Squashed 'spiffworkflow-backend/' changes from 7600e1e57..094de3563

094de3563 pyl w/ burnettk 7575ce459 Merge pull request #95 from sartography/feature/find_by_process_instance_id bb3c9ebea fixed test w/ burnettk 4b8b5fc40 added fix to SpiffWorkflow to deepcopy operation params before evaluating them w/ burnettk 08909ae93 Add get_secret script (#94) 158cbb4bf basic support to find a process instance by id w/ burnettk 49a71d898 pyl w/ burnettk 3d87cc56a Merge branch 'main' into feature/process-nav-improvements 13ef0ab87 fixed issue displaying task data for call activities called multiple times in a diagram w/ burnettk e99caf034 Merge branch 'main' into feature/process-nav-improvements e64fe5eee add a bit more debugging info f4907aeab pyl ac079f881 added ability to filter process instances by process initiator 9d848effa pyl w/ burnettk 7ae3dca55 added process group display name to model search and cache the groups to avoid extra lookups w/ burnettk fc30bd843 merged in main and resolved conflicts 9f036a1d0 Helper function to support reaping process instances (#91) 29fb40b3f pyl w/ burnettk 10e2ea6f9 added new page to create process models using english text w/ burnettk 7f9422ce2 added method to create process models based on english string w/ burnettk 8de7d1378 upgrade black, give it the preview flag, and let it rip on long strings 9310c8eec configure metadata extration paths appropriately 2adb6b206 actually create process model afd6bcbc3 added basis of api to create process models from text w/ burnettk 141b19241 reformat file 119f2513e remove reset tasks from human task table 244c6178a added all users to waiting for column on task list tables w/ burnettk 787e1e1ee fix method overwritten by merge 8dd2457ce Merge branch 'main' into feature/process-nav-improvements dab22e0ec ensure we get logs for both db and backend with docker compose w/ burnettk a2aa3ae4f remove unused task method ad17ca3f5 allow tests to determine what paginated entity id to use to determine a table has loaded 1fcaf8bdb create spiff steps for manual navigation 0bc9ae6f6 Merge remote-tracking branch 'origin/main' into feature/process_api_blueprint_refactor 71475ddf8 Merge pull request #78 from sartography/feature/process-navigation 534e2d468 move helpers where they belong 22cdc28a8 run ./bin/run_pyl 55eedd28c new service tasks controller 439106265 move status to health controller e0f7da69a fix test accde5d4e move helpers where they belong 524434a10 allow option to complete single tasks with or without execution 865fd6c8c get tests passing 7faf753e6 moved some more apis w/ burnettk aa87d68d5 moved more api methods to own controllers w/ burnettk 6b78eddc8 add endpoint to reset process to earlier step be5580a92 moved process groups, models, and instances api methods to own controller files w/ burnettk 3933c92a5 fix bug with opening call activities when processes conflict with dmn files 76c71a7e5 fix show previous spiff steps 7f09a92eb Minor fix to SpiffWorkflow library d3136f8e4 Don't freak out if git is not yet setup in the working directory. 83e468d43 Merge branch 'main' into feature/process-navigation 42393d8d7 Make list available to script tasks (#86) 0972d9790 save the process instance even if it fails to run all the way w/ burnettk 626db0d78 delete human tasks when process instance is deleted w/ burnettk 1a71a44b5 Merge branch 'main' of github.com:sartography/spiff-arena 0cc6f2c2d fixed some cypress tests and fixed issue where an invalid date caused the page to constantly reload w/ burnettk 07a977f02 Revive report deletion (#85) 8aafd69db do not delete groups that were just added w/ burnettk f4b01d957 update flask-bpmn w/ burnettk b33947bda some cypress tests w/ burnettk c56a2b0d7 update flask-bpmn w/ burnettk e3d381a23 log api errors when sending to sentry w/ burnettk 568c2b7f2 give read access to process-data for all permission macro w/ burnettk bf1ecb87d added ability to view data objects from the process instance show page w/ burnettk 2ba416f58 dev permissions copied from terraform deployed and terraform deployed now tiny, minor fixes 18ae75fa5 link to correct instances page, fix fin users, ignore coverage files 25022c35f trim down granted permissions to just the ones that exist in the API, improve output of permissions 3fd9aafe0 use spiffworkflow.org for admin and other minor permissions tweaks fbfc0f118 fix flask bpmn poetry lock and change admin email to spiffworkflow.org cd623fc97 fix qa1 and add script to get perms 8ed7800e5 lint and regen schema 0e8f6fc04 50 is not long enough to store our keycloak urls 3178909c1 add qa1 env ffcfa7b37 added test to check only privileged users can call refresh_permissions w/ burnettk 833976ef0 updated permission yamls to have email addresses and look more the same w/ burnettk 73356471b pyl passes w/ burnettk 533beee8b removed scripts for permissions since that code has been mostly moved and superseded by refresh_permissions w/ burnettk be228d405 added script to refresh permissions w/ burnettk 2b5d03beb pyl w/ burnettk 0ad370896 added script to get all permissions for the confirmation page when adding permissions from a process model w/ burnettk d67ec1687 added test to for permission to process group w/ burnettk f4558b616 fixed slashes to colons in permission macros w/ burnettk a56734226 pyl e3b9e127c added ALL macro for easier use with admin groups and some failure test cases 2a5954109 added remaining tests for current permission macros f669d19ea added test for perm macros w/ burnettk b73699e69 added method to add permissions based on macros w/ burnettk 4ac265433 Merge remote-tracking branch 'origin/main' into feature/bpmn_user_permissions d45860254 minor tweak to test bpmn w/ burnettk 1c027df7c Merge branch 'main' of github.com:sartography/spiff-arena into main 91630588f Do not require a Git Repository to start a process. d12696fcd do not force permissions to use the v1.0 path prefix but it can be used if desired w/ burnettk 7756165b0 pyl w/ burnettk dc2a976b9 default requiring permissions to run a script to True w/ burnettk 71c4a2fdc added permission to run privileged scripts w/ burnettk 1033159b2 Merge pull request #79 from sartography/feature/better_unit_tests 6b886663f Merge remote-tracking branch 'origin/main' into feature/bpmn_user_permissions c49355dec pyl fixed w/ burnettk 068c3f133 fixed get tasks and process instances by group w/ burnettk 66ebe1ad2 pyl w/ burnettk a7256622d fixed completed instances filter w/ burnettk 0f18bb798 merged in main and resolved conflicts w/ burnettk 6a578b6f4 a little refactor w/ burnettk f9fa7e514 set the completed by user on human task w/ burnettk be47b7352 added remaining filter tests w/ burnettk 0d3506944 added another filter test 578481416 added test for report filters w/ burnettk 6cb0b068b reformat file again e5a803f2b renamed test process instance create method w/ burnettk 4d2796fac some initial changes to refactor report filters w/ burnettk e0ce9f71e fix more bs errors e1d132cf6 fix lint errors ca9587f1a fix conflicts for like the thousandth time 84749f194 fix filtering issue on completed instances tab and lint junk 3c2b71549 fix getting task info for a process instance w/ burnettk 90a5b0c31 added correct process instance permissions w/ burnettk af03e4823 renamed active task to human task since we are no longer deleting them w/ burnettk 86cb5d77a created process instance list and show pages to handle all and for-me w/ burnettk ec492b3cf fix conflicts yet again 6c64e7312 merged in main and resolved conflicts w/ burnettk d4ef203da give everybody crud for reports w/ burnettk a6a84beae fixed file upload and do not allow submitting task data to a suspended process instance w/ burnettk bd835f980 fix typing problem 76481f57c updates to disallow modifying a process instance when it is not in the correct state w/ burnettk b9642bfdf do not allow editing task data for process instances that are not suspended and some code cleanup w/ burnettk a7fb08b11 add integration tests for process nav endpoints 51cfe2417 added updated and created at columns on user w/ burnettk 20f378922 set the auth header when calling git commit w/ burnettk 8ebd5f5b1 Fixing some tests. 3d769e185 Merge remote-tracking branch 'origin/main' into feature/bpmn_user_permissions d24b53b7a Adding tests for the user service , and closing a few logic errors. Adding support for a single wild card for matching all users. 71a154db1 allow marking task complete without executing b08496f4b fix conflicts again d358f0e70 fix tests f81851122 added completed column to active task w/ burnettk 10c92cd58 update url to allow permissions on send event a32bf8993 some basic stuff for showing only relating items to user w/ burnettk 87b5d9aff fixed permissions w/ burnettk ecc70c189 Merge remote-tracking branch 'origin/main' into feature/bpmn_user_permissions 07c5fe2e9 add a test group and put natalia in it e2a7a5de2 updated some text for task tables w/ burnettk d0fbd20ee merged in main and resolved conflicts w/ burnettk 609343d06 updated flask-bpmn so it does not send invalid token exceptions to sentry w/ burnettk cd36bff52 Merge remote-tracking branch 'origin/main' into feature/better_unit_tests 06ea528c1 fix conflicts & update event url to match other process instance urls 3697c86c2 Merge branch 'feature/better_unit_tests' into feature/bpmn_user_permissions b7d6448b8 Fixes a bug that was causing tests to be added to the incorrect task. Clean up UI for a better experience when viewing tests. 20f445d85 Updated migrations. a75a5407e When loading permissions and the user does not exist, add records to the UserGroupAssignmentWaiting table that can be picked up later. Request "profile" scope over OpenID so we can get a few more bits of information when avilable. Add a "clear_perissions" script Add an "add_permissions" script Add an "add_permissions" script When logging in for the first time, check for any awaiting permissions and assign them. Add "enumerate" as a whitelisted function to React Schema Add a "display_name" to the user table e10cb73f7 reformat & fix types 68c4aa2db Merge branch 'main' into feature/process-navigation 8f233106e Merge remote-tracking branch 'origin/unit_test_404' into feature/bpmn_user_permissions 9af47b207 Fix api endpoints for script unit tests 6c8cbe6f2 working but barely functional UI for manually sending events a9673dd4b Assure our open-id system can return emails. Update our data from Open ID Systems when users log in a66591833 Removing two fields from user table that were not used (uid, name) Request email from open id clients, as this would provide a handy way to uniquely reference users when assigning to groups. During Login do a lookup on email if possible -- so that permissions assignments based on email can be connected when sigining in through openid. Don't use "open_id" for the service name on user accounts, use the iss string provided through open id, this will allow us to support more than one open id platform. Update the KeyCloak configuration so it is able to return email addresses for users -- which will make permission assignment easier in the future. Removed several unused commands in the user_service class. 33d68368b split out completed instances by group as well e7873c5be updated group api so it is not under tasks 88f6ea071 pyl 1582dca2d split group task tables by group and created component for group tables 37a516d99 some base work to try to get display names searchable for process models w/ burnettk git-subtree-dir: spiffworkflow-backend git-subtree-split: 094de3563ef9020743aaf116f98cbc8e81b9e5d6
2023-01-05 17:35:21 -05:00 · 2023-01-05 17:35:21 -05:00 · 38f5b5b37c
parent 7b85be037b
commit 38f5b5b37c
118 changed files with 6946 additions and 3180 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,7 @@
 .mypy_cache/
 /.idea/
 /.coverage
-/.coverage.*
+.coverage.*
 /.nox/
 /.python-version
 /.pytype/
--- a/bin/delete_and_import_all_permissions.py
+++ b/bin/delete_and_import_all_permissions.py
@ -7,7 +7,8 @@ def main() -> None:
    """Main."""
    app = get_hacked_up_app_for_script()
    with app.app_context():
-        AuthorizationService.delete_all_permissions_and_recreate()
+        AuthorizationService.delete_all_permissions()
+        AuthorizationService.import_permissions_from_yaml_file()


 if __name__ == "__main__":
--- a/bin/get_bpmn_json_for_process_instance
+++ b/bin/get_bpmn_json_for_process_instance
@ -1,5 +1,4 @@
 """Get the bpmn process json for a given process instance id and store it in /tmp."""
-#!/usr/bin/env python
 import os
 import sys

@ -18,15 +17,17 @@ def main(process_instance_id: str):
            id=process_instance_id
        ).first()

+        file_path = f"/tmp/{process_instance_id}_bpmn_json.json"
        if not process_instance:
            raise Exception(
                f"Could not find a process instance with id: {process_instance_id}"
            )

        with open(
-            f"/tmp/{process_instance_id}_bpmn_json.json", "w", encoding="utf-8"
+            file_path, "w", encoding="utf-8"
        ) as f:
            f.write(process_instance.bpmn_json)
+        print(f"Saved to {file_path}")


 if len(sys.argv) < 2:
--- a/bin/get_logs_from_docker_compose
+++ b/bin/get_logs_from_docker_compose
@ -7,4 +7,5 @@ function error_handler() {
 trap 'error_handler ${LINENO} $?' ERR
 set -o errtrace -o errexit -o nounset -o pipefail

-docker compose logs "$@"
+# "docker compose logs" is only getting the db logs so specify them both
+docker compose logs db spiffworkflow-backend
--- a/bin/get_perms
+++ b/bin/get_perms
@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+set -x
+mysql -uroot spiffworkflow_backend_development -e 'select pa.id, g.identifier group_identifier, pt.uri, permission from permission_assignment pa join principal p on p.id = pa.principal_id join `group` g on g.id = p.group_id join permission_target pt on pt.id = pa.permission_target_id;'
--- a/bin/get_routes
+++ b/bin/get_routes
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+grep -E '^ +\/' src/spiffworkflow_backend/api.yml | sort
--- a/bin/git_commit_bpmn_models_repo
+++ b/bin/git_commit_bpmn_models_repo
@ -14,21 +14,39 @@ git_commit_message="$2"
 git_branch="$3"
 git_commit_username="$4"
 git_commit_email="$5"
+git_commit_password="$6"

-if [[ -z "${5:-}" ]]; then
+if [[ -z "${6:-}" ]]; then
  >&2 echo "usage: $(basename "$0") [bpmn_models_absolute_dir] [git_commit_message] [git_branch] [git_commit_username] [git_commit_email]"
  exit 1
 fi

-cd "$bpmn_models_absolute_dir"
-git add .
+function failed_to_get_lock() {
+  >&2 echo "ERROR: Failed to get lock."
+  exit 1
+}

-# https://unix.stackexchange.com/a/155077/456630
-if [ -z "$(git status --porcelain)" ]; then
-  echo "No changes to commit"
-else
-  git config --local user.name "$git_commit_username"
-  git config --local user.email "$git_commit_email"
-  git commit -m "$git_commit_message"
-  git push --set-upstream origin "$git_branch"
-fi
+function run() {
+  cd "$bpmn_models_absolute_dir"
+  git add .
+
+  # https://unix.stackexchange.com/a/155077/456630
+  if [ -z "$(git status --porcelain)" ]; then
+    echo "No changes to commit"
+  else
+    PAT="${git_commit_username}:${git_commit_password}"
+    AUTH=$(echo -n "$PAT" | openssl base64 | tr -d '\n')
+
+    git config --local user.name "$git_commit_username"
+    git config --local user.email "$git_commit_email"
+    git config --local http.extraHeader "Authorization: Basic $AUTH"
+    git commit -m "$git_commit_message"
+    git push --set-upstream origin "$git_branch"
+    git config --unset --local http.extraHeader
+  fi
+}
+
+exec {lock_fd}>/var/lock/mylockfile || failed_to_get_lock
+flock --timeout 60 "$lock_fd" || failed_to_get_lock
+run
+flock -u "$lock_fd"
--- a/bin/import_tickets_for_command_line.py
+++ b/bin/import_tickets_for_command_line.py
@ -27,7 +27,6 @@ def main():
    """Main."""
    app = get_hacked_up_app_for_script()
    with app.app_context():
-
        process_model_identifier_ticket = "ticket"
        db.session.query(ProcessInstanceModel).filter(
            ProcessInstanceModel.process_model_identifier
--- a/bin/keycloak_test_server.py
+++ b/bin/keycloak_test_server.py
@ -40,7 +40,8 @@ def hello_world():
        return (
            'Hello, %s, <a href="/private">See private</a> '
            '<a href="/logout">Log out</a>'
-        ) % oidc.user_getfield("preferred_username")
+            % oidc.user_getfield("preferred_username")
+        )
    else:
        return 'Welcome anonymous, <a href="/private">Log in</a>'

--- a/bin/recreate_db
+++ b/bin/recreate_db
@ -61,3 +61,7 @@ for task in $tasks; do
 done

