orchestrator-core 3.1.2rc3__py3-none-any.whl → 3.2.0__py3-none-any.whl

orchestrator/domain/subscription_instance_transform.py

@@ -0,0 +1,114 @@
+# Copyright 2019-2025 SURF.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Functions to transform result of query SubscriptionInstanceAsJsonFunction to match the ProductBlockModel."""
+
+from functools import partial
+from typing import TYPE_CHECKING, Any, Callable, Iterable
+
+from more_itertools import first, only
+
+from orchestrator.types import is_list_type, is_optional_type
+
+if TYPE_CHECKING:
+    from orchestrator.domain.base import ProductBlockModel
+
+
+def _ensure_list(instance_or_value_list: Any) -> Any:
+    if instance_or_value_list is None:
+        return []
+
+    return instance_or_value_list
+
+
+def _instance_list_to_dict(product_block_field_type: type, instance_list: Any) -> Any:
+    if instance_list is None:
+        return None
+
+    match instance_list:
+        case list():
+            if instance := only(instance_list):
+                return instance
+
+            if not is_optional_type(product_block_field_type):
+                raise ValueError("Required subscription instance is missing in database")
+
+            return None  # Set the optional product block field to None
+        case _:
+            raise ValueError(f"All subscription instances should be returned as list, found {type(instance_list)}")  #
+
+
+def _value_list_to_value(field_type: type, value_list: Any) -> Any:
+    if value_list is None:
+        return None
+
+    match value_list:
+        case list():
+            if (value := only(value_list)) is not None:
+                return value
+
+            if not is_optional_type(field_type):
+                raise ValueError("Required subscription value is missing in database")
+
+            return None  # Set the optional resource type field to None
+        case _:
+            raise ValueError(f"All instance values should be returned as list, found {type(value_list)}")
+
+
+def field_transformation_rules(klass: type["ProductBlockModel"]) -> dict[str, Callable]:
+    """Create mapping of transformation rules for the given product block type."""
+
+    def create_rules() -> Iterable[tuple[str, Callable]]:
+        for field_name, product_block_field_type in klass._product_block_fields_.items():
+            if is_list_type(product_block_field_type):
+                yield field_name, _ensure_list
+            else:
+                yield field_name, partial(_instance_list_to_dict, product_block_field_type)
+
+        for field_name, field_type in klass._non_product_block_fields_.items():
+            if is_list_type(field_type):
+                yield field_name, _ensure_list
+            else:
+                yield field_name, partial(_value_list_to_value, field_type)
+
+    return dict(create_rules())
+
+
+def transform_instance_fields(all_rules: dict[str, dict[str, Callable]], instance: dict) -> None:
+    """Apply transformation rules to the given subscription instance dict."""
+
+    from orchestrator.domain.base import ProductBlockModel
+
+    # Lookup applicable rules through product block name
+    field_rules = all_rules[instance["name"]]
+
+    klass = ProductBlockModel.registry[instance["name"]]
+
+    # Ensure the product block's metadata is loaded
+    klass._fix_pb_data()
+
+    # Transform all fields in this subscription instance
+    try:
+        for field_name, rewrite_func in field_rules.items():
+            field_value = instance.get(field_name)
+            instance[field_name] = rewrite_func(field_value)
+    except ValueError as e:
+        raise ValueError(f"Invalid subscription instance data {instance}") from e
+
+    # Recurse into nested subscription instances
+    for field_value in instance.values():
+        if isinstance(field_value, dict):
+            transform_instance_fields(all_rules, field_value)
+        if isinstance(field_value, list) and isinstance(first(field_value, None), dict):
+            for list_value in field_value:
+                transform_instance_fields(all_rules, list_value)

orchestrator/graphql/resolvers/process.py

@@ -34,7 +34,7 @@ from orchestrator.graphql.utils import (
     is_querying_page_data,
     to_graphql_result_page,
 )
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.schemas.process import ProcessSchema
 from orchestrator.services.processes import load_process
 from orchestrator.utils.enrich_process import enrich_process
@@ -56,7 +56,7 @@ def _enrich_process(process: ProcessTable, with_details: bool = False) -> Proces
 
