Set read-only users for BPM

Let’s say I have a contract approval BP, and I want the head developer to accept or decline it, but this head developer might want to consult with managers (of the same organization) about some parts of this contract. So a manager should be able to ‘open’ this contract to others, but they shouldn’t be able to approve the contract.
So here’s my question: how could I better hide the approval button from managers and leave it only to the head developer, by security roles or by security group constraints? Where could I find more info about that?

Why is the “Approve” button visible for managers? As I understand it, only the head developer is among the process actors and only the head developer has an associated UserTask.

I have system roles related to organizations, and my contract is given to an organization where only one responsible person can approve/decline it, and others, if that responsible person wants, can only read that contract.
Should I make an additional system role that will allow them to watch a contract and have no rights for BPM? Then how should I restrict them from watching all other contracts, so that they see only the contract that is currently in the proper task of the BPM?

One possible solution is to add a property with a list of users to each contract. The head developer will populate this list with employees who should be able to see the contract. Then create a new security group. The group should contain a constraint that limits the list of contracts to only those where the current user is among the users from the “allowedPersons” property of the contract entity.

1 Like
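As an added illustration (not from the original thread), assuming the platform uses CUBA-style security group constraints with the `{E}` entity alias and the `:session$userId` session attribute, and that `allowedPersons` is a many-to-many collection of users on the contract entity, the read constraint could be filled in like this:

```text
Entity:       Contract                      (assumed entity name)
Operation:    read
Check type:   database (JPQL)
Join clause:  join {E}.allowedPersons p     (assumed collection of User entities)
Where clause: p.id = :session$userId        (current session user must be on the list)
```

Users who are not on a contract’s list then get no rows for that entity at all, while the approval itself stays with the head developer because only that user is a process actor with the UserTask.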

I think I got your idea, thank you)