 SPIFFWORKFLOW_BACKEND_ENV=testing FLASK_APP=src/spiffworkflow_backend poetry run flask db upgrade
+if [[ -n "${SPIFFWORKFLOW_BACKEND_ENV:-}" ]] && ! grep -Eq '^(development|testing)$' <<< "$SPIFFWORKFLOW_BACKEND_ENV"; then
+  mysql -uroot -e "CREATE DATABASE IF NOT EXISTS spiffworkflow_backend_$SPIFFWORKFLOW_BACKEND_ENV"
+  FLASK_APP=src/spiffworkflow_backend poetry run flask db upgrade
+fi
--- a/bin/spiffworkflow-realm.json
+++ b/bin/spiffworkflow-realm.json
@ -426,6 +426,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "admin@spiffworkflow.org",
    "credentials" : [ {
      "id" : "ef435043-ef0c-407a-af5b-ced13182a408",
      "type" : "password",
@ -446,6 +447,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "alex@sartography.com",
    "credentials" : [ {
      "id" : "81a61a3b-228d-42b3-b39a-f62d8e7f57ca",
      "type" : "password",
@ -465,6 +467,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "amir@status.im",
    "credentials" : [ {
      "id" : "e589f3ad-bf7b-4756-89f7-7894c03c2831",
      "type" : "password",
@ -484,6 +487,9 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "firstName" : "",
+    "lastName" : "",
+    "email" : "ciadmin1@spiffworkflow.org",
    "credentials" : [ {
      "id" : "111b5ea1-c2ab-470a-a16b-2373bc94de7a",
      "type" : "password",
@ -499,28 +505,6 @@
    },
    "notBefore" : 0,
    "groups" : [ ]
-  }, {
-    "id" : "56457e8f-47c6-4f9f-a72b-473dea5edfeb",
-    "createdTimestamp" : 1657139955336,
-    "username" : "ciuser1",
-    "enabled" : true,
-    "totp" : false,
-    "emailVerified" : false,
-    "credentials" : [ {
-      "id" : "762f36e9-47af-44da-8520-cf09d752497a",
-      "type" : "password",
-      "createdDate" : 1657139966468,
-      "secretData" : "{\"value\":\"Dpn9QBJSxvl54b0Fu+OKrKRwmDJbk28FQ3xhlOdJPvZVJU/SpdrcsH7ktYAIkVLkRC5qILSZuNPQ3vDGzE2r1Q==\",\"salt\":\"yXd7N8XIQBkJ7swHDeRzXw==\",\"additionalParameters\":{}}",
-      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
-    } ],
-    "disableableCredentialTypes" : [ ],
-    "requiredActions" : [ ],
-    "realmRoles" : [ "default-roles-spiffworkflow" ],
-    "clientRoles" : {
-      "spiffworkflow-backend" : [ "uma_protection" ]
-    },
-    "notBefore" : 0,
-    "groups" : [ ]
  }, {
    "id" : "d58b61cc-a77e-488f-a427-05f4e0572e20",
    "createdTimestamp" : 1669132945413,
@ -530,6 +514,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "core@status.im",
    "credentials" : [ {
      "id" : "ee80092b-8ee6-4699-8492-566e088b48f5",
      "type" : "password",
@ -550,6 +535,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "dan@sartography.com",
    "credentials" : [ {
      "id" : "d517c520-f500-4542-80e5-7144daef1e32",
      "type" : "password",
@ -569,6 +555,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "daniel@sartography.com",
    "credentials" : [ {
      "id" : "f240495c-265b-42fc-99db-46928580d07d",
      "type" : "password",
@ -588,6 +575,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "elizabeth@sartography.com",
    "credentials" : [ {
      "id" : "ae951ec8-9fc9-4f1b-b340-bbbe463ae5c2",
      "type" : "password",
@ -609,6 +597,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "fin@status.im",
    "credentials" : [ {
      "id" : "2379940c-98b4-481a-b629-0bd1a4e91acf",
      "type" : "password",
@ -631,6 +620,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "fin1@status.im",
    "credentials" : [ {
      "id" : "96216746-ff72-454e-8288-232428d10b42",
      "type" : "password",
@ -651,6 +641,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "finance_user1@status.im",
    "credentials" : [ {
      "id" : "f14722ec-13a7-4d35-a4ec-0475d405ae58",
      "type" : "password",
@ -670,6 +661,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "harmeet@status.im",
    "credentials" : [ {
      "id" : "89c26090-9bd3-46ac-b038-883d02e3f125",
      "type" : "password",
@ -691,6 +683,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "j@status.im",
    "credentials" : [ {
      "id" : "e71ec785-9133-4b7d-8015-1978379af0bb",
      "type" : "password",
@ -711,6 +704,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "jakub@status.im",
    "credentials" : [ {
      "id" : "ce141fa5-b8d5-4bbe-93e7-22e7119f97c2",
      "type" : "password",
@ -730,6 +724,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "jarrad@status.im",
    "credentials" : [ {
      "id" : "113e0343-1069-476d-83f9-21d98edb9cfa",
      "type" : "password",
@ -749,6 +744,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "jason@sartography.com",
    "credentials" : [ {
      "id" : "40abf32e-f0cc-4a17-8231-1a69a02c1b0b",
      "type" : "password",
@ -768,6 +764,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "jon@sartography.com",
    "credentials" : [ {
      "id" : "8b520e01-5b9b-44ab-9ee8-505bd0831a45",
      "type" : "password",
@ -787,6 +784,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "kb@sartography.com",
    "credentials" : [ {
      "id" : "2c0be363-038f-48f1-86d6-91fdd28657cf",
      "type" : "password",
@ -808,6 +806,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "lead@status.im",
    "credentials" : [ {
      "id" : "96e836a4-1a84-45c5-a9ed-651b0c90195e",
      "type" : "password",
@ -830,6 +829,7 @@
    "emailVerified" : false,
    "firstName" : "",
    "lastName" : "",
+    "email" : "lead1@status.im",
    "credentials" : [ {
      "id" : "4e17388b-6c44-44e1-b20a-a873c0feb9a8",
      "type" : "password",
@ -850,6 +850,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "manuchehr@status.im",
    "credentials" : [ {
      "id" : "07dabf55-b5d3-4f98-abba-3334086ecf5e",
      "type" : "password",
@ -869,6 +870,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "mike@sartography.com",
    "credentials" : [ {
      "id" : "1ed375fb-0f1a-4c2a-9243-2477242cf7bd",
      "type" : "password",
@ -887,7 +889,10 @@
    "username" : "natalia",
    "enabled" : true,
    "totp" : false,
-    "emailVerified" : false,
+    "emailVerified" : true,
+    "firstName" : "",
+    "lastName" : "",
+    "email" : "natalia@sartography.com",
    "credentials" : [ {
      "id" : "b6aa9936-39cc-4931-bfeb-60e6753de5ba",
      "type" : "password",
@ -907,6 +912,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "sasha@status.im",
    "credentials" : [ {
      "id" : "4a170af4-6f0c-4e7b-b70c-e674edf619df",
      "type" : "password",
@ -926,6 +932,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "service-account@status.im",
    "serviceAccountClientId" : "spiffworkflow-backend",
    "credentials" : [ ],
    "disableableCredentialTypes" : [ ],
@ -943,6 +950,7 @@
    "enabled" : true,
    "totp" : false,
    "emailVerified" : false,
+    "email" : "service-account-withauth@status.im",
    "serviceAccountClientId" : "withAuth",
    "credentials" : [ ],
    "disableableCredentialTypes" : [ ],
@ -2166,7 +2174,7 @@
      "subType" : "authenticated",
      "subComponents" : { },
      "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper" ]
      }
    }, {
      "id" : "d68e938d-dde6-47d9-bdc8-8e8523eb08cd",
@ -2184,7 +2192,7 @@
      "subType" : "anonymous",
      "subComponents" : { },
      "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-address-mapper", "oidc-full-name-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-address-mapper", "saml-user-attribute-mapper" ]
      }
    }, {
      "id" : "3854361d-3fe5-47fb-9417-a99592e3dc5c",
@ -2274,7 +2282,7 @@
  "internationalizationEnabled" : false,
  "supportedLocales" : [ ],
  "authenticationFlows" : [ {
-    "id" : "b896c673-57ab-4f24-bbb1-334bdadbecd3",
+    "id" : "76ae522e-7ab3-48dc-af76-9cb8069368a2",
    "alias" : "Account verification options",
    "description" : "Method with which to verity the existing account",
    "providerId" : "basic-flow",
@ -2296,7 +2304,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "4da99e29-371e-4f4b-a863-e5079f30a714",
+    "id" : "ddf80243-ec40-4c21-ae94-2967d841f84c",
    "alias" : "Authentication Options",
    "description" : "Authentication options.",
    "providerId" : "basic-flow",
@ -2325,7 +2333,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "d398c928-e201-4e8b-ab09-289bb351cd2e",
+    "id" : "4f075680-46b7-49eb-b94c-d7425f105cb9",
    "alias" : "Browser - Conditional OTP",
    "description" : "Flow to determine if the OTP is required for the authentication",
    "providerId" : "basic-flow",
@ -2347,7 +2355,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "663b7aa3-84f6-4347-8ed4-588c2464b75d",
+    "id" : "a0467c77-c3dc-4df6-acd2-c05ca13601ed",
    "alias" : "Direct Grant - Conditional OTP",
    "description" : "Flow to determine if the OTP is required for the authentication",
    "providerId" : "basic-flow",
@ -2369,7 +2377,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "98013bc1-e4dd-41f7-9849-1f898143b944",
+    "id" : "07536fec-8d41-4c73-845f-ca85002022e0",
    "alias" : "First broker login - Conditional OTP",
    "description" : "Flow to determine if the OTP is required for the authentication",
    "providerId" : "basic-flow",
@ -2391,7 +2399,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "b77e7545-9e39-4d72-93f8-1b38c954c2e2",
+    "id" : "f123f912-71fb-4596-97f9-c0628a59413d",
    "alias" : "Handle Existing Account",
    "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
    "providerId" : "basic-flow",
@ -2413,7 +2421,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "2470e6f4-9a01-476a-9057-75d78e577182",
+    "id" : "03c26cc5-366b-462d-9297-b4016f8d7c57",
    "alias" : "Reset - Conditional OTP",
    "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
    "providerId" : "basic-flow",
@ -2435,7 +2443,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "8e7dad0b-f4e1-4534-b618-b635b0a0e4f9",
+    "id" : "1b4f474e-aa64-45cc-90f1-63504585d89c",
    "alias" : "User creation or linking",
    "description" : "Flow for the existing/non-existing user alternatives",
    "providerId" : "basic-flow",
@ -2458,7 +2466,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "97c83e43-cba8-4d92-b108-9181bca07a1e",
+    "id" : "38024dd6-daff-45de-8782-06b07b7bfa56",
    "alias" : "Verify Existing Account by Re-authentication",
    "description" : "Reauthentication of existing account",
    "providerId" : "basic-flow",
@ -2480,7 +2488,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "fbabd64c-20de-4b8c-bfd2-be6822572278",
+    "id" : "b7e30fca-e4ac-4886-a2e7-642fe2a27ee7",
    "alias" : "browser",
    "description" : "browser based authentication",
    "providerId" : "basic-flow",
@ -2516,7 +2524,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "0628a99f-b194-495d-8e54-cc4ca8684956",
+    "id" : "92e3571d-ac3e-4e79-a391-5315954e866f",
    "alias" : "clients",
    "description" : "Base authentication for clients",
    "providerId" : "client-flow",
@ -2552,7 +2560,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "ce6bf7af-3bff-48ce-b214-7fed08503a2a",
+    "id" : "5093dd2d-fe5d-4f41-a54d-03cd648d9b7f",
    "alias" : "direct grant",
    "description" : "OpenID Connect Resource Owner Grant",
    "providerId" : "basic-flow",
@ -2581,7 +2589,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "60ce729b-d055-4ae7-83cb-85dbcf8cfdaa",
+    "id" : "95d2f1ff-6907-47ce-a93c-db462fe04844",
    "alias" : "docker auth",
    "description" : "Used by Docker clients to authenticate against the IDP",
    "providerId" : "basic-flow",
@ -2596,7 +2604,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "0bd3cf93-7f33-46b2-ad1f-85cdfb0a87f9",
+    "id" : "27405ee8-5730-419c-944c-a7c67edd91ce",
    "alias" : "first broker login",
    "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
    "providerId" : "basic-flow",
@ -2619,7 +2627,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "3e52f178-9b9d-4a62-97d5-f9f3f872bcd9",
+    "id" : "fce6d926-3a99-40ee-b79e-cae84493dbd8",
    "alias" : "forms",
    "description" : "Username, password, otp and other auth forms.",
    "providerId" : "basic-flow",
@ -2641,7 +2649,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "3f5fd6cc-2935-45d8-9bef-6857bba3657a",
+    "id" : "75d93596-b7fb-4a2c-a780-e6a038e66fe9",
    "alias" : "http challenge",
    "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
    "providerId" : "basic-flow",
@ -2663,7 +2671,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "2c2b32dd-57dc-45d7-9a24-b4a253cb6a03",
+    "id" : "04cdc1ac-c58d-4f8c-bc10-7d5e2bb99485",
    "alias" : "registration",
    "description" : "registration flow",
    "providerId" : "basic-flow",
@ -2679,7 +2687,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "dbc28b13-dba7-42a0-a8ab-faa8762979c3",
+    "id" : "99593c1e-f2a5-4198-ad41-634694259110",
    "alias" : "registration form",
    "description" : "registration form",
    "providerId" : "form-flow",
@ -2715,7 +2723,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "b4a901d5-e7b9-4eb6-9f8e-1d3305846828",
+    "id" : "7d53f026-b05e-4a9c-aba6-23b17826a4d4",
    "alias" : "reset credentials",
    "description" : "Reset credentials for a user if they forgot their password or something",
    "providerId" : "basic-flow",
@ -2751,7 +2759,7 @@
      "userSetupAllowed" : false
    } ]
  }, {
-    "id" : "824fe757-cc5c-4e13-ab98-9a2132e10f5c",
+    "id" : "7ca17e64-f916-4d6c-91f0-815ec66f50e8",
    "alias" : "saml ecp",
    "description" : "SAML ECP Profile Authentication Flow",
    "providerId" : "basic-flow",
@ -2767,13 +2775,13 @@
    } ]
  } ],
  "authenticatorConfig" : [ {
-    "id" : "817a93da-29df-447f-ab05-cd9557e66745",
+    "id" : "9b71d817-b999-479d-97f8-07e39dd9e9fa",
    "alias" : "create unique user config",
    "config" : {
      "require.password.update.after.registration" : "false"
    }
  }, {
-    "id" : "4a8a9659-fa0d-4da8-907b-3b6daec1c878",
+    "id" : "f9f13ba1-6a17-436b-a80b-6ccc042f9fc2",
    "alias" : "review profile config",
    "config" : {
      "update.profile.on.first.login" : "missing"
--- a/conftest.py
+++ b/conftest.py
@ -9,7 +9,7 @@ from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest

-from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
+from spiffworkflow_backend.models.human_task_user import HumanTaskUserModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.services.process_instance_processor import (
@ -47,7 +47,7 @@ def app() -> Flask:
@pytest.fixture()
 def with_db_and_bpmn_file_cleanup() -> None:
    """Process_group_resource."""
-    db.session.query(ActiveTaskUserModel).delete()
+    db.session.query(HumanTaskUserModel).delete()

    for model in SpiffworkflowBaseDBModel._all_subclasses():
        db.session.query(model).delete()
--- a/migrations/versions/907bcf0c3d75_.py
+++ b/migrations/versions/907bcf0c3d75_.py
@ -1,8 +1,8 @@
 """empty message

-Revision ID: 4d75421c0af0
+Revision ID: 907bcf0c3d75
 Revises: 
-Create Date: 2022-12-06 17:42:56.417673
+Create Date: 2022-12-28 13:52:13.030028