 
 async def resolve_process(info: OrchestratorInfo, process_id: UUID) -> ProcessType | None:
-    query_loaders = get_query_loaders(info, ProcessTable)
+    query_loaders = get_query_loaders_for_gql_fields(ProcessTable, info)
     stmt = select(ProcessTable).options(*query_loaders).where(ProcessTable.process_id == process_id)
     if process := db.session.scalar(stmt):
         is_detailed = _is_process_detailed(info)
@@ -83,7 +83,7 @@ async def resolve_processes(
         .selectinload(ProcessSubscriptionTable.subscription)
         .joinedload(SubscriptionTable.product)
     ]
-    query_loaders = get_query_loaders(info, ProcessTable) or default_loaders
+    query_loaders = get_query_loaders_for_gql_fields(ProcessTable, info) or default_loaders
     select_stmt = select(ProcessTable).options(*query_loaders)
     select_stmt = filter_processes(select_stmt, pydantic_filter_by, _error_handler)
     if query is not None:

orchestrator/graphql/resolvers/product.py

@@ -13,7 +13,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.product import ProductType
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -33,7 +33,7 @@ async def resolve_products(
     pydantic_sort_by: list[Sort] = [item.to_pydantic() for item in sort_by] if sort_by else []
     logger.debug("resolve_products() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by)
 
-    query_loaders = get_query_loaders(info, ProductTable)
+    query_loaders = get_query_loaders_for_gql_fields(ProductTable, info)
     select_stmt = select(ProductTable).options(*query_loaders)
     select_stmt = filter_products(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/resolvers/product_block.py

@@ -17,7 +17,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.product_block import ProductBlock
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -39,7 +39,7 @@ async def resolve_product_blocks(
         "resolve_product_blocks() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by
     )
 
-    query_loaders = get_query_loaders(info, ProductBlockTable)
+    query_loaders = get_query_loaders_for_gql_fields(ProductBlockTable, info)
     select_stmt = select(ProductBlockTable)
     select_stmt = filter_product_blocks(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/resolvers/resource_type.py

@@ -17,7 +17,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.resource_type import ResourceType
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -38,7 +38,7 @@ async def resolve_resource_types(
     logger.debug(
         "resolve_resource_types() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by
     )
-    query_loaders = get_query_loaders(info, ResourceTypeTable)
+    query_loaders = get_query_loaders_for_gql_fields(ResourceTypeTable, info)
     select_stmt = select(ResourceTypeTable).options(*query_loaders)
     select_stmt = filter_resource_types(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/resolvers/workflow.py

@@ -13,7 +13,7 @@ from orchestrator.graphql.resolvers.helpers import rows_from_statement
 from orchestrator.graphql.schemas.workflow import Workflow
 from orchestrator.graphql.types import GraphqlFilter, GraphqlSort, OrchestratorInfo
 from orchestrator.graphql.utils import create_resolver_error_handler, is_querying_page_data, to_graphql_result_page
-from orchestrator.graphql.utils.get_query_loaders import get_query_loaders
+from orchestrator.graphql.utils.get_query_loaders import get_query_loaders_for_gql_fields
 from orchestrator.utils.search_query import create_sqlalchemy_select
 
 logger = structlog.get_logger(__name__)
@@ -33,7 +33,7 @@ async def resolve_workflows(
     pydantic_sort_by: list[Sort] = [item.to_pydantic() for item in sort_by] if sort_by else []
     logger.debug("resolve_workflows() called", range=[after, after + first], sort=sort_by, filter=pydantic_filter_by)
 
-    query_loaders = get_query_loaders(info, WorkflowTable)
+    query_loaders = get_query_loaders_for_gql_fields(WorkflowTable, info)
     select_stmt = WorkflowTable.select().options(*query_loaders)
     select_stmt = filter_workflows(select_stmt, pydantic_filter_by, _error_handler)
 

orchestrator/graphql/schema.py

@@ -1,4 +1,4 @@
-# Copyright 2022-2023 SURF.
+# Copyright 2022-2023 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/graphql/types.py

@@ -1,4 +1,4 @@
-# Copyright 2022-2023 SURF.
+# Copyright 2022-2023 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/graphql/utils/get_query_loaders.py

@@ -1,61 +1,19 @@
-from typing import Iterable
-
-import structlog
 from sqlalchemy.orm import Load
 
 from orchestrator.db.database import BaseModel as DbBaseModel
-from orchestrator.db.loaders import AttrLoader, join_attr_loaders, lookup_attr_loaders
+from orchestrator.db.loaders import (
+    get_query_loaders_for_model_paths,
+)
 from orchestrator.graphql.types import OrchestratorInfo
 from orchestrator.graphql.utils.get_selected_paths import get_selected_paths
 
-logger = structlog.get_logger(__name__)
-
-
-def _split_path(query_path: str) -> Iterable[str]:
-    yield from (field for field in query_path.split(".") if field != "page")
 
-
-def get_query_loaders(info: OrchestratorInfo, root_model: type[DbBaseModel]) -> list[Load]:
+def get_query_loaders_for_gql_fields(root_model: type[DbBaseModel], info: OrchestratorInfo) -> list[Load]:
     """Get sqlalchemy query loaders for the given GraphQL query.
 
