15.12.2022
11:40
Hi,
Adding new rest api user context in adminpanle , we can choose permissions to applications.
When can chooses ReadWrite, but still it's giving possibility to overwrite element after creations. I think that good idea will be give new to of access like CreateOnly.
To start only new element in Webcon, but not possible to overwrite by api.
09.01.2023
18:09
Hi,
To start a new workflow instance or edit one via API, granting application permission (scope) in the admin panel is not enough. The user/application account must also have appropriate permissions at the Process or workflow instance level.
Could you provide your scenario? Below is a broader explanation of how these scopes and permissions work.
There are three types of Application permissions (scopes) that you can grant to API applications. They can be distinguished by the prefix:
First is Admin.*.
All application permissions (scopes) of this type are sufficient to perform the operation on a given endpoint. No additional permissions granted in Designer Studio are required.
All operations are performed in the context of the API application account.
The Second is App.*
These application permissions (scopes) are combined with the privileges granted in Designer Studio at the Application, Process, or Workflow-Form level. Privileges must be granted for the API application account. In addition, application permissions of the App.Element.* type can be combined with privileges directly to a workflow instance (for example, they are assigned each time a user receives a task).
Effective permission is the intersection of these two permission levels (scopes and privileges).
All operations are performed in the context of the API application account.
An example of how these effective permissions work:
Let's say that we granted the application permission (scope) App.Elements.ReadWrite.All for the API application named MyApiClient.
This MyApiClient application will be able to edit elements via the API, but only those to which it has at least Edit privileges directly on the instance, or at the Workflow-Form or Process level.
Similarly, the MyApiClient application will only be able to start new instances in those workflows where its account has been granted StartNew privileges in Designer Studio (on the workflow or process level).
The Third is User.*
These application permissions work almost the same as App.*.
Effective permission is the intersection of two permission levels (scopes and privileges).
The only difference is that privileges at the level of application, process, workflow, or instance are verified for the user account in the context the application is running, and not for the application account. API applications of type User context do not have their own accounts in the system.
