Introduction
Camunda 8 (C8) is provided as a SaaS or as Self-Managed.
This article covers only the setup of C8 SaaS, namely:
- the onboarding process;
- how to add Users to the Organisation;
- User Roles and Permissions;
- how to connect the company's IdP with Camunda.
This article does not cover Pricing; it assumes you are planning to be on a C8 SaaS Starter or Enterprise Plan.
For more information about Pricing options on Camunda, please contact us and inquire about quotes.
Onboarding
When a company enrolls with Camunda, it must designate one user, who becomes the Owner of the company's Organisation in C8 SaaS.
This Owner will be responsible for managing the Organisation:
- can manage Clusters;
- can manage Users;
- can manage Usage of Camunda across the Organisation as a whole.
The next sections describe how Users are managed within an Organisation.
Adding Users to the Organisation
There's a separation between a User in a company's User Repository (such as LDAP) and a User in a C8 SaaS Organisation.
Belonging to the company does not automatically entitle a user to use C8 SaaS.
The Owner (or an Admin) manages Users in the C8 Organisation by inviting them through their email address and assigning them a specific Role (or Roles) in that Organisation.
After accepting the invitation, each User will be able to work with Process Instances or access given C8 Components, depending on the Roles they have been assigned.
Owner is the first and foremost Role in the Organisation. The Owner can start creating other Users to help with the job, in particular by assigning them the Admin Role.
Admins can perform most of the functions of an Owner themselves.
Roles and Permissions Table:
Role | Console | Web Modeler | Tasklist | Operate | Optimize |
Operations Engineer | Full Access, can't delete | Full Access, can't deploy | - | Full Access | - |
Analyst | - | Full Access, can't deploy | - | - | Full Access |
Task User | - | Full Access, can't deploy | Full Access | - | - |
Developer | Full Access, can't delete | Full Access | Full Access | Full Access | - |
Visitor | Read-only Access | Full Access, can't deploy | Read-only Access | Read-only Access | - |
Users can be assigned multiple Roles. In this case, the resulting access to Camunda components depends on the access of each assigned Role.
User authorization with Camunda
Users have different ways of getting their access authorized in C8 SaaS:
- login with a Camunda Account;
- SSO with Google Account;
- SSO with GitHub Account;
- SSO with the company's IdP.
Since SSO with Google, GitHub or other websites is currently common practice, and having a local account with Camunda is a no-brainer, we will describe only the company's IdP approach.
Camunda currently supports both SAML and Azure Active Directory for connecting a company's IdP with its C8 SaaS.
This approach does not, however, remove the need to invite Users into the company's C8 SaaS Organisation.
In order to complete this task, one needs to open a ticket with Camunda, through this link.
This option is available for both Enterprise and Starter plans.
Things to keep in mind
Within an Organisation, a User has the same Role across the whole Organisation, including all of the Organisation's Clusters.
This situation may not be desirable under certain circumstances.
For instance, a Developer has full access to Operate and is able to do deployments.*
At the time of writing, the predefined Roles in C8 SaaS and the lack of granular control over Clusters do not allow enough segregation of who can perform what when access needs to depend on a Cluster's specific usage, for instance who is allowed to deploy to Production.
For these situations, we recommend using different Organisations, to make sure that the different environments have the level of isolation needed. This implies new invitations and, if the company wants to use its own IdP to authorize its Users, possibly new IdP setups.
* Starting with Camunda 8.5, Developers will only be able to deploy to lower-environment Clusters. To be able to deploy to Production Clusters, the user must have the Owner or Admin Role.
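The sketch below is an added example, not Camunda code and not part of the original article: it encodes the Roles and Permissions table above, merges the Roles of each User, and lists the Users who can both deploy and fully control Operate, which is the combination discussed in this section. It assumes that multiple Roles combine so that the most permissive one wins per component (the article does not state the rule), it reflects the table as printed rather than the Camunda 8.5 change in the footnote, and the member list is constructed.

```python
NONE, READ, FULL = 0, 1, 2
COMPONENTS = ("Console", "Web Modeler", "Tasklist", "Operate", "Optimize")
ROLE_TABLE = {  # transcribed from this page's table; Owner and Admin are not in it
    "Operations Engineer": ["Full Access, can't delete", "Full Access, can't deploy", "-", "Full Access", "-"],
    "Analyst": ["-", "Full Access, can't deploy", "-", "-", "Full Access"],
    "Task User": ["-", "Full Access, can't deploy", "Full Access", "-", "-"],
    "Developer": ["Full Access, can't delete", "Full Access", "Full Access", "Full Access", "-"],
    "Visitor": ["Read-only Access", "Full Access, can't deploy", "Read-only Access", "Read-only Access", "-"],
}

def parse_cell(text):
    """Turn a table cell into (level, restrictions); unknown wording raises KeyError."""
    head, _, limit = text.partition(", ")
    level = {"-": NONE, "Read-only Access": READ, "Full Access": FULL}[head]
    return level, frozenset([limit] if limit else [])

MATRIX = {role: dict(zip(COMPONENTS, map(parse_cell, cells))) for role, cells in ROLE_TABLE.items()}

def effective_access(roles):
    """ASSUMPTION: roles combine as a union, so the most permissive role wins per component."""
    merged = {}
    for comp in COMPONENTS:
        level, limits = NONE, frozenset()
        for role in roles:
            r_level, r_limits = MATRIX[role][comp]
            if r_level > level:
                level, limits = r_level, r_limits
            elif r_level == level:
                limits &= r_limits  # a restriction survives only if every top-level role carries it
        merged[comp] = (level, limits)
    return merged

def deploy_and_operate(members):
    """Users who can deploy from Web Modeler and have full Operate access, Organisation-wide."""
    flagged = []
    for user, roles in members.items():
        acc = effective_access(roles)
        (wm_level, wm_limits), (op_level, _) = acc["Web Modeler"], acc["Operate"]
        if wm_level == FULL and "can't deploy" not in wm_limits and op_level == FULL:
            flagged.append(user)
    return sorted(flagged)

# Constructed sample membership list (hypothetical users, not a real export format).
MEMBERS = {
    "dev@example.com": ["Developer"],
    "ops@example.com": ["Operations Engineer", "Visitor"],
    "mix@example.com": ["Visitor", "Developer"],
}
if __name__ == "__main__":
    print(deploy_and_operate(MEMBERS))
```

Because a Role applies to every Cluster in the Organisation, each User this returns holds that access in Production as well as in lower environments.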