     Based on the GraphQL query's selected fields, returns the required DB loaders to use
     in SQLALchemy's `.options()` for efficiently quering (nested) relationships.
     """
-    # Strip page and sort by length to find the longest match first
-    query_paths = [path.removeprefix("page.") for path in get_selected_paths(info)]
-    query_paths.sort(key=lambda x: x.count("."), reverse=True)
-
-    def get_loader_for_path(query_path: str) -> tuple[str, Load | None]:
-        next_model = root_model
-
-        matched_fields: list[str] = []
-        path_loaders: list[AttrLoader] = []
-
-        for field in _split_path(query_path):
-            if not (attr_loaders := lookup_attr_loaders(next_model, field)):
-                break
-
-            matched_fields.append(field)
-            path_loaders.extend(attr_loaders)
-            next_model = attr_loaders[-1].next_model
-
-        return ".".join(matched_fields), join_attr_loaders(path_loaders)
-
-    query_loaders: dict[str, Load] = {}
-
-    for path in query_paths:
-        matched_path, loader = get_loader_for_path(path)
-        if not matched_path or not loader or matched_path in query_loaders:
-            continue
-        if any(known_path.startswith(f"{matched_path}.") for known_path in query_loaders):
-            continue
-        query_loaders[matched_path] = loader
+    model_paths = [path.removeprefix("page.") for path in get_selected_paths(info)]
 
-    loaders = list(query_loaders.values())
-    logger.debug(
-        "Generated query loaders",
-        root_model=root_model,
-        query_paths=query_paths,
-        query_loaders=[str(i.path) for i in loaders],
-    )
-    return loaders
+    return get_query_loaders_for_model_paths(root_model, model_paths)

orchestrator/graphql/utils/get_subscription_product_blocks.py

@@ -1,3 +1,16 @@
+# Copyright 2022-2023 SURF, GÉANT.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 from collections.abc import Generator
 from itertools import count
 from typing import TYPE_CHECKING, Annotated, Any
@@ -57,7 +70,14 @@ def get_all_product_blocks(subscription: dict[str, Any], _tags: list[str] | None
     return list(locate_product_block(subscription))
 
 
-pb_instance_property_keys = ("id", "parent", "owner_subscription_id", "subscription_instance_id", "in_use_by_relations")
+pb_instance_property_keys = (
+    "id",
+    "parent",
+    "owner_subscription_id",
+    "subscription_instance_id",
+    "in_use_by_relations",
+    "in_use_by_ids",
+)
 
 
 async def get_subscription_product_blocks(

orchestrator/migrations/env.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2020 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/migrations/helpers.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2020 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -880,10 +880,10 @@ def delete_product(conn: sa.engine.Connection, name: str) -> None:
                 RETURNING  product_id
             ),
             deleted_p_pb AS (
-                DELETE FROM product_product_blocks WHERE product_id = ANY(SELECT product_id FROM deleted_p)
+                DELETE FROM product_product_blocks WHERE product_id IN (SELECT product_id FROM deleted_p)
             ),
             deleted_pb_rt AS (
-                DELETE FROM products_workflows WHERE product_id = ANY(SELECT product_id FROM deleted_p)
+                DELETE FROM products_workflows WHERE product_id IN (SELECT product_id FROM deleted_p)
             )
             SELECT * from deleted_p;
             """
@@ -911,10 +911,10 @@ def delete_product_block(conn: sa.engine.Connection, name: str) -> None:
                 RETURNING  product_block_id
             ),
             deleted_p_pb AS (
-                DELETE FROM product_product_blocks WHERE product_block_id =ANY(SELECT product_block_id FROM deleted_pb)
+                DELETE FROM product_product_blocks WHERE product_block_id IN (SELECT product_block_id FROM deleted_pb)
             ),
             deleted_pb_rt AS (
-                DELETE FROM product_block_resource_types WHERE product_block_id =ANY(SELECT product_block_id FROM deleted_pb)
+                DELETE FROM product_block_resource_types WHERE product_block_id IN (SELECT product_block_id FROM deleted_pb)
             )
             SELECT * from deleted_pb;
             """
@@ -968,7 +968,7 @@ def delete_resource_type(conn: sa.engine.Connection, resource_type: str) -> None
                 RETURNING  resource_type_id
             ),
             deleted_pb_rt AS (
-                DELETE FROM product_block_resource_types WHERE resource_type_id =ANY(SELECT resource_type_id FROM deleted_pb)
+                DELETE FROM product_block_resource_types WHERE resource_type_id IN (SELECT resource_type_id FROM deleted_pb)
             )
             SELECT * from deleted_pb;
             """

orchestrator/migrations/versions/schema/2025-03-06_42b3d076a85b_subscription_instance_as_json_function.py

