Required Claim Mapper Permissions for Worker Service

We’ve built a custom claim mapper (all custom) and a customized authorizer (uses much of the default authorizer), and it’s a bit unclear what permissions are actually required by the worker service.

I initially thought restricting the worker service to the temporal-system namespace would be sufficient, but now I’m seeing errors where the worker service is failing auth checks on the default namespace against the temporal-sys-per-ns-tq task queue.

Is there some documentation regarding minimal permissions for the worker service or even other services for that matter?

Worker service would require System: RoleAdmin claim.
Note that since release 1.20 you can set up an internal-frontend service, where the worker service can bypass your custom claims mapper and be treated as an internode service; see the release notes (Release v1.20.0 · temporalio/temporal · GitHub).
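To make the answer concrete, here is an added Go example (not Temporal's own code) that mirrors the default claim mapper's `namespace:role` permission format and a simplified authorizer check. It shows why a token scoped only to temporal-system fails on the default namespace, while a `system:admin` claim (System RoleAdmin) passes everywhere. The Role constants, the Claims struct and the Allowed check are simplified illustrations, not the server's real types.

```go
package main

import (
	"fmt"
	"strings"
)

// Role flags for worker/read/write/admin (illustrative values, not Temporal's constants).
type Role int

const (
	RoleWorker Role = 1 << iota
	RoleReader
	RoleWriter
	RoleAdmin
)

// Claims mirrors the shape of a claim mapper's output: a cluster-wide System role
// plus a role per namespace.
type Claims struct {
	System     Role
	Namespaces map[string]Role
}

var roleNames = map[string]Role{"worker": RoleWorker, "read": RoleReader, "write": RoleWriter, "admin": RoleAdmin}

// MapPermissions parses "permissions" claim entries of the form "<namespace>:<role>";
// the reserved namespace "system" sets the System role instead.
func MapPermissions(perms []string) (Claims, error) {
	c := Claims{Namespaces: map[string]Role{}}
	for _, p := range perms {
		ns, role, ok := strings.Cut(p, ":")
		if !ok {
			return c, fmt.Errorf("malformed permission %q", p)
		}
		r, known := roleNames[strings.ToLower(role)]
		if !known {
			return c, fmt.Errorf("unknown role in %q", p)
		}
		if strings.EqualFold(ns, "system") {
			c.System |= r
		} else {
			c.Namespaces[ns] |= r
		}
	}
	return c, nil
}

// Allowed is a simplified authorizer check: System admin passes for any namespace
// (which is why the worker service needs it); otherwise the namespace must carry
// the required role, with namespace admin satisfying any requirement.
func Allowed(c Claims, namespace string, need Role) bool {
	if c.System&RoleAdmin != 0 {
		return true
	}
	r := c.Namespaces[namespace]
	return r&RoleAdmin != 0 || r&need != 0
}

func main() {
	// Constructed tokens: one scoped only to temporal-system, one carrying system admin.
	scoped, _ := MapPermissions([]string{"temporal-system:admin"})
	sysAdmin, _ := MapPermissions([]string{"system:admin"})
	fmt.Println(Allowed(scoped, "default", RoleWorker))   // false: polls on default's per-namespace queue fail
	fmt.Println(Allowed(sysAdmin, "default", RoleWorker)) // true
}
```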

Thank you, @tihomir!

Is the same true for application workers?


@Aaron_Huntress What environment variables need to be set on the worker service for authentication with the frontend service? I am also facing the same issue since I have added the auth:

authorization:
    jwtKeyProvider:
      keySourceURIs:
        - https://mydomain/auth/realms/default/protocol/openid-connect/certs
      refreshInterval: "1m"
    permissionsClaimName: "permissions"
    authorizer: default
    claimMapper: default