Required Claim Mapper Permissions for Worker Service

We’ve build a custom claim mapper (all custom) and a customized authorizer (uses much of the default authorizer), and it’s a bit unclear what permissions are actually required by the worker service.

I initially thought restricting the worker service to the temporal-system namespace would be sufficient, but now I’m seeing errors where the worker service is failing auth checks on the default namespace against the temporal-sys-per-ns-tq task queue.

Is there some documentation regarding minimal permissions for the worker service or even other services for that matter?

Worker service would require System: RoleAdmin claim.
Note that since release 1.20 you can set up internal-frontend service where worker service can bypass your custom claims mapper and treat it as an internode service, see release notes Release v1.20.0 · temporalio/temporal · GitHub

Thank you, @tihomir!

Is the same true for application workers?

1 Like