 """
 from alembic import op
@ -10,7 +10,7 @@ import sqlalchemy as sa


 # revision identifiers, used by Alembic.
-revision = '4d75421c0af0'
+revision = '907bcf0c3d75'
 down_revision = None
 branch_labels = None
 depends_on = None
@ -72,14 +72,15 @@ def upgrade():
    op.create_table('user',
    sa.Column('id', sa.Integer(), nullable=False),
    sa.Column('username', sa.String(length=255), nullable=False),
-    sa.Column('uid', sa.String(length=50), nullable=True),
-    sa.Column('service', sa.String(length=50), nullable=False),
+    sa.Column('service', sa.String(length=255), nullable=False),
    sa.Column('service_id', sa.String(length=255), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=True),
+    sa.Column('display_name', sa.String(length=255), nullable=True),
    sa.Column('email', sa.String(length=255), nullable=True),
+    sa.Column('updated_at_in_seconds', sa.Integer(), nullable=True),
+    sa.Column('created_at_in_seconds', sa.Integer(), nullable=True),
    sa.PrimaryKeyConstraint('id'),
    sa.UniqueConstraint('service', 'service_id', name='service_key'),
-    sa.UniqueConstraint('uid')
+    sa.UniqueConstraint('username')
    )
    op.create_table('message_correlation_property',
    sa.Column('id', sa.Integer(), nullable=False),
@ -174,11 +175,20 @@ def upgrade():
    sa.PrimaryKeyConstraint('id'),
    sa.UniqueConstraint('user_id', 'group_id', name='user_group_assignment_unique')
    )
-    op.create_table('active_task',
+    op.create_table('user_group_assignment_waiting',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('username', sa.String(length=255), nullable=False),
+    sa.Column('group_id', sa.Integer(), nullable=False),
+    sa.ForeignKeyConstraint(['group_id'], ['group.id'], ),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('username', 'group_id', name='user_group_assignment_staged_unique')
+    )
+    op.create_table('human_task',
    sa.Column('id', sa.Integer(), nullable=False),
    sa.Column('process_instance_id', sa.Integer(), nullable=False),
-    sa.Column('actual_owner_id', sa.Integer(), nullable=True),
    sa.Column('lane_assignment_id', sa.Integer(), nullable=True),
+    sa.Column('completed_by_user_id', sa.Integer(), nullable=True),
+    sa.Column('actual_owner_id', sa.Integer(), nullable=True),
    sa.Column('form_file_name', sa.String(length=50), nullable=True),
    sa.Column('ui_form_file_name', sa.String(length=50), nullable=True),
    sa.Column('updated_at_in_seconds', sa.Integer(), nullable=True),
@ -189,12 +199,15 @@ def upgrade():
    sa.Column('task_type', sa.String(length=50), nullable=True),
    sa.Column('task_status', sa.String(length=50), nullable=True),
    sa.Column('process_model_display_name', sa.String(length=255), nullable=True),
+    sa.Column('completed', sa.Boolean(), nullable=False),
    sa.ForeignKeyConstraint(['actual_owner_id'], ['user.id'], ),
+    sa.ForeignKeyConstraint(['completed_by_user_id'], ['user.id'], ),
    sa.ForeignKeyConstraint(['lane_assignment_id'], ['group.id'], ),
    sa.ForeignKeyConstraint(['process_instance_id'], ['process_instance.id'], ),
    sa.PrimaryKeyConstraint('id'),
-    sa.UniqueConstraint('task_id', 'process_instance_id', name='active_task_unique')
+    sa.UniqueConstraint('task_id', 'process_instance_id', name='human_task_unique')
    )
+    op.create_index(op.f('ix_human_task_completed'), 'human_task', ['completed'], unique=False)
    op.create_table('message_correlation',
    sa.Column('id', sa.Integer(), nullable=False),
    sa.Column('process_instance_id', sa.Integer(), nullable=False),
@ -255,23 +268,20 @@ def upgrade():
    sa.Column('spiff_step', sa.Integer(), nullable=False),
    sa.Column('task_json', sa.JSON(), nullable=False),
    sa.Column('timestamp', sa.DECIMAL(precision=17, scale=6), nullable=False),
-    sa.Column('completed_by_user_id', sa.Integer(), nullable=True),
-    sa.Column('lane_assignment_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['lane_assignment_id'], ['group.id'], ),
    sa.ForeignKeyConstraint(['process_instance_id'], ['process_instance.id'], ),
    sa.PrimaryKeyConstraint('id')
    )
-    op.create_table('active_task_user',
+    op.create_table('human_task_user',
    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('active_task_id', sa.Integer(), nullable=False),
+    sa.Column('human_task_id', sa.Integer(), nullable=False),
    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['active_task_id'], ['active_task.id'], ),
+    sa.ForeignKeyConstraint(['human_task_id'], ['human_task.id'], ),
    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ),
    sa.PrimaryKeyConstraint('id'),
-    sa.UniqueConstraint('active_task_id', 'user_id', name='active_task_user_unique')
+    sa.UniqueConstraint('human_task_id', 'user_id', name='human_task_user_unique')
    )
-    op.create_index(op.f('ix_active_task_user_active_task_id'), 'active_task_user', ['active_task_id'], unique=False)
-    op.create_index(op.f('ix_active_task_user_user_id'), 'active_task_user', ['user_id'], unique=False)
+    op.create_index(op.f('ix_human_task_user_human_task_id'), 'human_task_user', ['human_task_id'], unique=False)
+    op.create_index(op.f('ix_human_task_user_user_id'), 'human_task_user', ['user_id'], unique=False)
    op.create_table('message_correlation_message_instance',
    sa.Column('id', sa.Integer(), nullable=False),
    sa.Column('message_instance_id', sa.Integer(), nullable=False),
@ -291,9 +301,9 @@ def downgrade():
    op.drop_index(op.f('ix_message_correlation_message_instance_message_instance_id'), table_name='message_correlation_message_instance')
    op.drop_index(op.f('ix_message_correlation_message_instance_message_correlation_id'), table_name='message_correlation_message_instance')
    op.drop_table('message_correlation_message_instance')
-    op.drop_index(op.f('ix_active_task_user_user_id'), table_name='active_task_user')
-    op.drop_index(op.f('ix_active_task_user_active_task_id'), table_name='active_task_user')
-    op.drop_table('active_task_user')
+    op.drop_index(op.f('ix_human_task_user_user_id'), table_name='human_task_user')
+    op.drop_index(op.f('ix_human_task_user_human_task_id'), table_name='human_task_user')
+    op.drop_table('human_task_user')
    op.drop_table('spiff_step_details')
    op.drop_index(op.f('ix_process_instance_metadata_key'), table_name='process_instance_metadata')
    op.drop_table('process_instance_metadata')
@ -304,7 +314,9 @@ def downgrade():
    op.drop_index(op.f('ix_message_correlation_name'), table_name='message_correlation')
    op.drop_index(op.f('ix_message_correlation_message_correlation_property_id'), table_name='message_correlation')
    op.drop_table('message_correlation')
-    op.drop_table('active_task')
+    op.drop_index(op.f('ix_human_task_completed'), table_name='human_task')
+    op.drop_table('human_task')
+    op.drop_table('user_group_assignment_waiting')
    op.drop_table('user_group_assignment')
    op.drop_table('secret')
    op.drop_table('refresh_token')
--- a/poetry.lock
+++ b/poetry.lock
@ -654,7 +654,7 @@ werkzeug = "*"
 type = "git"
 url = "https://github.com/sartography/flask-bpmn"
 reference = "main"
-resolved_reference = "860f2387bebdaa9220e9fbf6f8fa7f74e805d0d4"
+resolved_reference = "c79c1e0b6d34ec05d82cce888b5e57b33d24403b"

 [[package]]
 name = "Flask-Cors"
@ -1851,7 +1851,7 @@ lxml = "*"
 type = "git"
 url = "https://github.com/sartography/SpiffWorkflow"
 reference = "main"
-resolved_reference = "ffb1686757f944065580dd2db8def73d6c1f0134"
+resolved_reference = "80640024a8030481645f0c34f34c57e88f7b4f0c"

 [[package]]
 name = "SQLAlchemy"
--- a/src/.coverage.jason-Gazelle.473795.719220
+++ b/src/.coverage.jason-Gazelle.473795.719220
--- a/src/.coverage.jason-Gazelle.475245.497833
+++ b/src/.coverage.jason-Gazelle.475245.497833
--- a/src/.coverage.jason-Gazelle.476451.578823
+++ b/src/.coverage.jason-Gazelle.476451.578823
--- a/src/spiffworkflow_backend/init.py
+++ b/src/spiffworkflow_backend/init.py
@ -18,11 +18,11 @@ from werkzeug.exceptions import NotFound

 import spiffworkflow_backend.load_database_models  # noqa: F401
 from spiffworkflow_backend.config import setup_config
+from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
 from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_blueprint
 from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
    openid_blueprint,
 )
-from spiffworkflow_backend.routes.process_api_blueprint import process_api_blueprint
 from spiffworkflow_backend.routes.user import verify_token
 from spiffworkflow_backend.routes.user_blueprint import user_blueprint
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
@ -93,7 +93,8 @@ def create_app() -> flask.app.Flask:

    if os.environ.get("FLASK_SESSION_SECRET_KEY") is None:
        raise KeyError(
-            "Cannot find the secret_key from the environment. Please set FLASK_SESSION_SECRET_KEY"
+            "Cannot find the secret_key from the environment. Please set"
+            " FLASK_SESSION_SECRET_KEY"
        )

    app.secret_key = os.environ.get("FLASK_SESSION_SECRET_KEY")
@ -103,7 +104,6 @@ def create_app() -> flask.app.Flask:
    migrate.init_app(app, db)

    app.register_blueprint(user_blueprint)
-    app.register_blueprint(process_api_blueprint)
    app.register_blueprint(api_error_blueprint)
    app.register_blueprint(admin_blueprint, url_prefix="/admin")
    app.register_blueprint(openid_blueprint, url_prefix="/openid")
@ -117,7 +117,7 @@ def create_app() -> flask.app.Flask:
    ]
    CORS(app, origins=origins_re, max_age=3600)

-    connexion_app.add_api("api.yml", base_path="/v1.0")
+    connexion_app.add_api("api.yml", base_path=V1_API_PATH_PREFIX)

    mail = Mail(app)
    app.config["MAIL_APP"] = mail
--- a/src/spiffworkflow_backend/api.yml
+++ b/src/spiffworkflow_backend/api.yml
--- a/src/spiffworkflow_backend/config/init.py
+++ b/src/spiffworkflow_backend/config/init.py
@ -17,21 +17,21 @@ def setup_database_uri(app: Flask) -> None:
    if app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_URI") is None:
        database_name = f"spiffworkflow_backend_{app.config['ENV_IDENTIFIER']}"
        if app.config.get("SPIFF_DATABASE_TYPE") == "sqlite":
-            app.config[
-                "SQLALCHEMY_DATABASE_URI"
-            ] = f"sqlite:///{app.instance_path}/db_{app.config['ENV_IDENTIFIER']}.sqlite3"
+            app.config["SQLALCHEMY_DATABASE_URI"] = (
+                f"sqlite:///{app.instance_path}/db_{app.config['ENV_IDENTIFIER']}.sqlite3"
+            )
        elif app.config.get("SPIFF_DATABASE_TYPE") == "postgres":
-            app.config[
-                "SQLALCHEMY_DATABASE_URI"
-            ] = f"postgresql://spiffworkflow_backend:spiffworkflow_backend@localhost:5432/{database_name}"
+            app.config["SQLALCHEMY_DATABASE_URI"] = (
+                f"postgresql://spiffworkflow_backend:spiffworkflow_backend@localhost:5432/{database_name}"
+            )
        else:
            # use pswd to trick flake8 with hardcoded passwords
            db_pswd = os.environ.get("DB_PASSWORD")
            if db_pswd is None:
                db_pswd = ""
-            app.config[
-                "SQLALCHEMY_DATABASE_URI"
-            ] = f"mysql+mysqlconnector://root:{db_pswd}@localhost/{database_name}"
+            app.config["SQLALCHEMY_DATABASE_URI"] = (
+                f"mysql+mysqlconnector://root:{db_pswd}@localhost/{database_name}"
+            )
    else:
        app.config["SQLALCHEMY_DATABASE_URI"] = app.config.get(
            "SPIFFWORKFLOW_BACKEND_DATABASE_URI"
@ -42,6 +42,7 @@ def load_config_file(app: Flask, env_config_module: str) -> None:
    """Load_config_file."""
    try:
        app.config.from_object(env_config_module)
+        print(f"loaded config: {env_config_module}")
    except ImportStringError as exception:
        if os.environ.get("TERRAFORM_DEPLOYED_ENVIRONMENT") != "true":
            raise ModuleNotFoundError(
@ -62,6 +63,7 @@ def setup_config(app: Flask) -> None:
    )
    app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
    app.config.from_object("spiffworkflow_backend.config.default")
+    print("loaded config: default")

    env_config_prefix = "spiffworkflow_backend.config."
    if (
@ -69,6 +71,7 @@ def setup_config(app: Flask) -> None:
        and os.environ.get("SPIFFWORKFLOW_BACKEND_ENV") is not None
    ):
        load_config_file(app, f"{env_config_prefix}terraform_deployed_environment")
+        print("loaded config: terraform_deployed_environment")

    env_config_module = env_config_prefix + app.config["ENV_IDENTIFIER"]
    load_config_file(app, env_config_module)
@ -87,6 +90,14 @@ def setup_config(app: Flask) -> None:
            "permissions",
            app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"],
        )
+        print(
+            "set permissions file name config:"
+            f" {app.config['SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME']}"
+        )
+        print(
+            "set permissions file name full path:"
+            f" {app.config['PERMISSIONS_FILE_FULLPATH']}"
+        )

    # unversioned (see .gitignore) config that can override everything and include secrets.
    # src/spiffworkflow_backend/config/secrets.py
--- a/src/spiffworkflow_backend/config/dev.py
+++ b/src/spiffworkflow_backend/config/dev.py
@ -6,3 +6,4 @@ GIT_USERNAME = environ.get("GIT_USERNAME", default="sartography-automated-commit
 GIT_USER_EMAIL = environ.get(
    "GIT_USER_EMAIL", default="sartography-automated-committer@users.noreply.github.com"
 )
+SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = "dev.yml"
--- a/src/spiffworkflow_backend/config/permissions/acceptance_tests.yml
+++ b/src/spiffworkflow_backend/config/permissions/acceptance_tests.yml
@ -1,13 +1,10 @@
 groups:
  admin:
-    users: [ciadmin1]
-
-  common-user:
-    users: [ciuser1]
+    users: [ciadmin1@spiffworkflow.org]

 permissions:
  admin:
-    groups: [admin, common-user]
+    groups: [admin]
    users: []
-    allowed_permissions: [create, read, update, delete, list, instantiate]
+    allowed_permissions: [create, read, update, delete]
    uri: /*
--- a/src/spiffworkflow_backend/config/permissions/dev.yml
+++ b/src/spiffworkflow_backend/config/permissions/dev.yml
@ -0,0 +1,151 @@
+default_group: everybody
+
+groups:
+  admin:
+    users:
+      [
+        admin@spiffworkflow.org,
+        jakub@status.im,
+        jarrad@status.im,
+        kb@sartography.com,
+        alex@sartography.com,
+        dan@sartography.com,
+        mike@sartography.com,
+        jason@sartography.com,
+        j@sartography.com,
+        elizabeth@sartography.com,
+        jon@sartography.com,
+      ]
+
+  Finance Team:
+    users:
+      [
+        jakub@status.im,
+        amir@status.im,
+        jarrad@status.im,
+        sasha@status.im,
+        fin@status.im,
+        fin1@status.im,
+        alex@sartography.com,
+        dan@sartography.com,
+        mike@sartography.com,
+        jason@sartography.com,
+        j@sartography.com,
+        elizabeth@sartography.com,
+        jon@sartography.com,
+      ]
+
+  demo:
+    users:
+      [
+        harmeet@status.im,
+        sasha@status.im,
+        manuchehr@status.im,
+        core@status.im,
+        fin@status.im,
+        fin1@status.im,
+        lead@status.im,
+        lead1@status.im,
+      ]
+
+  test:
+    users:
+      [
+        natalia@sartography.com,
+      ]
+
+permissions:
+  admin:
+    groups: [admin]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /*
+
+  # open system defaults for everybody
+  read-all-process-groups:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-groups/*
+  read-all-process-models:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-models/*
+
+  # basic perms for everybody
+  read-all-process-instances-for-me:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/*
+  read-process-instance-reports:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /process-instances/reports/*
+  processes-read:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /processes
+  service-tasks:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /service-tasks
+  tasks-crud:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /tasks/*
+  user-groups-for-current-user:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /user-groups/for-current-user
+
+
+  finance-admin:
+    groups: ["Finance Team"]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /process-groups/manage-procurement:procurement:*
+
+  manage-revenue-streams-instances:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [create]
+    uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
+  manage-procurement-invoice-instances:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [create]
+    uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
+  manage-procurement-instances:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [create]
+    uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
+
+  manage-revenue-streams-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
+  manage-procurement-invoice-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-procurement:procurement:core-contributor-invoice-management:*
+  manage-procurement-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-procurement:vendor-lifecycle-management:*
+
+  create-test-instances:
+    groups: ["test"]
+    users: []
+    allowed_permissions: [create, read]
+    uri: /process-instances/misc:test:*
--- a/src/spiffworkflow_backend/config/permissions/development.yml
+++ b/src/spiffworkflow_backend/config/permissions/development.yml
@ -10,61 +10,60 @@ groups:
  admin:
    users:
      [
-        admin,
-        jakub,
-        kb,
-        alex,
-        dan,
-        mike,
-        jason,
-        jarrad,
-        elizabeth,
-        jon,
-        natalia,
+        admin@spiffworkflow.org,
+        jakub@status.im,
+        jarrad@status.im,
+        kb@sartography.com,
+        alex@sartography.com,
+        dan@sartography.com,
+        mike@sartography.com,
+        jason@sartography.com,
+        j@sartography.com,
+        elizabeth@sartography.com,
+        jon@sartography.com,
      ]

  Finance Team:
    users:
      [
-        jakub,
-        alex,
-        dan,
-        mike,
-        jason,
-        amir,
-        jarrad,
-        elizabeth,
-        jon,
-        natalia,
-        sasha,
-        fin,
-        fin1,
+        jakub@status.im,
+        amir@status.im,
+        jarrad@status.im,
+        sasha@status.im,
+        fin@status.im,
+        fin1@status.im,
+        alex@sartography.com,
+        dan@sartography.com,
+        mike@sartography.com,
+        jason@sartography.com,
+        j@sartography.com,
+        elizabeth@sartography.com,
+        jon@sartography.com,
      ]

  demo:
    users:
      [
-        core,
-        fin,
-        fin1,
-        harmeet,
-        sasha,
-        manuchehr,
-        lead,
-        lead1
+        harmeet@status.im,
+        sasha@status.im,
+        manuchehr@status.im,
+        core@status.im,
+        fin@status.im,
+        fin1@status.im,
+        lead@status.im,
+        lead1@status.im,
      ]

-  core-contributor:
+  test:
    users:
      [
-        core,
-        harmeet,
+        natalia@sartography.com,
      ]

  admin-ro:
    users:
      [
-        j,
+        j@sartography.com,
      ]

 permissions:
@ -73,7 +72,6 @@ permissions:
    users: []
    allowed_permissions: [create, read, update, delete]
    uri: /*
-
  admin-readonly:
    groups: [admin-ro]
    users: []
@ -83,136 +81,93 @@ permissions:
    groups: [admin-ro]
    users: []
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/*
+    uri: /process-instances/*

-  tasks-crud:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/tasks/*
-  service-tasks:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/service-tasks
-
-
-  # read all for everybody
+  # open system defaults for everybody
  read-all-process-groups:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/process-groups/*
+    uri: /process-groups/*
  read-all-process-models:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/process-models/*
-  read-all-process-instance:
+    uri: /process-models/*
+
+  # basic perms for everybody
+  read-all-process-instances-for-me:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/process-instances/*
+    uri: /process-instances/for-me/*
  read-process-instance-reports:
    groups: [everybody]
    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/process-instances/reports/*
+    allowed_permissions: [create, read, update, delete]
+    uri: /process-instances/reports/*
  processes-read:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/processes
-  #
-  # task-data-read:
-  #   groups: [demo]
-  #   users: []
-  #   allowed_permissions: [read]
-  #   uri: /v1.0/task-data/*
+    uri: /processes
+  service-tasks:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /service-tasks
+  tasks-crud:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /tasks/*
+  user-groups-for-current-user:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /user-groups/for-current-user


-  manage-procurement-admin:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/manage-procurement:*
-  manage-procurement-admin-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/manage-procurement/*
-  manage-procurement-admin-models:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-models/manage-procurement:*
-  manage-procurement-admin-models-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-models/manage-procurement/*
-  manage-procurement-admin-instances:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/manage-procurement:*
-  manage-procurement-admin-instances-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/manage-procurement/*
-
  finance-admin:
    groups: ["Finance Team"]
    users: []
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/manage-procurement:procurement:*
+    uri: /process-groups/manage-procurement:procurement:*