@@ -0,0 +1,33 @@
+"""Add postgres function subscription_instance_as_json.
+
+Revision ID: 42b3d076a85b
+Revises: bac6be6f2b4f
+Create Date: 2025-03-06 15:03:09.477225
+
+"""
+
+from pathlib import Path
+
+from alembic import op
+from sqlalchemy import text
+
+# revision identifiers, used by Alembic.
+revision = "42b3d076a85b"
+down_revision = "bac6be6f2b4f"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    revision_file_path = Path(__file__)
+    with open(revision_file_path.with_suffix(".sql")) as f:
+        conn.execute(text(f.read()))
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+
+    conn.execute(text("DROP FUNCTION IF EXISTS subscription_instance_as_json;"))
+    conn.execute(text("DROP FUNCTION IF EXISTS subscription_instance_fields_as_json;"))

orchestrator/migrations/versions/schema/2025-03-06_42b3d076a85b_subscription_instance_as_json_function.sql

@@ -0,0 +1,40 @@
+CREATE OR REPLACE FUNCTION subscription_instance_fields_as_json(sub_inst_id uuid)
+    RETURNS jsonb
+    LANGUAGE sql
+    STABLE PARALLEL SAFE AS
+$func$
+select jsonb_object_agg(rts.key, rts.val)
+from (select attr.key,
+             attr.val
+      from subscription_instances si
+               join product_blocks pb ON si.product_block_id = pb.product_block_id
+               cross join lateral (
+          values ('subscription_instance_id', to_jsonb(si.subscription_instance_id)),
+                 ('owner_subscription_id', to_jsonb(si.subscription_id)),
+                 ('name', to_jsonb(pb.name))
+          ) as attr(key, val)
+      where si.subscription_instance_id = sub_inst_id
+      union all
+      select rt.resource_type                            key,
+             jsonb_agg(siv.value ORDER BY siv.value ASC) val
+      from subscription_instance_values siv
+               join resource_types rt on siv.resource_type_id = rt.resource_type_id
+      where siv.subscription_instance_id = sub_inst_id
+      group by rt.resource_type) as rts
+$func$;
+
+
+CREATE OR REPLACE FUNCTION subscription_instance_as_json(sub_inst_id uuid)
+    RETURNS jsonb
+    LANGUAGE sql
+    STABLE PARALLEL SAFE AS
+$func$
+select subscription_instance_fields_as_json(sub_inst_id) ||
+       coalesce(jsonb_object_agg(depends_on.block_name, depends_on.block_instances), '{}'::jsonb)
+from (select sir.domain_model_attr                                                                    block_name,
+             jsonb_agg(subscription_instance_as_json(sir.depends_on_id) ORDER BY sir.order_id ASC) as block_instances
+      from subscription_instance_relations sir
+      where sir.in_use_by_id = sub_inst_id
+        and sir.domain_model_attr is not null
+      group by block_name) as depends_on
+$func$;

orchestrator/migrations/versions/schema/2025-04-09_fc5c993a4b4a_add_cascade_constraint_on_processes_.py

@@ -0,0 +1,44 @@
+"""add cascade constraint on processes input state.
+
+Revision ID: fc5c993a4b4a
+Revises: 42b3d076a85b
+Create Date: 2025-04-09 18:27:31.922214
+
+"""
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "fc5c993a4b4a"
+down_revision = "42b3d076a85b"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Drop the existing foreign key constraint
+    op.drop_constraint("input_states_pid_fkey", "input_states", type_="foreignkey")
+
+    # Add a new foreign key constraint with cascade delete
+    op.create_foreign_key(
+        "input_states_pid_fkey",
+        "input_states",
+        "processes",
+        ["pid"],
+        ["pid"],
+        ondelete="CASCADE",
+    )
+
+
+def downgrade() -> None:
+    # Drop the cascade foreign key constraint
+    op.drop_constraint("input_states_pid_fkey", "input_states", type_="foreignkey")
+
+    # Recreate the original foreign key constraint without cascade
+    op.create_foreign_key(
+        "input_states_pid_fkey",
+        "input_states",
+        "processes",
+        ["pid"],
+        ["pid"],
+    )

orchestrator/schemas/engine_settings.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2020 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/schemas/subscription.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2025 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/security.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2020 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/services/celery.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2020 SURF, GÉANT.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at

