The REST API uses authorization rules to determine a user’s access control for a process instance or task.
If you are using OAuth 2 to authenticate users for SSO, see OAuth 2 SSO for more information.
If you choose to use Impersonation, you can impersonate a user with an Admin account to authenticate and set a different user for authorization. To enable this, add the activiti-user and activiti-user-value-type request headers to the REST API. Where, activiti-user should be set to the required user account identifier and activiti-user-value-type to the user account identifier type. The header activiti-user-value-type can be one of the following values:
userIdType: User’s database ID
userEmailType: User’s Email address
userExternalIdType: User’s ID in an external authentication service such as LDAP or Active Directory
For example, in the external-form-example Web application, an Admin account is used for authentication and a different user account to implement authorization.