-  manage-revenue-streams-instantiate:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create]
-    uri: /v1.0/process-models/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
  manage-revenue-streams-instances:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
-
-  manage-procurement-invoice-instantiate:
-    groups: ["core-contributor", "demo"]
+    groups: ["demo"]
    users: []
    allowed_permissions: [create]
-    uri: /v1.0/process-models/manage-procurement:procurement:core-contributor-invoice-management:*
+    uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
  manage-procurement-invoice-instances:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
-
-  manage-procurement-instantiate:
-    groups: ["core-contributor", "demo"]
+    groups: ["demo"]
    users: []
    allowed_permissions: [create]
-    uri: /v1.0/process-models/manage-procurement:vendor-lifecycle-management:*
+    uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
  manage-procurement-instances:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-procurement:vendor-lifecycle-management:*
-
-  core1-admin-models-instantiate:
-    groups: ["core-contributor", "Finance Team"]
+    groups: ["demo"]
    users: []
    allowed_permissions: [create]
-    uri: /v1.0/process-models/misc:category_number_one:process-model-with-form/process-instances
-  core1-admin-instances:
-    groups: ["core-contributor", "Finance Team"]
+    uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
+
+  manage-revenue-streams-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
+  manage-procurement-invoice-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-procurement:procurement:core-contributor-invoice-management:*
+  manage-procurement-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-procurement:vendor-lifecycle-management:*
+
+  create-test-instances:
+    groups: ["test"]
    users: []
    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form:*
-  core1-admin-instances-slash:
-    groups: ["core-contributor", "Finance Team"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form/*
+    uri: /process-instances/misc:test:*
--- a/src/spiffworkflow_backend/config/permissions/example.yml
+++ b/src/spiffworkflow_backend/config/permissions/example.yml
@ -2,14 +2,17 @@ default_group: everybody

 users:
  admin:
+    service: local_open_id
    email: admin@spiffworkflow.org
    password: admin
    preferred_username: Admin
  nelson:
+    service: local_open_id
    email: nelson@spiffworkflow.org
    password: nelson
    preferred_username: Nelson
  malala:
+    service: local_open_id
    email: malala@spiffworkflow.org
    password: malala
    preferred_username: Malala
@ -18,17 +21,17 @@ groups:
  admin:
    users:
      [
-        admin,
+        admin@spiffworkflow.org,
      ]
  Education:
    users:
      [
-        malala
+        malala@spiffworkflow.org
      ]
  President:
    users:
      [
-        nelson
+        nelson@spiffworkflow.org
      ]

 permissions:
@ -44,45 +47,44 @@ permissions:
    groups: [everybody]
    users: []
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/tasks/*
+    uri: /tasks/*

  # Everyone can see everything (all groups, and processes are visible)
  read-all-process-groups:
    groups: [ everybody ]
    users: [ ]
    allowed_permissions: [ read ]
-    uri: /v1.0/process-groups/*
+    uri: /process-groups/*
  read-all-process-models:
    groups: [ everybody ]
    users: [ ]
    allowed_permissions: [ read ]
-    uri: /v1.0/process-models/*
+    uri: /process-models/*
  read-all-process-instance:
    groups: [ everybody ]
    users: [ ]
    allowed_permissions: [ read ]
-    uri: /v1.0/process-instances/*
+    uri: /process-instances/*
  read-process-instance-reports:
    groups: [ everybody ]
    users: [ ]
    allowed_permissions: [ read ]
-    uri: /v1.0/process-instances/reports/*
+    uri: /process-instances/reports/*
  processes-read:
    groups: [ everybody ]
    users: [ ]
    allowed_permissions: [ read ]
-    uri: /v1.0/processes
-
-  # Members of the Education group can change they processes work.
+    uri: /processes
+  # Members of the Education group can change the processes under "education".
  education-admin:
    groups: ["Education", "President"]
    users: []
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/education:*
+    uri: /process-groups/education:*

  # Anyone can start an education process.
  education-everybody:
    groups: [everybody]
    users: []
    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/misc:category_number_one:process-model-with-form/*
+    uri: /process-instances/misc:category_number_one:process-model-with-form/*
--- a/src/spiffworkflow_backend/config/permissions/qa1.yml
+++ b/src/spiffworkflow_backend/config/permissions/qa1.yml
@ -0,0 +1,12 @@
+default_group: everybody
+
+groups:
+  admin:
+    users: [admin@spiffworkflow.org]
+
+permissions:
+  admin:
+    groups: [admin]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /*
--- a/src/spiffworkflow_backend/config/permissions/staging.yml
+++ b/src/spiffworkflow_backend/config/permissions/staging.yml
@ -4,57 +4,53 @@ groups:
  admin:
    users:
      [
-        admin,
-        jakub,
-        kb,
-        alex,
-        dan,
-        mike,
-        jason,
-        j,
-        jarrad,
-        elizabeth,
-        jon,
-        natalia,
+        admin@spiffworkflow.org,
+        jakub@status.im,
+        jarrad@status.im,
+        kb@sartography.com,
+        alex@sartography.com,
+        dan@sartography.com,
+        mike@sartography.com,
+        jason@sartography.com,
+        j@sartography.com,
+        elizabeth@sartography.com,
+        jon@sartography.com,
      ]

  Finance Team:
    users:
      [
-        jakub,
-        alex,
-        dan,
-        mike,
-        jason,
-        j,
-        amir,
-        jarrad,
-        elizabeth,
-        jon,
-        natalia,
-        sasha,
-        fin,
-        fin1,
+        jakub@status.im,
+        amir@status.im,
+        jarrad@status.im,
+        sasha@status.im,
+        fin@status.im,
+        fin1@status.im,
+        alex@sartography.com,
+        dan@sartography.com,
+        mike@sartography.com,
+        jason@sartography.com,
+        j@sartography.com,
+        elizabeth@sartography.com,
+        jon@sartography.com,
      ]

  demo:
    users:
      [
-        core,
-        fin,
-        fin1,
-        harmeet,
-        sasha,
-        manuchehr,
-        lead,
-        lead1
+        harmeet@status.im,
+        sasha@status.im,
+        manuchehr@status.im,
+        core@status.im,
+        fin@status.im,
+        fin1@status.im,
+        lead@status.im,
+        lead1@status.im,
      ]
-
-  core-contributor:
+  test:
    users:
      [
-        core,
-        harmeet,
+        natalia@sartography.com,
      ]

 permissions:
@ -67,99 +63,86 @@ permissions:
    groups: [admin]
    users: []
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/*
+    uri: /process-instances/*

-  tasks-crud:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/tasks/*
-
-  service-tasks:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/service-tasks
-
-
-  # read all for everybody
+  # open system defaults for everybody
  read-all-process-groups:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/process-groups/*
+    uri: /process-groups/*
  read-all-process-models:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/process-models/*
-  read-all-process-instance:
+    uri: /process-models/*
+
+  # basic perms for everybody
+  read-all-process-instances-for-me:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/process-instances/*
+    uri: /process-instances/for-me/*
  read-process-instance-reports:
    groups: [everybody]
    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/process-instances/reports/*
+    allowed_permissions: [create, read, update, delete]
+    uri: /process-instances/reports/*
  processes-read:
    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/processes
-
-
-  manage-procurement-admin-instances:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/manage-procurement:*
-  manage-procurement-admin-instances-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/manage-procurement/*
-  manage-procurement-admin-instance-logs:
-    groups: ["Project Lead"]
+    uri: /processes
+  service-tasks:
+    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/logs/manage-procurement:*
-  manage-procurement-admin-instance-logs-slash:
-    groups: ["Project Lead"]
+    uri: /service-tasks
+  tasks-crud:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [create, read, update, delete]
+    uri: /tasks/*
+  user-groups-for-current-user:
+    groups: [everybody]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/logs/manage-procurement/*
+    uri: /user-groups/for-current-user

  manage-revenue-streams-instances:
-    groups: ["core-contributor", "demo"]
+    groups: ["demo"]
    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
-  manage-revenue-streams-instance-logs:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/logs/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
-
+    allowed_permissions: [create]
+    uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
  manage-procurement-invoice-instances:
-    groups: ["core-contributor", "demo"]
+    groups: ["demo"]
    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
-  manage-procurement-invoice-instance-logs:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/logs/manage-procurement:procurement:core-contributor-invoice-management:*
-
+    allowed_permissions: [create]
+    uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
  manage-procurement-instances:
-    groups: ["core-contributor", "demo"]
+    groups: ["demo"]
    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-procurement:vendor-lifecycle-management:*
-  manage-procurement-instance-logs:
-    groups: ["core-contributor", "demo"]
+    allowed_permissions: [create]
+    uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
+
+  manage-revenue-streams-instances-for-me:
+    groups: ["demo"]
    users: []
    allowed_permissions: [read]
-    uri: /v1.0/logs/manage-procurement:vendor-lifecycle-management:*
+    uri: /process-instances/for-me/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
+  manage-procurement-invoice-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-procurement:procurement:core-contributor-invoice-management:*
+  manage-procurement-instances-for-me:
+    groups: ["demo"]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/for-me/manage-procurement:vendor-lifecycle-management:*
+
+  create-test-instances:
+    groups: ["test"]
+    users: []
+    allowed_permissions: [create, read]
+    uri: /process-instances/misc:test:*
--- a/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
+++ b/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
@ -2,60 +2,7 @@ default_group: everybody

 groups:
  admin:
-    users:
-      [
-        admin,
-        jakub,
-        kb,
-        alex,
-        dan,
-        mike,
-        jason,
-        j,
-        jarrad,
-        elizabeth,
-        jon,
-        natalia,
-      ]
-
-  Finance Team:
-    users:
-      [
-        jakub,
-        alex,
-        dan,
-        mike,
-        jason,
-        j,
-        amir,
-        jarrad,
-        elizabeth,
-        jon,
-        natalia,
-        sasha,
-        fin,
-        fin1,
-      ]
-
-  demo:
-    users:
-      [
-        core,
-        fin,
-        fin1,
-        harmeet,
-        sasha,
-        manuchehr,
-        lead,
-        lead1
-      ]
-
-  core-contributor:
-    users:
-      [
-        core,
-        harmeet,
-      ]
+    users: [admin@spiffworkflow.org]

 permissions:
  admin:
@ -63,105 +10,3 @@ permissions:
    users: []
    allowed_permissions: [create, read, update, delete]
    uri: /*
-
-  tasks-crud:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/tasks/*
-
-  service-tasks:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/service-tasks
-
-
-  # read all for everybody
-  read-all-process-groups:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/process-groups/*
-  read-all-process-models:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/process-models/*
-  read-all-process-instance:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/process-instances/*
-  read-process-instance-reports:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/process-instances/reports/*
-  processes-read:
-    groups: [everybody]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/processes
-
-  task-data-read:
-    groups: [demo]
-    users: []
-    allowed_permissions: [read]
-    uri: /v1.0/task-data/*
-
-
-  manage-procurement-admin:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/manage-procurement:*
-  manage-procurement-admin-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/manage-procurement/*
-  manage-procurement-admin-models:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-models/manage-procurement:*
-  manage-procurement-admin-models-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-models/manage-procurement/*
-  manage-procurement-admin-instances:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/manage-procurement:*
-  manage-procurement-admin-instances-slash:
-    groups: ["Project Lead"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/manage-procurement/*
-
-  finance-admin:
-    groups: ["Finance Team"]
-    users: []
-    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/manage-procurement:procurement:*
-
-  manage-revenue-streams-instances:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
-
-  manage-procurement-invoice-instances:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
-
-  manage-procurement-instances:
-    groups: ["core-contributor", "demo"]
-    users: []
-    allowed_permissions: [create, read]
-    uri: /v1.0/process-instances/manage-procurement:vendor-lifecycle-management:*
--- a/src/spiffworkflow_backend/config/permissions/testing.yml
+++ b/src/spiffworkflow_backend/config/permissions/testing.yml
@ -1,5 +1,12 @@
 default_group: everybody

+users:
+  testadmin1:
+    service: https://testing/openid/thing
+    email: testadmin1@spiffworkflow.org
+    password: admin
+    preferred_username: El administrador de la muerte
+
 groups:
  admin:
    users: [testadmin1, testadmin2]
@ -14,7 +21,7 @@ permissions:
  admin:
    groups: [admin]
    users: []
-    allowed_permissions: [create, read, update, delete, list, instantiate]
+    allowed_permissions: [create, read, update, delete]
    uri: /*

  read-all:
@ -23,33 +30,39 @@ permissions:
    allowed_permissions: [read]
    uri: /*

+  process-instances-find-by-id:
+    groups: [everybody]
+    users: []
+    allowed_permissions: [read]
+    uri: /process-instances/find-by-id/*
+
  tasks-crud:
    groups: [everybody]
    users: []
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/tasks/*
+    uri: /tasks/*

  # TODO: all uris should really have the same structure
  finance-admin-group:
    groups: ["Finance Team"]
    users: [testuser4]
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-groups/finance/*
+    uri: /process-groups/finance/*

  finance-admin-model:
    groups: ["Finance Team"]
    users: [testuser4]
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-models/finance/*
+    uri: /process-models/finance/*

  finance-admin-model-lanes:
    groups: ["Finance Team"]
    users: [testuser4]
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-models/finance:model_with_lanes/*
+    uri: /process-models/finance:model_with_lanes/*

  finance-admin-instance-run:
    groups: ["Finance Team"]
    users: [testuser4]
    allowed_permissions: [create, read, update, delete]
-    uri: /v1.0/process-instances/*
+    uri: /process-instances/*
--- a/src/spiffworkflow_backend/config/qa1.py
+++ b/src/spiffworkflow_backend/config/qa1.py
@ -0,0 +1,11 @@
+"""Qa1."""
+from os import environ
+
+GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO", default="qa2")
+GIT_USERNAME = environ.get("GIT_USERNAME", default="sartography-automated-committer")
+GIT_USER_EMAIL = environ.get(
+    "GIT_USER_EMAIL", default="sartography-automated-committer@users.noreply.github.com"
+)
+SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get(
+    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="qa1.yml"
+)
--- a/src/spiffworkflow_backend/config/staging.py
+++ b/src/spiffworkflow_backend/config/staging.py
@ -1,7 +1,7 @@
 """Staging."""
 from os import environ

-GIT_BRANCH = environ.get("GIT_BRANCH_TO_PUBLISH_TO", default="staging")
+GIT_BRANCH = environ.get("GIT_BRANCH", default="staging")
 GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO", default="main")
 GIT_COMMIT_ON_SAVE = False
 SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = "staging.yml"
--- a/src/spiffworkflow_backend/helpers/api_version.py
+++ b/src/spiffworkflow_backend/helpers/api_version.py
@ -0,0 +1,2 @@
+"""Api_version."""
+V1_API_PATH_PREFIX = "/v1.0"
--- a/src/spiffworkflow_backend/interfaces.py
+++ b/src/spiffworkflow_backend/interfaces.py
@ -0,0 +1,24 @@
+"""Interfaces."""
+from typing import NewType
+from typing import TYPE_CHECKING
+from typing import TypedDict
+
+if TYPE_CHECKING:
+    from spiffworkflow_backend.models.process_group import ProcessGroup
+
+
+IdToProcessGroupMapping = NewType("IdToProcessGroupMapping", dict[str, "ProcessGroup"])
+
+
+class ProcessGroupLite(TypedDict):
+    """ProcessGroupLite."""
+
+    id: str
+    display_name: str
+
+
+class ProcessGroupLitesWithCache(TypedDict):
+    """ProcessGroupLitesWithCache."""
+
+    cache: dict[str, "ProcessGroup"]
+    process_groups: list[ProcessGroupLite]
--- a/src/spiffworkflow_backend/load_database_models.py
+++ b/src/spiffworkflow_backend/load_database_models.py
@ -17,7 +17,7 @@ from spiffworkflow_backend.models.user_group_assignment import (
 from spiffworkflow_backend.models.principal import PrincipalModel  # noqa: F401


-from spiffworkflow_backend.models.active_task import ActiveTaskModel  # noqa: F401
+from spiffworkflow_backend.models.human_task import HumanTaskModel  # noqa: F401
 from spiffworkflow_backend.models.spec_reference import (
    SpecReferenceCache,
 )  # noqa: F401
--- a/src/spiffworkflow_backend/models/group.py
+++ b/src/spiffworkflow_backend/models/group.py
@ -27,6 +27,9 @@ class GroupModel(FlaskBpmnGroupModel):
    identifier = db.Column(db.String(255))

    user_group_assignments = relationship("UserGroupAssignmentModel", cascade="delete")
+    user_group_assignments_waiting = relationship(  # type: ignore
+        "UserGroupAssignmentWaitingModel", cascade="delete"
+    )
    users = relationship(  # type: ignore
        "UserModel",
        viewonly=True,
--- a/src/spiffworkflow_backend/models/active_task.py
+++ b/src/spiffworkflow_backend/models/active_task.py
@ -1,4 +1,4 @@
-"""Active_task."""
+"""Human_task."""
 from __future__ import annotations

 from dataclasses import dataclass
@ -8,7 +8,6 @@ from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import relationship
-from sqlalchemy.orm import RelationshipProperty

 from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
@ -17,29 +16,30 @@ from spiffworkflow_backend.models.user import UserModel


 if TYPE_CHECKING:
-    from spiffworkflow_backend.models.active_task_user import (  # noqa: F401
-        ActiveTaskUserModel,
+    from spiffworkflow_backend.models.human_task_user import (  # noqa: F401
+        HumanTaskUserModel,
    )


@dataclass
-class ActiveTaskModel(SpiffworkflowBaseDBModel):
-    """ActiveTaskModel."""
+class HumanTaskModel(SpiffworkflowBaseDBModel):
+    """HumanTaskModel."""