orchestrator/services/processes.py

@@ -1,4 +1,4 @@
-# Copyright 2019-2020 SURF.
+# Copyright 2019-2025 SURF, GÉANT, ESnet.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -24,15 +24,10 @@ from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import joinedload
 
 from nwastdlib.ex import show_ex
+from oauth2_lib.fastapi import OIDCUserModel
 from orchestrator.api.error_handling import raise_status
 from orchestrator.config.assignee import Assignee
-from orchestrator.db import (
-    EngineSettingsTable,
-    ProcessStepTable,
-    ProcessSubscriptionTable,
-    ProcessTable,
-    db,
-)
+from orchestrator.db import EngineSettingsTable, ProcessStepTable, ProcessSubscriptionTable, ProcessTable, db
 from orchestrator.distlock import distlock_manager
 from orchestrator.schemas.engine_settings import WorkerStatus
 from orchestrator.services.input_state import store_input_state
@@ -414,10 +409,15 @@ def _run_process_async(process_id: UUID, f: Callable) -> UUID:
     return process_id
 
 
+def error_message_unauthorized(workflow_key: str) -> str:
+    return f"User is not authorized to execute '{workflow_key}' workflow"
+
+
 def create_process(
     workflow_key: str,
     user_inputs: list[State] | None = None,
     user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
 ) -> ProcessStat:
     # ATTENTION!! When modifying this function make sure you make similar changes to `run_workflow` in the test code
 
@@ -430,6 +430,9 @@ def create_process(
     if not workflow:
         raise_status(HTTPStatus.NOT_FOUND, "Workflow does not exist")
 
+    if not workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(workflow_key))
+
     initial_state = {
         "process_id": process_id,
         "reporter": user,
@@ -449,6 +452,7 @@ def create_process(
         state=Success(state | initial_state),
         log=workflow.steps,
         current_user=user,
+        user_model=user_model,
     )
 
     _db_create_process(pstat)
@@ -460,9 +464,12 @@ def thread_start_process(
     workflow_key: str,
     user_inputs: list[State] | None = None,
     user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     pstat = create_process(workflow_key, user_inputs=user_inputs, user=user)
+    if not pstat.workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(workflow_key))
 
     _safe_logstep_with_func = partial(safe_logstep, broadcast_func=broadcast_func)
     return _run_process_async(pstat.process_id, lambda: runwf(pstat, _safe_logstep_with_func))
@@ -472,6 +479,7 @@ def start_process(
     workflow_key: str,
     user_inputs: list[State] | None = None,
     user: str = SYSTEM_USER,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     """Start a process for workflow.
@@ -480,6 +488,7 @@ def start_process(
         workflow_key: name of workflow
         user_inputs: List of form inputs from frontend
         user: User who starts this process
+        user_model: Full OIDCUserModel with claims, etc
         broadcast_func: Optional function to broadcast process data
 
     Returns:
@@ -487,7 +496,9 @@ def start_process(
 
     """
     start_func = get_execution_context()["start"]
-    return start_func(workflow_key, user_inputs=user_inputs, user=user, broadcast_func=broadcast_func)
+    return start_func(
+        workflow_key, user_inputs=user_inputs, user=user, user_model=user_model, broadcast_func=broadcast_func
+    )
 
 
 def thread_resume_process(
@@ -495,6 +506,7 @@ def thread_resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     # ATTENTION!! When modifying this function make sure you make similar changes to `resume_workflow` in the test code
@@ -503,6 +515,8 @@ def thread_resume_process(
         user_inputs = [{}]
 
     pstat = load_process(process)
+    if not pstat.workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
 
     if pstat.workflow == removed_workflow:
         raise ValueError("This workflow cannot be resumed")
@@ -542,6 +556,7 @@ def resume_process(
     *,
     user_inputs: list[State] | None = None,
     user: str | None = None,
+    user_model: OIDCUserModel | None = None,
     broadcast_func: BroadcastFunc | None = None,
 ) -> UUID:
     """Resume a failed or suspended process.
@@ -550,6 +565,7 @@ def resume_process(
         process: Process from database
         user_inputs: Optional user input from forms
         user: user who resumed this process
+        user_model: OIDCUserModel of user who resumed this process
         broadcast_func: Optional function to broadcast process data
 
     Returns:
@@ -557,6 +573,9 @@ def resume_process(
 
     """
     pstat = load_process(process)
+    if not pstat.workflow.authorize_callback(user_model):
+        raise_status(HTTPStatus.FORBIDDEN, error_message_unauthorized(str(process.workflow_name)))
+
     try:
         post_form(pstat.log[0].form, pstat.state.unwrap(), user_inputs=user_inputs or [])
     except FormValidationError: