The current implementation of the activiti-admin application is not multi-schema multi-tenancy (MSMT) aware, and one cannot isolate the data for separate tenant administrators: every person able to log in to activiti-admin could in theory retrieve data for all tenants.
Steps to reproduce
1) Set up a vanilla Activiti 1.5.2 instance in MSMT mode:
a) Set the activiti-app property tenancy.model=isolated
b) Apply a multi-tenancy license
2) Create an empty tenant database schema "tenant-alfresco" accessible by user "alfresco" with password "alfresco"
3) Post the related database schema information to Activiti, as in the following example, where the tenant database was created in PostgreSQL:
with basic authentication and firstname.lastname@example.org credentials and JSON body
The result will be:
a) A tenant named alfresco is created.
b) Any future data of this tenant is stored in the database schema tenant-alfresco.
c) A default tenant administrator user with the user name email@example.com is created, with the default password admin.
4) Log in as firstname.lastname@example.org to activiti-app and create some tenant data:
a) Via Kickstart, model a simple BPMN process, e.g. start event -> user task (assigned to initiator) -> end event
b) Make this process available via a published app
c) Start a process via the landing page and complete the user task
5) Log in with user admin/admin to activiti-admin and make sure the endpoint is configured with email@example.com
6) Review the "Tasks" tab
As firstname.lastname@example.org is by default set up as tenant manager, one should see the completed task data for the tenant Alfresco.
The "Tasks" tab does not display any data belonging to tenants on a non-default schema.
- Reproduced in the latest Activiti 1.5.2 release
- From within activiti-admin, one can indeed create a cluster named "Alfresco Tenant" and, for this cluster, configure the endpoint to use the related tenant admin credentials, i.e. user email@example.com with the default password admin. The Tasks tab and other tabs for this cluster then show the tenant-relevant data. The downsides are that
1) everyone who logs in to activiti-admin will see all the clusters and all tenants' data
2) when entering the endpoint credentials we assume the default admin password, but the tenant admin might have changed it, and the person administering via activiti-admin does not know that password
- The best approach might be to link activiti-admin to the users table of the activiti-app db schema and create an account for every tenant admin. When they log in, they will see only the data relevant for their tenant.
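To make the two downsides of the cluster-per-tenant workaround and the proposed fix concrete, here is an added sketch (not Activiti code) of how activiti-admin could scope the visible clusters to the tenant an account administers, and how to flag endpoints still relying on the assumed default tenant-admin password. The cluster list, the admin-to-tenant mapping and the `"*"` global-admin marker are constructed for illustration.

```python
from dataclasses import dataclass

# Default password activiti-app assigns to a new tenant admin (see step 3c).
DEFAULT_TENANT_ADMIN_PASSWORD = "admin"


@dataclass(frozen=True)
class Cluster:
    """One activiti-admin cluster, i.e. an endpoint reaching one tenant's schema."""
    name: str
    tenant: str
    endpoint_user: str
    endpoint_password: str


# Constructed sample state: the default-schema cluster plus the "Alfresco Tenant"
# cluster from the workaround above, both still on the default password.
CLUSTERS = [
    Cluster("Default", "default", "admin", "admin"),
    Cluster("Alfresco Tenant", "alfresco", "email@example.com", "admin"),
]

# Hypothetical link to the activiti-app users table: which tenant each
# activiti-admin account administers; "*" marks a global administrator.
TENANT_ADMINS = {
    "admin": "*",
    "email@example.com": "alfresco",
}


def visible_clusters(login, clusters=CLUSTERS, tenant_admins=TENANT_ADMINS):
    """Clusters `login` may see. Today activiti-admin shows every cluster to
    every user; scoping them by tenant is the isolation the report asks for."""
    scope = tenant_admins.get(login)
    if scope is None:
        return []  # account not linked to any tenant: show nothing
    if scope == "*":
        return list(clusters)
    return [c for c in clusters if c.tenant == scope]


def endpoints_on_default_password(clusters=CLUSTERS):
    """Endpoints configured with the assumed default tenant-admin password.
    These break silently once the tenant admin rotates that password."""
    return [c.name for c in clusters
            if c.endpoint_password == DEFAULT_TENANT_ADMIN_PASSWORD]


if __name__ == "__main__":
    print([c.name for c in visible_clusters("email@example.com")])
    print(endpoints_on_default_password())
```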