-    __tablename__ = "active_task"
+    __tablename__ = "human_task"
    __table_args__ = (
-        db.UniqueConstraint(
-            "task_id", "process_instance_id", name="active_task_unique"
-        ),
+        db.UniqueConstraint("task_id", "process_instance_id", name="human_task_unique"),
    )

-    actual_owner: RelationshipProperty[UserModel] = relationship(UserModel)
    id: int = db.Column(db.Integer, primary_key=True)
    process_instance_id: int = db.Column(
        ForeignKey(ProcessInstanceModel.id), nullable=False  # type: ignore
    )
-    actual_owner_id: int = db.Column(ForeignKey(UserModel.id))
    lane_assignment_id: int | None = db.Column(ForeignKey(GroupModel.id))
+    completed_by_user_id: int = db.Column(ForeignKey(UserModel.id), nullable=True)  # type: ignore
+
+    actual_owner_id: int = db.Column(ForeignKey(UserModel.id))  # type: ignore
+    # actual_owner: RelationshipProperty[UserModel] = relationship(UserModel)
+
    form_file_name: str | None = db.Column(db.String(50))
    ui_form_file_name: str | None = db.Column(db.String(50))

@ -52,17 +52,18 @@ class ActiveTaskModel(SpiffworkflowBaseDBModel):
    task_type: str = db.Column(db.String(50))
    task_status: str = db.Column(db.String(50))
    process_model_display_name: str = db.Column(db.String(255))
+    completed: bool = db.Column(db.Boolean, default=False, nullable=False, index=True)

-    active_task_users = relationship("ActiveTaskUserModel", cascade="delete")
+    human_task_users = relationship("HumanTaskUserModel", cascade="delete")
    potential_owners = relationship(  # type: ignore
        "UserModel",
        viewonly=True,
-        secondary="active_task_user",
-        overlaps="active_task_user,users",
+        secondary="human_task_user",
+        overlaps="human_task_user,users",
    )

    @classmethod
-    def to_task(cls, task: ActiveTaskModel) -> Task:
+    def to_task(cls, task: HumanTaskModel) -> Task:
        """To_task."""
        new_task = Task(
            task.task_id,
@ -79,7 +80,7 @@ class ActiveTaskModel(SpiffworkflowBaseDBModel):
        if hasattr(task, "process_model_identifier"):
            new_task.process_model_identifier = task.process_model_identifier

-        # active tasks only have status when getting the list on the home page
+        # human tasks only have status when getting the list on the home page
        # and it comes from the process_instance. it should not be confused with task_status.
        if hasattr(task, "status"):
            new_task.process_instance_status = task.status
--- a/src/spiffworkflow_backend/models/active_task_user.py
+++ b/src/spiffworkflow_backend/models/active_task_user.py
@ -1,4 +1,4 @@
-"""Active_task_user."""
+"""Human_task_user."""
 from __future__ import annotations

 from dataclasses import dataclass
@ -7,26 +7,26 @@ from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey

-from spiffworkflow_backend.models.active_task import ActiveTaskModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
 from spiffworkflow_backend.models.user import UserModel


@dataclass
-class ActiveTaskUserModel(SpiffworkflowBaseDBModel):
-    """ActiveTaskUserModel."""
+class HumanTaskUserModel(SpiffworkflowBaseDBModel):
+    """HumanTaskUserModel."""

-    __tablename__ = "active_task_user"
+    __tablename__ = "human_task_user"

    __table_args__ = (
        db.UniqueConstraint(
-            "active_task_id",
+            "human_task_id",
            "user_id",
-            name="active_task_user_unique",
+            name="human_task_user_unique",
        ),
    )

    id = db.Column(db.Integer, primary_key=True)
-    active_task_id = db.Column(
-        ForeignKey(ActiveTaskModel.id), nullable=False, index=True  # type: ignore
+    human_task_id = db.Column(
+        ForeignKey(HumanTaskModel.id), nullable=False, index=True  # type: ignore
    )
-    user_id = db.Column(ForeignKey(UserModel.id), nullable=False, index=True)
+    user_id = db.Column(ForeignKey(UserModel.id), nullable=False, index=True)  # type: ignore
--- a/src/spiffworkflow_backend/models/message_instance.py
+++ b/src/spiffworkflow_backend/models/message_instance.py
@ -86,5 +86,6 @@ def ensure_failure_cause_is_set_if_message_instance_failed(
        if isinstance(instance, MessageInstanceModel):
            if instance.status == "failed" and instance.failure_cause is None:
                raise ValueError(
-                    f"{instance.__class__.__name__}: failure_cause must be set if status is failed"
+                    f"{instance.__class__.__name__}: failure_cause must be set if"
+                    " status is failed"
                )
--- a/src/spiffworkflow_backend/models/permission_assignment.py
+++ b/src/spiffworkflow_backend/models/permission_assignment.py
@ -32,14 +32,6 @@ class Permission(enum.Enum):
    update = "update"
    delete = "delete"

-    # maybe read to GET process_model/process-instances instead?
-    list = "list"
-
-    # maybe use create instead on
-    # POST http://localhost:7000/v1.0/process-models/category_number_one/call-activity/process-instances/*
-    # POST http://localhost:7000/v1.0/process-models/category_number_one/call-activity/process-instances/332/run
-    instantiate = "instantiate"  # this is something you do to a process model
-

 class PermissionAssignmentModel(SpiffworkflowBaseDBModel):
    """PermissionAssignmentModel."""
--- a/src/spiffworkflow_backend/models/principal.py
+++ b/src/spiffworkflow_backend/models/principal.py
@ -27,7 +27,7 @@ class PrincipalModel(SpiffworkflowBaseDBModel):
    __table_args__ = (CheckConstraint("NOT(user_id IS NULL AND group_id IS NULL)"),)

    id = db.Column(db.Integer, primary_key=True)
-    user_id = db.Column(ForeignKey(UserModel.id), nullable=True, unique=True)
+    user_id = db.Column(ForeignKey(UserModel.id), nullable=True, unique=True)  # type: ignore
    group_id = db.Column(ForeignKey(GroupModel.id), nullable=True, unique=True)

    user = relationship("UserModel", viewonly=True)
--- a/src/spiffworkflow_backend/models/process_group.py
+++ b/src/spiffworkflow_backend/models/process_group.py
@ -11,6 +11,7 @@ import marshmallow
 from marshmallow import post_load
 from marshmallow import Schema

+from spiffworkflow_backend.interfaces import ProcessGroupLite
 from spiffworkflow_backend.models.process_model import ProcessModelInfo


@ -29,7 +30,7 @@ class ProcessGroup:
        default_factory=list[ProcessModelInfo]
    )
    process_groups: list[ProcessGroup] = field(default_factory=list["ProcessGroup"])
-    parent_groups: list[dict] | None = None
+    parent_groups: list[ProcessGroupLite] | None = None

    def __post_init__(self) -> None:
        """__post_init__."""
--- a/src/spiffworkflow_backend/models/process_instance.py
+++ b/src/spiffworkflow_backend/models/process_instance.py
@ -26,34 +26,12 @@ class ProcessInstanceNotFoundError(Exception):
    """ProcessInstanceNotFoundError."""


-class NavigationItemSchema(Schema):
-    """NavigationItemSchema."""
+class ProcessInstanceTaskDataCannotBeUpdatedError(Exception):
+    """ProcessInstanceTaskDataCannotBeUpdatedError."""

-    class Meta:
-        """Meta."""

-        fields = [
-            "spec_id",
-            "name",
-            "spec_type",
-            "task_id",
-            "description",
-            "backtracks",
-            "indent",
-            "lane",
-            "state",
-            "children",
-        ]
-        unknown = INCLUDE
-
-    state = marshmallow.fields.String(required=False, allow_none=True)
-    description = marshmallow.fields.String(required=False, allow_none=True)
-    backtracks = marshmallow.fields.String(required=False, allow_none=True)
-    lane = marshmallow.fields.String(required=False, allow_none=True)
-    task_id = marshmallow.fields.String(required=False, allow_none=True)
-    children = marshmallow.fields.List(
-        marshmallow.fields.Nested(lambda: NavigationItemSchema())
-    )
+class ProcessInstanceCannotBeDeletedError(Exception):
+    """ProcessInstanceCannotBeDeletedError."""


 class ProcessInstanceStatus(SpiffEnum):
@ -79,10 +57,22 @@ class ProcessInstanceModel(SpiffworkflowBaseDBModel):
    process_model_display_name: str = db.Column(
        db.String(255), nullable=False, index=True
    )
-    process_initiator_id: int = db.Column(ForeignKey(UserModel.id), nullable=False)
+    process_initiator_id: int = db.Column(ForeignKey(UserModel.id), nullable=False)  # type: ignore
    process_initiator = relationship("UserModel")

-    active_tasks = relationship("ActiveTaskModel", cascade="delete")  # type: ignore
+    active_human_tasks = relationship(
+        "HumanTaskModel",
+        primaryjoin=(
+            "and_(HumanTaskModel.process_instance_id==ProcessInstanceModel.id,"
+            " HumanTaskModel.completed == False)"
+        ),
+    )  # type: ignore
+
+    human_tasks = relationship(
+        "HumanTaskModel",
+        cascade="delete",
+        overlaps="active_human_tasks",
+    )  # type: ignore
    message_instances = relationship("MessageInstanceModel", cascade="delete")  # type: ignore
    message_correlations = relationship("MessageCorrelationModel", cascade="delete")  # type: ignore

@ -131,6 +121,19 @@ class ProcessInstanceModel(SpiffworkflowBaseDBModel):
        """Validate_status."""
        return self.validate_enum_field(key, value, ProcessInstanceStatus)

+    def can_submit_task(self) -> bool:
+        """Can_submit_task."""
+        return not self.has_terminal_status() and self.status != "suspended"
+
+    def has_terminal_status(self) -> bool:
+        """Has_terminal_status."""
+        return self.status in self.terminal_statuses()
+
+    @classmethod
+    def terminal_statuses(cls) -> list[str]:
+        """Terminal_statuses."""
+        return ["complete", "error", "terminated"]
+

 class ProcessInstanceModelSchema(Schema):
    """ProcessInstanceModelSchema."""
--- a/src/spiffworkflow_backend/models/process_instance_report.py
+++ b/src/spiffworkflow_backend/models/process_instance_report.py
@ -70,7 +70,7 @@ class ProcessInstanceReportModel(SpiffworkflowBaseDBModel):
    id: int = db.Column(db.Integer, primary_key=True)
    identifier: str = db.Column(db.String(50), nullable=False, index=True)
    report_metadata: dict = deferred(db.Column(db.JSON))  # type: ignore
-    created_by_id = db.Column(ForeignKey(UserModel.id), nullable=False, index=True)
+    created_by_id = db.Column(ForeignKey(UserModel.id), nullable=False, index=True)  # type: ignore
    created_by = relationship("UserModel")
    created_at_in_seconds = db.Column(db.Integer)
    updated_at_in_seconds = db.Column(db.Integer)
--- a/src/spiffworkflow_backend/models/process_model.py
+++ b/src/spiffworkflow_backend/models/process_model.py
@ -11,6 +11,7 @@ import marshmallow
 from marshmallow import Schema
 from marshmallow.decorators import post_load

+from spiffworkflow_backend.interfaces import ProcessGroupLite
 from spiffworkflow_backend.models.file import File


@ -37,7 +38,7 @@ class ProcessModelInfo:
    files: list[File] | None = field(default_factory=list[File])
    fault_or_suspend_on_exception: str = NotificationType.fault.value
    exception_notification_addresses: list[str] = field(default_factory=list)
-    parent_groups: list[dict] | None = None
+    parent_groups: list[ProcessGroupLite] | None = None
    metadata_extraction_paths: list[dict[str, str]] | None = None

    def __post_init__(self) -> None:
@ -57,6 +58,14 @@ class ProcessModelInfo:
        """Id_for_file_path."""
        return self.id.replace("/", os.sep)

+    @classmethod
+    def modify_process_identifier_for_path_param(cls, identifier: str) -> str:
+        """Identifier."""
+        if "\\" in identifier:
+            raise Exception(f"Found backslash in identifier: {identifier}")
+
+        return identifier.replace("/", ":")
+

 class ProcessModelInfoSchema(Schema):
    """ProcessModelInfoSchema."""
--- a/src/spiffworkflow_backend/models/secret_model.py
+++ b/src/spiffworkflow_backend/models/secret_model.py
@ -17,7 +17,7 @@ class SecretModel(SpiffworkflowBaseDBModel):
    id: int = db.Column(db.Integer, primary_key=True)
    key: str = db.Column(db.String(50), unique=True, nullable=False)
    value: str = db.Column(db.Text(), nullable=False)
-    user_id: int = db.Column(ForeignKey(UserModel.id), nullable=False)
+    user_id: int = db.Column(ForeignKey(UserModel.id), nullable=False)  # type: ignore
    updated_at_in_seconds: int = db.Column(db.Integer)
    created_at_in_seconds: int = db.Column(db.Integer)

--- a/src/spiffworkflow_backend/models/spiff_step_details.py
+++ b/src/spiffworkflow_backend/models/spiff_step_details.py
@ -1,13 +1,11 @@
 """Spiff_step_details."""
 from dataclasses import dataclass
-from typing import Optional

 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import deferred

-from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel


@ -20,10 +18,13 @@ class SpiffStepDetailsModel(SpiffworkflowBaseDBModel):
    process_instance_id: int = db.Column(
        ForeignKey(ProcessInstanceModel.id), nullable=False  # type: ignore
    )
+    # human_task_id: int = db.Column(
+    #     ForeignKey(HumanTaskModel.id)  # type: ignore
+    # )
    spiff_step: int = db.Column(db.Integer, nullable=False)
    task_json: dict = deferred(db.Column(db.JSON, nullable=False))  # type: ignore
    timestamp: float = db.Column(db.DECIMAL(17, 6), nullable=False)
-    completed_by_user_id: int = db.Column(db.Integer, nullable=True)
-    lane_assignment_id: Optional[int] = db.Column(
-        ForeignKey(GroupModel.id), nullable=True
-    )
+    # completed_by_user_id: int = db.Column(db.Integer, nullable=True)
+    # lane_assignment_id: Optional[int] = db.Column(
+    #     ForeignKey(GroupModel.id), nullable=True
+    # )
--- a/src/spiffworkflow_backend/models/task.py
+++ b/src/spiffworkflow_backend/models/task.py
@ -43,8 +43,8 @@ class Task:
    FIELD_TYPE_EMAIL = "email"  # email: Email address
    FIELD_TYPE_URL = "url"  # url: Website address

-    FIELD_PROP_AUTO_COMPLETE_MAX = (
-        "autocomplete_num"  # Not used directly, passed in from the front end.
+    FIELD_PROP_AUTO_COMPLETE_MAX = (  # Not used directly, passed in from the front end.
+        "autocomplete_num"
    )

    # Required field
@ -77,8 +77,8 @@ class Task:

    # File specific field properties
    FIELD_PROP_DOC_CODE = "doc_code"  # to associate a file upload field with a doc code
-    FIELD_PROP_FILE_DATA = (
-        "file_data"  # to associate a bit of data with a specific file upload file.
+    FIELD_PROP_FILE_DATA = (  # to associate a bit of data with a specific file upload file.
+        "file_data"
    )

    # Additional properties
@ -118,7 +118,9 @@ class Task:
        form_schema: Union[str, None] = None,
        form_ui_schema: Union[str, None] = None,
        parent: Optional[str] = None,
+        event_definition: Union[dict[str, Any], None] = None,
        call_activity_process_identifier: Optional[str] = None,
+        calling_subprocess_task_id: Optional[str] = None,
    ):
        """__init__."""
        self.id = id
@ -130,7 +132,9 @@ class Task:
        self.documentation = documentation
        self.lane = lane
        self.parent = parent
+        self.event_definition = event_definition
        self.call_activity_process_identifier = call_activity_process_identifier
+        self.calling_subprocess_task_id = calling_subprocess_task_id

        self.data = data
        if self.data is None:
@ -189,7 +193,9 @@ class Task:
            "form_schema": self.form_schema,
            "form_ui_schema": self.form_ui_schema,
            "parent": self.parent,
+            "event_definition": self.event_definition,
            "call_activity_process_identifier": self.call_activity_process_identifier,
+            "calling_subprocess_task_id": self.calling_subprocess_task_id,
        }

    @classmethod
@ -290,6 +296,7 @@ class TaskSchema(Schema):
            "process_instance_id",
            "form_schema",
            "form_ui_schema",
+            "event_definition",
        ]

    multi_instance_type = EnumField(MultiInstanceType)
--- a/src/spiffworkflow_backend/models/user.py
+++ b/src/spiffworkflow_backend/models/user.py
@ -1,42 +1,41 @@
 """User."""
 from __future__ import annotations

-from typing import Any
+from dataclasses import dataclass

 import jwt
 import marshmallow
 from flask import current_app
-from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from marshmallow import Schema
 from sqlalchemy.orm import relationship
-from sqlalchemy.orm import validates

 from spiffworkflow_backend.models.group import GroupModel
-from spiffworkflow_backend.services.authentication_service import (
-    AuthenticationProviderTypes,
-)


 class UserNotFoundError(Exception):
    """UserNotFoundError."""


+@dataclass
 class UserModel(SpiffworkflowBaseDBModel):
    """UserModel."""

