanism for authorization.
The following actions can be protected through MLC configuration:
Deploying BPMNs.
Sending Signals.
Sample configurations:
mlc:
  camunda:
    access:
      enabled: true
      rest:
        deploy:
          groups: group1
        signal:
          groups: group2
        signal-responsive:
          groups: group3,group1
With the above configuration, only the following requests are allowed:
Deploy: only authenticated requests arriving from admins or requests belonging to group group1.
Signal: only authenticated requests arriving from admins or requests belonging to group group2.
Signal-responsive: only authenticated requests arriving from admins or requests belonging to groups group3 and group1.
Camunda WebApp
Starting with ModelOp Center 3.3
When secured mode is enabled and OAuth 2 with OIDC is used for authentication and authorization, the basic Camunda WebApp login is replaced with a new security filter. This filter allows only users in the ADMIN group to access the Camunda WebApp.
Additionally, the Camunda WebApp is accessible only through the Gateway. Direct access through the mlc-service is indirectly disabled, because a valid token issued to an admin group user is now required.