    __tablename__ = "user"
    __table_args__ = (db.UniqueConstraint("service", "service_id", name="service_key"),)

-    id = db.Column(db.Integer, primary_key=True)
-    # server and service id must be unique, not username.
-    username = db.Column(db.String(255), nullable=False, unique=False)
-    uid = db.Column(db.String(50), unique=True)
-    service = db.Column(db.String(50), nullable=False, unique=False)
+    id: int = db.Column(db.Integer, primary_key=True)
+    username: str = db.Column(db.String(255), nullable=False, unique=True)
+
+    service = db.Column(
+        db.String(255), nullable=False, unique=False
+    )  # not 'openid' -- google, aws
    service_id = db.Column(db.String(255), nullable=False, unique=False)
-    name = db.Column(db.String(255))
+    display_name = db.Column(db.String(255))
    email = db.Column(db.String(255))
+    updated_at_in_seconds: int = db.Column(db.Integer)
+    created_at_in_seconds: int = db.Column(db.Integer)

    user_group_assignments = relationship("UserGroupAssignmentModel", cascade="delete")  # type: ignore
    groups = relationship(  # type: ignore
@ -47,21 +46,6 @@ class UserModel(SpiffworkflowBaseDBModel):
    )
    principal = relationship("PrincipalModel", uselist=False)  # type: ignore

-    @validates("service")
-    def validate_service(self, key: str, value: Any) -> str:
-        """Validate_service."""
-        try:
-            ap_type = getattr(AuthenticationProviderTypes, value, None)
-        except Exception as e:
-            raise ValueError(f"invalid service type: {value}") from e
-        if ap_type is not None:
-            ap_value: str = ap_type.value
-            return ap_value
-        raise ApiError(
-            error_code="invalid_service",
-            message=f"Could not validate service with value: {value}",
-        )
-
    def encode_auth_token(self) -> str:
        """Generate the Auth Token.

--- a/src/spiffworkflow_backend/models/user_group_assignment.py
+++ b/src/spiffworkflow_backend/models/user_group_assignment.py
@ -17,7 +17,7 @@ class UserGroupAssignmentModel(SpiffworkflowBaseDBModel):
    )

    id = db.Column(db.Integer, primary_key=True)
-    user_id = db.Column(ForeignKey(UserModel.id), nullable=False)
+    user_id = db.Column(ForeignKey(UserModel.id), nullable=False)  # type: ignore
    group_id = db.Column(ForeignKey(GroupModel.id), nullable=False)

    group = relationship("GroupModel", overlaps="groups,user_group_assignments,users")  # type: ignore
--- a/src/spiffworkflow_backend/models/user_group_assignment_waiting.py
+++ b/src/spiffworkflow_backend/models/user_group_assignment_waiting.py
@ -0,0 +1,34 @@
+"""UserGroupAssignment."""
+from flask_bpmn.models.db import db
+from flask_bpmn.models.db import SpiffworkflowBaseDBModel
+from sqlalchemy import ForeignKey
+from sqlalchemy.orm import relationship
+
+from spiffworkflow_backend.models.group import GroupModel
+
+
+class UserGroupAssignmentWaitingModel(SpiffworkflowBaseDBModel):
+    """When a user is assigned to a group, but that username does not exist.
+
+    We cache it here to be applied in the event the user does log in to the system.
+    """
+
+    MATCH_ALL_USERS = "*"
+    __tablename__ = "user_group_assignment_waiting"
+    __table_args__ = (
+        db.UniqueConstraint(
+            "username", "group_id", name="user_group_assignment_staged_unique"
+        ),
+    )
+
+    id = db.Column(db.Integer, primary_key=True)
+    username = db.Column(db.String(255), nullable=False)
+    group_id = db.Column(ForeignKey(GroupModel.id), nullable=False)
+
+    group = relationship("GroupModel", overlaps="groups,user_group_assignments_waiting,users")  # type: ignore
+
+    def is_match_all(self) -> bool:
+        """Is_match_all."""
+        if self.username == self.MATCH_ALL_USERS:
+            return True
+        return False
--- a/src/spiffworkflow_backend/routes/admin_blueprint/admin_blueprint.py
+++ b/src/spiffworkflow_backend/routes/admin_blueprint/admin_blueprint.py
@ -141,7 +141,7 @@ def process_model_save(process_model_id: str, file_name: str) -> Union[str, Resp
@admin_blueprint.route("/process-models/<process_model_id>/run", methods=["GET"])
 def process_model_run(process_model_id: str) -> Union[str, Response]:
    """Process_model_run."""
-    user = UserService.create_user("internal", "Mr. Test", username="Mr. Test")
+    user = UserService.create_user("Mr. Test", "internal", "Mr. Test")
    process_instance = (
        ProcessInstanceService.create_process_instance_from_process_model_identifier(
            process_model_id, user
--- a/src/spiffworkflow_backend/routes/health_controller.py
+++ b/src/spiffworkflow_backend/routes/health_controller.py
@ -0,0 +1,13 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+
+import flask.wrappers
+from flask.wrappers import Response
+
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+
+
+def status() -> flask.wrappers.Response:
+    """Status."""
+    ProcessInstanceModel.query.filter().first()
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
--- a/src/spiffworkflow_backend/routes/messages_controller.py
+++ b/src/spiffworkflow_backend/routes/messages_controller.py
@ -0,0 +1,176 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+from typing import Any
+from typing import Dict
+from typing import Optional
+
+import flask.wrappers
+from flask import g
+from flask import jsonify
+from flask import make_response
+from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+
+from spiffworkflow_backend.models.message_correlation import MessageCorrelationModel
+from spiffworkflow_backend.models.message_instance import MessageInstanceModel
+from spiffworkflow_backend.models.message_model import MessageModel
+from spiffworkflow_backend.models.message_triggerable_process_model import (
+    MessageTriggerableProcessModel,
+)
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModelSchema
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _find_process_instance_by_id_or_raise,
+)
+from spiffworkflow_backend.services.message_service import MessageService
+
+
+def message_instance_list(
+    process_instance_id: Optional[int] = None,
+    page: int = 1,
+    per_page: int = 100,
+) -> flask.wrappers.Response:
+    """Message_instance_list."""
+    # to make sure the process instance exists
+    message_instances_query = MessageInstanceModel.query
+
+    if process_instance_id:
+        message_instances_query = message_instances_query.filter_by(
+            process_instance_id=process_instance_id
+        )
+
+    message_instances = (
+        message_instances_query.order_by(
+            MessageInstanceModel.created_at_in_seconds.desc(),  # type: ignore
+            MessageInstanceModel.id.desc(),  # type: ignore
+        )
+        .join(MessageModel, MessageModel.id == MessageInstanceModel.message_model_id)
+        .join(ProcessInstanceModel)
+        .add_columns(
+            MessageModel.identifier.label("message_identifier"),
+            ProcessInstanceModel.process_model_identifier,
+            ProcessInstanceModel.process_model_display_name,
+        )
+        .paginate(page=page, per_page=per_page, error_out=False)
+    )
+
+    for message_instance in message_instances:
+        message_correlations: dict = {}
+        for (
+            mcmi
+        ) in (
+            message_instance.MessageInstanceModel.message_correlations_message_instances
+        ):
+            mc = MessageCorrelationModel.query.filter_by(
+                id=mcmi.message_correlation_id
+            ).all()
+            for m in mc:
+                if m.name not in message_correlations:
+                    message_correlations[m.name] = {}
+                message_correlations[m.name][
+                    m.message_correlation_property.identifier
+                ] = m.value
+        message_instance.MessageInstanceModel.message_correlations = (
+            message_correlations
+        )
+
+    response_json = {
+        "results": message_instances.items,
+        "pagination": {
+            "count": len(message_instances.items),
+            "total": message_instances.total,
+            "pages": message_instances.pages,
+        },
+    }
+
+    return make_response(jsonify(response_json), 200)
+
+
+# body: {
+#   payload: dict,
+#   process_instance_id: Optional[int],
+# }
+def message_start(
+    message_identifier: str,
+    body: Dict[str, Any],
+) -> flask.wrappers.Response:
+    """Message_start."""
+    message_model = MessageModel.query.filter_by(identifier=message_identifier).first()
+    if message_model is None:
+        raise (
+            ApiError(
+                error_code="unknown_message",
+                message=f"Could not find message with identifier: {message_identifier}",
+                status_code=404,
+            )
+        )
+
+    if "payload" not in body:
+        raise (
+            ApiError(
+                error_code="missing_payload",
+                message="Body is missing payload.",
+                status_code=400,
+            )
+        )
+
+    process_instance = None
+    if "process_instance_id" in body:
+        # to make sure we have a valid process_instance_id
+        process_instance = _find_process_instance_by_id_or_raise(
+            body["process_instance_id"]
+        )
+
+        message_instance = MessageInstanceModel.query.filter_by(
+            process_instance_id=process_instance.id,
+            message_model_id=message_model.id,
+            message_type="receive",
+            status="ready",
+        ).first()
+        if message_instance is None:
+            raise (
+                ApiError(
+                    error_code="cannot_find_waiting_message",
+                    message=(
+                        "Could not find waiting message for identifier"
+                        f" {message_identifier} and process instance"
+                        f" {process_instance.id}"
+                    ),
+                    status_code=400,
+                )
+            )
+        MessageService.process_message_receive(
+            message_instance, message_model.name, body["payload"]
+        )
+
+    else:
+        message_triggerable_process_model = (
+            MessageTriggerableProcessModel.query.filter_by(
+                message_model_id=message_model.id
+            ).first()
+        )
+
+        if message_triggerable_process_model is None:
+            raise (
+                ApiError(
+                    error_code="cannot_start_message",
+                    message=(
+                        "Message with identifier cannot be start with message:"
+                        f" {message_identifier}"
+                    ),
+                    status_code=400,
+                )
+            )
+
+        process_instance = MessageService.process_message_triggerable_process_model(
+            message_triggerable_process_model,
+            message_model.name,
+            body["payload"],
+            g.user,
+        )
+
+    return Response(
+        json.dumps(ProcessInstanceModelSchema().dump(process_instance)),
+        status=200,
+        mimetype="application/json",
+    )
--- a/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@ -111,6 +111,7 @@ def token() -> dict:
            "iat": time.time(),
            "exp": time.time() + 86400,  # Expire after a day.
            "sub": user_name,
+            "email": user_details["email"],
            "preferred_username": user_details.get("preferred_username", user_name),
        },
        client_secret,
--- a/src/spiffworkflow_backend/routes/process_api_blueprint.py
+++ b/src/spiffworkflow_backend/routes/process_api_blueprint.py
--- a/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/src/spiffworkflow_backend/routes/process_groups_controller.py
@ -0,0 +1,130 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+from typing import Any
+from typing import Optional
+
+import flask.wrappers
+from flask import g
+from flask import jsonify
+from flask import make_response
+from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+
+from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
+    ProcessEntityNotFoundError,
+)
+from spiffworkflow_backend.models.process_group import ProcessGroup
+from spiffworkflow_backend.models.process_group import ProcessGroupSchema
+from spiffworkflow_backend.routes.process_api_blueprint import _commit_and_push_to_git
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _un_modify_modified_process_model_id,
+)
+from spiffworkflow_backend.services.process_model_service import ProcessModelService
+
+
+def process_group_create(body: dict) -> flask.wrappers.Response:
+    """Add_process_group."""
+    process_group = ProcessGroup(**body)
+    ProcessModelService.add_process_group(process_group)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} added process group {process_group.id}"
+    )
+    return make_response(jsonify(process_group), 201)
+
+
+def process_group_delete(modified_process_group_id: str) -> flask.wrappers.Response:
+    """Process_group_delete."""
+    process_group_id = _un_modify_modified_process_model_id(modified_process_group_id)
+    ProcessModelService().process_group_delete(process_group_id)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} deleted process group {process_group_id}"
+    )
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_group_update(
+    modified_process_group_id: str, body: dict
+) -> flask.wrappers.Response:
+    """Process Group Update."""
+    body_include_list = ["display_name", "description"]
+    body_filtered = {
+        include_item: body[include_item]
+        for include_item in body_include_list
+        if include_item in body
+    }
+
+    process_group_id = _un_modify_modified_process_model_id(modified_process_group_id)
+    process_group = ProcessGroup(id=process_group_id, **body_filtered)
+    ProcessModelService.update_process_group(process_group)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} updated process group {process_group_id}"
+    )
+    return make_response(jsonify(process_group), 200)
+
+
+def process_group_list(
+    process_group_identifier: Optional[str] = None, page: int = 1, per_page: int = 100
+) -> flask.wrappers.Response:
+    """Process_group_list."""
+    if process_group_identifier is not None:
+        process_groups = ProcessModelService.get_process_groups(
+            process_group_identifier
+        )
+    else:
+        process_groups = ProcessModelService.get_process_groups()
+    batch = ProcessModelService().get_batch(
+        items=process_groups, page=page, per_page=per_page
+    )
+    pages = len(process_groups) // per_page
+    remainder = len(process_groups) % per_page
+    if remainder > 0:
+        pages += 1
+
+    response_json = {
+        "results": ProcessGroupSchema(many=True).dump(batch),
+        "pagination": {
+            "count": len(batch),
+            "total": len(process_groups),
+            "pages": pages,
+        },
+    }
+    return Response(json.dumps(response_json), status=200, mimetype="application/json")
+
+
+def process_group_show(
+    modified_process_group_id: str,
+) -> Any:
+    """Process_group_show."""
+    process_group_id = _un_modify_modified_process_model_id(modified_process_group_id)
+    try:
+        process_group = ProcessModelService.get_process_group(process_group_id)
+    except ProcessEntityNotFoundError as exception:
+        raise (
+            ApiError(
+                error_code="process_group_cannot_be_found",
+                message=f"Process group cannot be found: {process_group_id}",
+                status_code=400,
+            )
+        ) from exception
+
+    process_group.parent_groups = ProcessModelService.get_parent_group_array(
+        process_group.id
+    )
+    return make_response(jsonify(process_group), 200)
+
+
+def process_group_move(
+    modified_process_group_identifier: str, new_location: str
+) -> flask.wrappers.Response:
+    """Process_group_move."""
+    original_process_group_id = _un_modify_modified_process_model_id(
+        modified_process_group_identifier
+    )
+    new_process_group = ProcessModelService().process_group_move(
+        original_process_group_id, new_location
+    )
+    _commit_and_push_to_git(
+        f"User: {g.user.username} moved process group {original_process_group_id} to"
+        f" {new_process_group.id}"
+    )
+    return make_response(jsonify(new_process_group), 200)
--- a/src/spiffworkflow_backend/routes/process_instances_controller.py
+++ b/src/spiffworkflow_backend/routes/process_instances_controller.py
@ -0,0 +1,696 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+from typing import Any
+from typing import Dict
+from typing import Optional
+
+import flask.wrappers
+from flask import current_app
+from flask import g
+from flask import jsonify
+from flask import make_response
+from flask import request
+from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
+from SpiffWorkflow.task import TaskState  # type: ignore
+from sqlalchemy import and_
+from sqlalchemy import or_
+
+from spiffworkflow_backend.models.human_task import HumanTaskModel
+from spiffworkflow_backend.models.human_task_user import HumanTaskUserModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceApiSchema
+from spiffworkflow_backend.models.process_instance import (
+    ProcessInstanceCannotBeDeletedError,
+)
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModelSchema
+from spiffworkflow_backend.models.process_instance_metadata import (
+    ProcessInstanceMetadataModel,
+)
+from spiffworkflow_backend.models.process_instance_report import (
+    ProcessInstanceReportModel,
+)
+from spiffworkflow_backend.models.process_model import ProcessModelInfo
+from spiffworkflow_backend.models.spec_reference import SpecReferenceCache
+from spiffworkflow_backend.models.spec_reference import SpecReferenceNotFoundError
+from spiffworkflow_backend.models.spiff_logging import SpiffLoggingModel
+from spiffworkflow_backend.models.spiff_step_details import SpiffStepDetailsModel
+from spiffworkflow_backend.models.user import UserModel
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _find_process_instance_by_id_or_raise,
+)
+from spiffworkflow_backend.routes.process_api_blueprint import _get_process_model
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _un_modify_modified_process_model_id,
+)
+from spiffworkflow_backend.services.authorization_service import AuthorizationService
+from spiffworkflow_backend.services.error_handling_service import ErrorHandlingService
+from spiffworkflow_backend.services.git_service import GitCommandError
+from spiffworkflow_backend.services.git_service import GitService
+from spiffworkflow_backend.services.message_service import MessageService
+from spiffworkflow_backend.services.process_instance_processor import (
+    ProcessInstanceProcessor,
+)
+from spiffworkflow_backend.services.process_instance_report_service import (
+    ProcessInstanceReportFilter,
+)
+from spiffworkflow_backend.services.process_instance_report_service import (
+    ProcessInstanceReportService,
+)
+from spiffworkflow_backend.services.process_instance_service import (
+    ProcessInstanceService,
+)
+from spiffworkflow_backend.services.process_model_service import ProcessModelService
+from spiffworkflow_backend.services.spec_file_service import SpecFileService
+
+
+def process_instance_create(
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Create_process_instance."""
+    process_model_identifier = _un_modify_modified_process_model_id(
+        modified_process_model_identifier
+    )
+    process_instance = (
+        ProcessInstanceService.create_process_instance_from_process_model_identifier(
+            process_model_identifier, g.user
+        )
+    )
+    return Response(
+        json.dumps(ProcessInstanceModelSchema().dump(process_instance)),
+        status=201,
+        mimetype="application/json",
+    )
+
+
+def process_instance_run(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    do_engine_steps: bool = True,
+) -> flask.wrappers.Response:
+    """Process_instance_run."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    if process_instance.status != "not_started":
+        raise ApiError(
+            error_code="process_instance_not_runnable",
+            message=(
+                f"Process Instance ({process_instance.id}) is currently running or has"
+                " already run."
+            ),
+            status_code=400,
+        )
+
+    processor = ProcessInstanceProcessor(process_instance)
+
+    if do_engine_steps:
+        try:
+            processor.do_engine_steps(save=True)
+        except ApiError as e:
+            ErrorHandlingService().handle_error(processor, e)
+            raise e
+        except Exception as e:
+            ErrorHandlingService().handle_error(processor, e)
+            task = processor.bpmn_process_instance.last_task
+            raise ApiError.from_task(
+                error_code="unknown_exception",
+                message=f"An unknown error occurred. Original error: {e}",
+                status_code=400,
+                task=task,
+            ) from e
+
+        if not current_app.config["RUN_BACKGROUND_SCHEDULER"]:
+            MessageService.process_message_instances()
+
+    process_instance_api = ProcessInstanceService.processor_to_process_instance_api(
+        processor
+    )
+    process_instance_data = processor.get_data()
+    process_instance_metadata = ProcessInstanceApiSchema().dump(process_instance_api)
+    process_instance_metadata["data"] = process_instance_data
+    return Response(
+        json.dumps(process_instance_metadata), status=200, mimetype="application/json"
+    )
+
+
+def process_instance_terminate(
+    process_instance_id: int,
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Process_instance_run."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    processor = ProcessInstanceProcessor(process_instance)
+    processor.terminate()
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_instance_suspend(
+    process_instance_id: int,
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Process_instance_suspend."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    processor = ProcessInstanceProcessor(process_instance)
+    processor.suspend()
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_instance_resume(
+    process_instance_id: int,
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Process_instance_resume."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    processor = ProcessInstanceProcessor(process_instance)
+    processor.resume()
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_instance_log_list(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    page: int = 1,
+    per_page: int = 100,
+    detailed: bool = False,
+) -> flask.wrappers.Response:
+    """Process_instance_log_list."""
+    # to make sure the process instance exists
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+
+    log_query = SpiffLoggingModel.query.filter(
+        SpiffLoggingModel.process_instance_id == process_instance.id
+    )
+    if not detailed:
+        log_query = log_query.filter(SpiffLoggingModel.message.in_(["State change to COMPLETED"]))  # type: ignore
+
+    logs = (
+        log_query.order_by(SpiffLoggingModel.timestamp.desc())  # type: ignore
+        .join(
+            UserModel, UserModel.id == SpiffLoggingModel.current_user_id, isouter=True
+        )  # isouter since if we don't have a user, we still want the log
+        .add_columns(
+            UserModel.username,
+        )
+        .paginate(page=page, per_page=per_page, error_out=False)
+    )
+
+    response_json = {
+        "results": logs.items,
+        "pagination": {
+            "count": len(logs.items),
+            "total": logs.total,
+            "pages": logs.pages,
+        },
+    }
+
+    return make_response(jsonify(response_json), 200)
+
+
+def process_instance_list_for_me(
+    process_model_identifier: Optional[str] = None,
+    page: int = 1,
+    per_page: int = 100,
+    start_from: Optional[int] = None,
+    start_to: Optional[int] = None,
+    end_from: Optional[int] = None,
+    end_to: Optional[int] = None,
+    process_status: Optional[str] = None,
+    user_filter: Optional[bool] = False,
+    report_identifier: Optional[str] = None,
+    report_id: Optional[int] = None,
+    user_group_identifier: Optional[str] = None,
+) -> flask.wrappers.Response:
+    """Process_instance_list_for_me."""
+    return process_instance_list(
+        process_model_identifier=process_model_identifier,
+        page=page,
+        per_page=per_page,
+        start_from=start_from,
+        start_to=start_to,
+        end_from=end_from,
+        end_to=end_to,
+        process_status=process_status,
+        user_filter=user_filter,
+        report_identifier=report_identifier,
+        report_id=report_id,
+        user_group_identifier=user_group_identifier,
+        with_relation_to_me=True,
+    )
+
+
+def process_instance_list(
+    process_model_identifier: Optional[str] = None,
+    page: int = 1,
+    per_page: int = 100,
+    start_from: Optional[int] = None,
+    start_to: Optional[int] = None,
+    end_from: Optional[int] = None,
+    end_to: Optional[int] = None,
+    process_status: Optional[str] = None,
+    with_relation_to_me: Optional[bool] = None,
+    user_filter: Optional[bool] = False,
+    report_identifier: Optional[str] = None,
+    report_id: Optional[int] = None,
+    user_group_identifier: Optional[str] = None,
+) -> flask.wrappers.Response:
+    """Process_instance_list."""
+    process_instance_report = ProcessInstanceReportService.report_with_identifier(
+        g.user, report_id, report_identifier
+    )
+
+    if user_filter:
+        report_filter = ProcessInstanceReportFilter(
+            process_model_identifier=process_model_identifier,
+            user_group_identifier=user_group_identifier,
+            start_from=start_from,
+            start_to=start_to,
+            end_from=end_from,
+            end_to=end_to,
+            with_relation_to_me=with_relation_to_me,
+            process_status=process_status.split(",") if process_status else None,
+        )
+    else:
+        report_filter = (
+            ProcessInstanceReportService.filter_from_metadata_with_overrides(
+                process_instance_report=process_instance_report,
+                process_model_identifier=process_model_identifier,
+                user_group_identifier=user_group_identifier,
+                start_from=start_from,
+                start_to=start_to,
+                end_from=end_from,
+                end_to=end_to,
+                process_status=process_status,
+                with_relation_to_me=with_relation_to_me,
+            )
+        )
+
+    response_json = ProcessInstanceReportService.run_process_instance_report(
+        report_filter=report_filter,
+        process_instance_report=process_instance_report,
+        page=page,
+        per_page=per_page,
+        user=g.user,
+    )
+
+    return make_response(jsonify(response_json), 200)
+
+
+def process_instance_report_column_list() -> flask.wrappers.Response:
+    """Process_instance_report_column_list."""
+    table_columns = ProcessInstanceReportService.builtin_column_options()
+    columns_for_metadata = (
+        db.session.query(ProcessInstanceMetadataModel.key)
+        .order_by(ProcessInstanceMetadataModel.key)
+        .distinct()  # type: ignore
+        .all()
+    )
+    columns_for_metadata_strings = [
+        {"Header": i[0], "accessor": i[0], "filterable": True}
+        for i in columns_for_metadata
+    ]
+    return make_response(jsonify(table_columns + columns_for_metadata_strings), 200)
+
+
+def process_instance_show_for_me(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    process_identifier: Optional[str] = None,
+) -> flask.wrappers.Response:
+    """Process_instance_show_for_me."""
+    process_instance = _find_process_instance_for_me_or_raise(process_instance_id)
+    return _get_process_instance(
+        process_instance=process_instance,
+        modified_process_model_identifier=modified_process_model_identifier,
+        process_identifier=process_identifier,
+    )
+
+
+def process_instance_show(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    process_identifier: Optional[str] = None,
+) -> flask.wrappers.Response:
+    """Create_process_instance."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    return _get_process_instance(
+        process_instance=process_instance,
+        modified_process_model_identifier=modified_process_model_identifier,
+        process_identifier=process_identifier,
+    )
+
+
+def process_instance_delete(
+    process_instance_id: int, modified_process_model_identifier: str
+) -> flask.wrappers.Response:
+    """Create_process_instance."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+
+    if not process_instance.has_terminal_status():
+        raise ProcessInstanceCannotBeDeletedError(
+            f"Process instance ({process_instance.id}) cannot be deleted since it does"
+            f" not have a terminal status. Current status is {process_instance.status}."
+        )
+
+    # (Pdb) db.session.delete
+    # <bound method delete of <sqlalchemy.orm.scoping.scoped_session object at 0x103eaab30>>
+    db.session.query(SpiffLoggingModel).filter_by(
+        process_instance_id=process_instance.id
+    ).delete()
+    db.session.query(SpiffStepDetailsModel).filter_by(
+        process_instance_id=process_instance.id
+    ).delete()
+    db.session.delete(process_instance)
+    db.session.commit()
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_instance_report_list(
+    page: int = 1, per_page: int = 100
+) -> flask.wrappers.Response:
+    """Process_instance_report_list."""
+    process_instance_reports = ProcessInstanceReportModel.query.filter_by(
+        created_by_id=g.user.id,
+    ).all()
+
+    return make_response(jsonify(process_instance_reports), 200)
+
+
+def process_instance_report_create(body: Dict[str, Any]) -> flask.wrappers.Response:
+    """Process_instance_report_create."""
+    process_instance_report = ProcessInstanceReportModel.create_report(
+        identifier=body["identifier"],
+        user=g.user,
+        report_metadata=body["report_metadata"],
+    )
+
+    return make_response(jsonify(process_instance_report), 201)
+
+
+def process_instance_report_update(
+    report_id: int,
+    body: Dict[str, Any],
+) -> flask.wrappers.Response:
+    """Process_instance_report_update."""
+    process_instance_report = ProcessInstanceReportModel.query.filter_by(
+        id=report_id,
+        created_by_id=g.user.id,
+    ).first()
+    if process_instance_report is None:
+        raise ApiError(
+            error_code="unknown_process_instance_report",
+            message="Unknown process instance report",
+            status_code=404,
+        )
+
+    process_instance_report.report_metadata = body["report_metadata"]
+    db.session.commit()
+
+    return make_response(jsonify(process_instance_report), 201)
+
+
+def process_instance_report_delete(
+    report_id: int,
+) -> flask.wrappers.Response:
+    """Process_instance_report_delete."""
+    process_instance_report = ProcessInstanceReportModel.query.filter_by(
+        id=report_id,
+        created_by_id=g.user.id,
+    ).first()
+    if process_instance_report is None:
+        raise ApiError(
+            error_code="unknown_process_instance_report",
+            message="Unknown process instance report",
+            status_code=404,
+        )
+
+    db.session.delete(process_instance_report)
+    db.session.commit()
+
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_instance_report_show(
+    report_id: int,
+    page: int = 1,
+    per_page: int = 100,
+) -> flask.wrappers.Response:
+    """Process_instance_report_show."""
+    process_instances = ProcessInstanceModel.query.order_by(
+        ProcessInstanceModel.start_in_seconds.desc(), ProcessInstanceModel.id.desc()  # type: ignore
+    ).paginate(page=page, per_page=per_page, error_out=False)
+
+    process_instance_report = ProcessInstanceReportModel.query.filter_by(
+        id=report_id,
+        created_by_id=g.user.id,
+    ).first()
+    if process_instance_report is None:
+        raise ApiError(
+            error_code="unknown_process_instance_report",
+            message="Unknown process instance report",
+            status_code=404,
+        )
+
+    substitution_variables = request.args.to_dict()
+    result_dict = process_instance_report.generate_report(
+        process_instances.items, substitution_variables
+    )
+
+    # update this if we go back to a database query instead of filtering in memory
+    result_dict["pagination"] = {
+        "count": len(result_dict["results"]),
+        "total": len(result_dict["results"]),
+        "pages": 1,
+    }
+
+    return Response(json.dumps(result_dict), status=200, mimetype="application/json")
+
+
+def process_instance_task_list_without_task_data_for_me(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    all_tasks: bool = False,
+    spiff_step: int = 0,
+) -> flask.wrappers.Response:
+    """Process_instance_task_list_without_task_data_for_me."""
+    process_instance = _find_process_instance_for_me_or_raise(process_instance_id)
+    return process_instance_task_list(
+        modified_process_model_identifier,
+        process_instance,
+        all_tasks,
+        spiff_step,
+        get_task_data=False,
+    )
+
+
+def process_instance_task_list_without_task_data(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    all_tasks: bool = False,
+    spiff_step: int = 0,
+) -> flask.wrappers.Response:
+    """Process_instance_task_list_without_task_data."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    return process_instance_task_list(
+        modified_process_model_identifier,
+        process_instance,
+        all_tasks,
+        spiff_step,
+        get_task_data=False,
+    )
+
+
+def process_instance_task_list_with_task_data(
+    modified_process_model_identifier: str,
+    process_instance_id: int,
+    all_tasks: bool = False,
+    spiff_step: int = 0,
+) -> flask.wrappers.Response:
+    """Process_instance_task_list_with_task_data."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    return process_instance_task_list(
+        modified_process_model_identifier,
+        process_instance,
+        all_tasks,
+        spiff_step,
+        get_task_data=True,
+    )
+
+
+def process_instance_task_list(
+    _modified_process_model_identifier: str,
+    process_instance: ProcessInstanceModel,
+    all_tasks: bool = False,
+    spiff_step: int = 0,
+    get_task_data: bool = False,
+) -> flask.wrappers.Response:
+    """Process_instance_task_list."""
+    if spiff_step > 0:
+        step_detail = (
+            db.session.query(SpiffStepDetailsModel)
+            .filter(
+                SpiffStepDetailsModel.process_instance_id == process_instance.id,
+                SpiffStepDetailsModel.spiff_step == spiff_step,
+            )
+            .first()
+        )
+        if step_detail is not None and process_instance.bpmn_json is not None:
+            bpmn_json = json.loads(process_instance.bpmn_json)
+            bpmn_json["tasks"] = step_detail.task_json["tasks"]
+            bpmn_json["subprocesses"] = step_detail.task_json["subprocesses"]
+            process_instance.bpmn_json = json.dumps(bpmn_json)
+
+    processor = ProcessInstanceProcessor(process_instance)
+
+    spiff_tasks = None
+    if all_tasks:
+        spiff_tasks = processor.bpmn_process_instance.get_tasks(TaskState.ANY_MASK)
+    else:
+        spiff_tasks = processor.get_all_user_tasks()
+
+    subprocesses_by_child_task_ids = processor.get_subprocesses_by_child_task_ids()
+    tasks = []
+    for spiff_task in spiff_tasks:
+        calling_subprocess_task_id = subprocesses_by_child_task_ids.get(
+            str(spiff_task.id), None
+        )
+        task = ProcessInstanceService.spiff_task_to_api_task(
+            processor, spiff_task, calling_subprocess_task_id=calling_subprocess_task_id
+        )
+        if get_task_data:
+            task.data = spiff_task.data
+        tasks.append(task)
+
+    return make_response(jsonify(tasks), 200)
+
+
+def process_instance_reset(
+    process_instance_id: int,
+    modified_process_model_identifier: str,
+    spiff_step: int = 0,
+) -> flask.wrappers.Response:
+    """Reset a process instance to a particular step."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    processor = ProcessInstanceProcessor(process_instance)
+    processor.reset_process(spiff_step)
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_instance_find_by_id(
+    process_instance_id: int,
+) -> flask.wrappers.Response:
+    """Process_instance_find_by_id."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    modified_process_model_identifier = (
+        ProcessModelInfo.modify_process_identifier_for_path_param(
+            process_instance.process_model_identifier
+        )
+    )
+    process_instance_uri = (
+        f"/process-instances/{modified_process_model_identifier}/{process_instance.id}"
+    )
+    has_permission = AuthorizationService.user_has_permission(
+        user=g.user,
+        permission="read",
+        target_uri=process_instance_uri,
+    )
+
+    uri_type = None
+    if not has_permission:
+        process_instance = _find_process_instance_for_me_or_raise(process_instance_id)
+        uri_type = "for-me"
+
+    response_json = {
+        "process_instance": process_instance,
+        "uri_type": uri_type,
+    }
+    return make_response(jsonify(response_json), 200)
+
+
+def _get_process_instance(
+    modified_process_model_identifier: str,
+    process_instance: ProcessInstanceModel,
+    process_identifier: Optional[str] = None,
+) -> flask.wrappers.Response:
+    """_get_process_instance."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    try:
+        current_version_control_revision = GitService.get_current_revision()
+    except GitCommandError:
+        current_version_control_revision = ""
+
+    process_model_with_diagram = None
+    name_of_file_with_diagram = None
+    if process_identifier:
+        spec_reference = SpecReferenceCache.query.filter_by(
+            identifier=process_identifier, type="process"
+        ).first()
+        if spec_reference is None:
+            raise SpecReferenceNotFoundError(
+                "Could not find given process identifier in the cache:"
+                f" {process_identifier}"
+            )
+
+        process_model_with_diagram = ProcessModelService.get_process_model(
+            spec_reference.process_model_id
+        )
+        name_of_file_with_diagram = spec_reference.file_name
+    else:
+        process_model_with_diagram = _get_process_model(process_model_identifier)
+        if process_model_with_diagram.primary_file_name:
+            name_of_file_with_diagram = process_model_with_diagram.primary_file_name
+
+    if process_model_with_diagram and name_of_file_with_diagram:
+        if (
+            process_instance.bpmn_version_control_identifier
+            == current_version_control_revision
+        ):
+            bpmn_xml_file_contents = SpecFileService.get_data(
+                process_model_with_diagram, name_of_file_with_diagram
+            ).decode("utf-8")
+        else:
+            bpmn_xml_file_contents = GitService.get_instance_file_contents_for_revision(
+                process_model_with_diagram,
+                process_instance.bpmn_version_control_identifier,
+                file_name=name_of_file_with_diagram,
+            )
+        process_instance.bpmn_xml_file_contents = bpmn_xml_file_contents
+
+    return make_response(jsonify(process_instance), 200)
+
+
+def _find_process_instance_for_me_or_raise(
+    process_instance_id: int,
+) -> ProcessInstanceModel:
+    """_find_process_instance_for_me_or_raise."""
+    process_instance: ProcessInstanceModel = (
+        ProcessInstanceModel.query.filter_by(id=process_instance_id)
+        .outerjoin(HumanTaskModel)
+        .outerjoin(
+            HumanTaskUserModel,
+            and_(
+                HumanTaskModel.id == HumanTaskUserModel.human_task_id,
+                HumanTaskUserModel.user_id == g.user.id,
+            ),
+        )
+        .filter(
+            or_(
+                HumanTaskUserModel.id.is_not(None),
+                ProcessInstanceModel.process_initiator_id == g.user.id,
+            )
+        )
+        .first()
+    )
+
+    if process_instance is None:
+        raise (
+            ApiError(
+                error_code="process_instance_cannot_be_found",
+                message=(
+                    f"Process instance with id {process_instance_id} cannot be found"
+                    " that is associated with you."
+                ),
+                status_code=400,
+            )
+        )
+
+    return process_instance
--- a/src/spiffworkflow_backend/routes/process_models_controller.py
+++ b/src/spiffworkflow_backend/routes/process_models_controller.py
@ -0,0 +1,496 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+import os
+import re
+from typing import Any
+from typing import Dict
+from typing import Optional
+from typing import Union
+
+import connexion  # type: ignore
+import flask.wrappers
+from flask import current_app
+from flask import g
+from flask import jsonify
+from flask import make_response
+from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+
+from spiffworkflow_backend.interfaces import IdToProcessGroupMapping
+from spiffworkflow_backend.models.file import FileSchema
+from spiffworkflow_backend.models.process_group import ProcessGroup
+from spiffworkflow_backend.models.process_instance_report import (
+    ProcessInstanceReportModel,
+)
+from spiffworkflow_backend.models.process_model import ProcessModelInfo
+from spiffworkflow_backend.models.process_model import ProcessModelInfoSchema
+from spiffworkflow_backend.routes.process_api_blueprint import _commit_and_push_to_git
+from spiffworkflow_backend.routes.process_api_blueprint import _get_process_model
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _un_modify_modified_process_model_id,
+)
+from spiffworkflow_backend.services.git_service import GitService
+from spiffworkflow_backend.services.git_service import MissingGitConfigsError
+from spiffworkflow_backend.services.process_instance_report_service import (
+    ProcessInstanceReportService,
+)
+from spiffworkflow_backend.services.process_model_service import ProcessModelService
+from spiffworkflow_backend.services.spec_file_service import SpecFileService
+
+
+def process_model_create(
+    modified_process_group_id: str, body: Dict[str, Union[str, bool, int]]
+) -> flask.wrappers.Response:
+    """Process_model_create."""
+    body_include_list = [
+        "id",
+        "display_name",
+        "primary_file_name",
+        "primary_process_id",
+        "description",
+        "metadata_extraction_paths",
+    ]
+    body_filtered = {
+        include_item: body[include_item]
+        for include_item in body_include_list
+        if include_item in body
+    }
+
+    _get_process_group_from_modified_identifier(modified_process_group_id)
+
+    process_model_info = ProcessModelInfo(**body_filtered)  # type: ignore
+    if process_model_info is None:
+        raise ApiError(
+            error_code="process_model_could_not_be_created",
+            message=f"Process Model could not be created from given body: {body}",
+            status_code=400,
+        )
+
+    ProcessModelService.add_process_model(process_model_info)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} created process model {process_model_info.id}"
+    )
+    return Response(
+        json.dumps(ProcessModelInfoSchema().dump(process_model_info)),
+        status=201,
+        mimetype="application/json",
+    )
+
+
+def process_model_delete(
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Process_model_delete."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    ProcessModelService().process_model_delete(process_model_identifier)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} deleted process model {process_model_identifier}"
+    )
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_model_update(
+    modified_process_model_identifier: str, body: Dict[str, Union[str, bool, int]]
+) -> Any:
+    """Process_model_update."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    body_include_list = [
+        "display_name",
+        "primary_file_name",
+        "primary_process_id",
+        "description",
+        "metadata_extraction_paths",
+    ]
+    body_filtered = {
+        include_item: body[include_item]
+        for include_item in body_include_list
+        if include_item in body
+    }
+
+    process_model = _get_process_model(process_model_identifier)
+    ProcessModelService.update_process_model(process_model, body_filtered)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} updated process model {process_model_identifier}"
+    )
+    return ProcessModelInfoSchema().dump(process_model)
+
+
+def process_model_show(modified_process_model_identifier: str) -> Any:
+    """Process_model_show."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    process_model = _get_process_model(process_model_identifier)
+    files = sorted(
+        SpecFileService.get_files(process_model),
+        key=lambda f: "" if f.name == process_model.primary_file_name else f.sort_index,
+    )
+    process_model.files = files
+    for file in process_model.files:
+        file.references = SpecFileService.get_references_for_file(file, process_model)
+
+    process_model.parent_groups = ProcessModelService.get_parent_group_array(
+        process_model.id
+    )
+    return make_response(jsonify(process_model), 200)
+
+
+def process_model_move(
+    modified_process_model_identifier: str, new_location: str
+) -> flask.wrappers.Response:
+    """Process_model_move."""
+    original_process_model_id = _un_modify_modified_process_model_id(
+        modified_process_model_identifier
+    )
+    new_process_model = ProcessModelService().process_model_move(
+        original_process_model_id, new_location
+    )
+    _commit_and_push_to_git(
+        f"User: {g.user.username} moved process model {original_process_model_id} to"
+        f" {new_process_model.id}"
+    )
+    return make_response(jsonify(new_process_model), 200)
+
+
+def process_model_publish(
+    modified_process_model_identifier: str, branch_to_update: Optional[str] = None
+) -> flask.wrappers.Response:
+    """Process_model_publish."""
+    if branch_to_update is None:
+        branch_to_update = current_app.config["GIT_BRANCH_TO_PUBLISH_TO"]
+    if branch_to_update is None:
+        raise MissingGitConfigsError(
+            "Missing config for GIT_BRANCH_TO_PUBLISH_TO. "
+            "This is required for publishing process models"
+        )
+    process_model_identifier = _un_modify_modified_process_model_id(
+        modified_process_model_identifier
+    )
+    pr_url = GitService().publish(process_model_identifier, branch_to_update)
+    data = {"ok": True, "pr_url": pr_url}
+    return Response(json.dumps(data), status=200, mimetype="application/json")
+
+
+def process_model_list(
+    process_group_identifier: Optional[str] = None,
+    recursive: Optional[bool] = False,
+    filter_runnable_by_user: Optional[bool] = False,
+    include_parent_groups: Optional[bool] = False,
+    page: int = 1,
+    per_page: int = 100,
+) -> flask.wrappers.Response:
+    """Process model list!"""
+    process_models = ProcessModelService.get_process_models(
+        process_group_id=process_group_identifier,
+        recursive=recursive,
+        filter_runnable_by_user=filter_runnable_by_user,
+    )
+    process_models_to_return = ProcessModelService().get_batch(
+        process_models, page=page, per_page=per_page
+    )
+
+    if include_parent_groups:
+        process_group_cache = IdToProcessGroupMapping({})
+        for process_model in process_models_to_return:
+            parent_group_lites_with_cache = (
+                ProcessModelService.get_parent_group_array_and_cache_it(
+                    process_model.id, process_group_cache
+                )
+            )
+            process_model.parent_groups = parent_group_lites_with_cache[
+                "process_groups"
+            ]
+
+    pages = len(process_models) // per_page
+    remainder = len(process_models) % per_page
+    if remainder > 0:
+        pages += 1
+    response_json = {
+        "results": process_models_to_return,
+        "pagination": {
+            "count": len(process_models_to_return),
+            "total": len(process_models),
+            "pages": pages,
+        },
+    }
+    return make_response(jsonify(response_json), 200)
+
+
+def process_model_file_update(
+    modified_process_model_identifier: str, file_name: str
+) -> flask.wrappers.Response:
+    """Process_model_file_update."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    process_model = _get_process_model(process_model_identifier)
+
+    request_file = _get_file_from_request()
+    request_file_contents = request_file.stream.read()
+    if not request_file_contents:
+        raise ApiError(
+            error_code="file_contents_empty",
+            message="Given request file does not have any content",
+            status_code=400,
+        )
+
+    SpecFileService.update_file(process_model, file_name, request_file_contents)
+    _commit_and_push_to_git(
+        f"User: {g.user.username} clicked save for"
+        f" {process_model_identifier}/{file_name}"
+    )
+
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_model_file_delete(
+    modified_process_model_identifier: str, file_name: str
+) -> flask.wrappers.Response:
+    """Process_model_file_delete."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    process_model = _get_process_model(process_model_identifier)
+    try:
+        SpecFileService.delete_file(process_model, file_name)
+    except FileNotFoundError as exception:
+        raise (
+            ApiError(
+                error_code="process_model_file_cannot_be_found",
+                message=f"Process model file cannot be found: {file_name}",
+                status_code=400,
+            )
+        ) from exception
+
+    _commit_and_push_to_git(
+        f"User: {g.user.username} deleted process model file"
+        f" {process_model_identifier}/{file_name}"
+    )
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def process_model_file_create(
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Process_model_file_create."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    process_model = _get_process_model(process_model_identifier)
+    request_file = _get_file_from_request()
+    if not request_file.filename:
+        raise ApiError(
+            error_code="could_not_get_filename",
+            message="Could not get filename from request",
+            status_code=400,
+        )
+
+    file = SpecFileService.add_file(
+        process_model, request_file.filename, request_file.stream.read()
+    )
+    file_contents = SpecFileService.get_data(process_model, file.name)
+    file.file_contents = file_contents
+    file.process_model_id = process_model.id
+    _commit_and_push_to_git(
+        f"User: {g.user.username} added process model file"
+        f" {process_model_identifier}/{file.name}"
+    )
+    return Response(
+        json.dumps(FileSchema().dump(file)), status=201, mimetype="application/json"
+    )
+
+
+def process_model_file_show(
+    modified_process_model_identifier: str, file_name: str
+) -> Any:
+    """Process_model_file_show."""
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    process_model = _get_process_model(process_model_identifier)
+    files = SpecFileService.get_files(process_model, file_name)
+    if len(files) == 0:
+        raise ApiError(
+            error_code="unknown file",
+            message=(
+                f"No information exists for file {file_name}"
+                f" it does not exist in workflow {process_model_identifier}."
+            ),
+            status_code=404,
+        )
+
+    file = files[0]
+    file_contents = SpecFileService.get_data(process_model, file.name)
+    file.file_contents = file_contents
+    file.process_model_id = process_model.id
+    return FileSchema().dump(file)
+
+
+#   {
+#       "natural_language_text": "Create a bug tracker process model \
+#           with a bug-details form that collects summary, description, and priority"
+#   }
+def process_model_create_with_natural_language(
+    modified_process_group_id: str, body: Dict[str, str]
+) -> flask.wrappers.Response:
+    """Process_model_create_with_natural_language."""
+    pattern = re.compile(
+        r"Create a (?P<pm_name>.*?) process model with a (?P<form_name>.*?) form that"
+        r" collects (?P<columns>.*)"
+    )
+    match = pattern.match(body["natural_language_text"])
+    if match is None:
+        raise ApiError(
+            error_code="natural_language_text_not_yet_supported",
+            message=(
+                "Natural language text is not yet supported. Please use the form:"
+                f" {pattern.pattern}"
+            ),
+            status_code=400,
+        )
+    process_model_display_name = match.group("pm_name")
+    process_model_identifier = re.sub(r"[ _]", "-", process_model_display_name)
+    process_model_identifier = re.sub(r"-{2,}", "-", process_model_identifier).lower()
+
+    form_name = match.group("form_name")
+    form_identifier = re.sub(r"[ _]", "-", form_name)
+    form_identifier = re.sub(r"-{2,}", "-", form_identifier).lower()
+
+    column_names = match.group("columns")
+    columns = re.sub(r"(, (and )?)", ",", column_names).split(",")
+
+    process_group = _get_process_group_from_modified_identifier(
+        modified_process_group_id
+    )
+    qualified_process_model_identifier = (
+        f"{process_group.id}/{process_model_identifier}"
+    )
+
+    metadata_extraction_paths = []
+    for column in columns:
+        metadata_extraction_paths.append({"key": column, "path": column})
+
+    process_model_attributes = {
+        "id": qualified_process_model_identifier,
+        "display_name": process_model_display_name,
+        "description": None,
+        "metadata_extraction_paths": metadata_extraction_paths,
+    }
+
+    process_model_info = ProcessModelInfo(**process_model_attributes)  # type: ignore
+    if process_model_info is None:
+        raise ApiError(
+            error_code="process_model_could_not_be_created",
+            message=f"Process Model could not be created from given body: {body}",
+            status_code=400,
+        )
+
+    bpmn_template_file = os.path.join(
+        current_app.root_path, "templates", "basic_with_user_task_template.bpmn"
+    )
+    if not os.path.exists(bpmn_template_file):
+        raise ApiError(
+            error_code="bpmn_template_file_does_not_exist",
+            message="Could not find the bpmn template file to create process model.",
+            status_code=500,
+        )
+
+    ProcessModelService.add_process_model(process_model_info)
+    bpmn_process_identifier = f"{process_model_identifier}_process"
+    bpmn_template_contents = ""
+    with open(bpmn_template_file, encoding="utf-8") as f:
+        bpmn_template_contents = f.read()
+
+    bpmn_template_contents = bpmn_template_contents.replace(
+        "natural_language_process_id_template", bpmn_process_identifier
+    )
+    bpmn_template_contents = bpmn_template_contents.replace(
+        "form-identifier-id-template", form_identifier
+    )
+
+    form_uischema_json: dict = {"ui:order": columns}
+
+    form_properties: dict = {}
+    for column in columns:
+        form_properties[column] = {
+            "type": "string",
+            "title": column,
+        }
+    form_schema_json = {
+        "title": form_identifier,
+        "description": "",
+        "properties": form_properties,
+        "required": [],
+    }
+
+    SpecFileService.add_file(
+        process_model_info,
+        f"{process_model_identifier}.bpmn",
+        str.encode(bpmn_template_contents),
+    )
+    SpecFileService.add_file(
+        process_model_info,
+        f"{form_identifier}-schema.json",
+        str.encode(json.dumps(form_schema_json)),
+    )
+    SpecFileService.add_file(
+        process_model_info,
+        f"{form_identifier}-uischema.json",
+        str.encode(json.dumps(form_uischema_json)),
+    )
+
+    _commit_and_push_to_git(
+        f"User: {g.user.username} created process model via natural language:"
+        f" {process_model_info.id}"
+    )
+
+    default_report_metadata = ProcessInstanceReportService.system_metadata_map(
+        "default"
+    )
+    for column in columns:
+        default_report_metadata["columns"].append(
+            {"Header": column, "accessor": column, "filterable": True}
+        )
+    ProcessInstanceReportModel.create_report(
+        identifier=process_model_identifier,
+        user=g.user,
+        report_metadata=default_report_metadata,
+    )
+
+    return Response(
+        json.dumps(ProcessModelInfoSchema().dump(process_model_info)),
+        status=201,
+        mimetype="application/json",
+    )
+
+
+def _get_file_from_request() -> Any:
+    """Get_file_from_request."""
+    request_file = connexion.request.files.get("file")
+    if not request_file:
+        raise ApiError(
+            error_code="no_file_given",
+            message="Given request does not contain a file",
+            status_code=400,
+        )
+    return request_file
+
+
+def _get_process_group_from_modified_identifier(
+    modified_process_group_id: str,
+) -> ProcessGroup:
+    """_get_process_group_from_modified_identifier."""
+    if modified_process_group_id is None:
+        raise ApiError(
+            error_code="process_group_id_not_specified",
+            message=(
+                "Process Model could not be created when process_group_id path param is"
+                " unspecified"
+            ),
+            status_code=400,
+        )
+
+    unmodified_process_group_id = _un_modify_modified_process_model_id(
+        modified_process_group_id
+    )
+    process_group = ProcessModelService.get_process_group(unmodified_process_group_id)
+    if process_group is None:
+        raise ApiError(
+            error_code="process_model_could_not_be_created",
+            message=(
+                "Process Model could not be created from given body because Process"
+                f" Group could not be found: {unmodified_process_group_id}"
+            ),
+            status_code=400,
+        )
+    return process_group
--- a/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
+++ b/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
@ -0,0 +1,134 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+import random
+import string
+from typing import Dict
+from typing import Union
+
+import flask.wrappers
+from flask import current_app
+from flask import jsonify
+from flask import make_response
+from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+from lxml import etree  # type: ignore
+from lxml.builder import ElementMaker  # type: ignore
+
+from spiffworkflow_backend.routes.process_api_blueprint import _get_process_model
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _get_required_parameter_or_raise,
+)
+from spiffworkflow_backend.services.script_unit_test_runner import ScriptUnitTestRunner
+from spiffworkflow_backend.services.spec_file_service import SpecFileService
+
+
+def script_unit_test_create(
+    modified_process_model_identifier: str, body: Dict[str, Union[str, bool, int]]
+) -> flask.wrappers.Response:
+    """Script_unit_test_create."""
+    bpmn_task_identifier = _get_required_parameter_or_raise(
+        "bpmn_task_identifier", body
+    )
+    input_json = _get_required_parameter_or_raise("input_json", body)
+    expected_output_json = _get_required_parameter_or_raise(
+        "expected_output_json", body
+    )
+
+    process_model_identifier = modified_process_model_identifier.replace(":", "/")
+    process_model = _get_process_model(process_model_identifier)
+    file = SpecFileService.get_files(process_model, process_model.primary_file_name)[0]
+    if file is None:
+        raise ApiError(
+            error_code="cannot_find_file",
+            message=(
+                "Could not find the primary bpmn file for process_model:"
+                f" {process_model.id}"
+            ),
+            status_code=404,
+        )
+
+    # TODO: move this to an xml service or something
+    file_contents = SpecFileService.get_data(process_model, file.name)
+    bpmn_etree_element = etree.fromstring(file_contents)
+
+    nsmap = bpmn_etree_element.nsmap
+    spiff_element_maker = ElementMaker(
+        namespace="http://spiffworkflow.org/bpmn/schema/1.0/core", nsmap=nsmap
+    )
+
+    script_task_elements = bpmn_etree_element.xpath(
+        f"//bpmn:scriptTask[@id='{bpmn_task_identifier}']",
+        namespaces={"bpmn": "http://www.omg.org/spec/BPMN/20100524/MODEL"},
+    )
+    if len(script_task_elements) == 0:
+        raise ApiError(
+            error_code="missing_script_task",
+            message=f"Cannot find a script task with id: {bpmn_task_identifier}",
+            status_code=404,
+        )
+    script_task_element = script_task_elements[0]
+
+    extension_elements = None
+    extension_elements_array = script_task_element.xpath(
+        ".//bpmn:extensionElements",
+        namespaces={"bpmn": "http://www.omg.org/spec/BPMN/20100524/MODEL"},
+    )
+    if len(extension_elements_array) == 0:
+        bpmn_element_maker = ElementMaker(
+            namespace="http://www.omg.org/spec/BPMN/20100524/MODEL", nsmap=nsmap
+        )
+        extension_elements = bpmn_element_maker("extensionElements")
+        script_task_element.append(extension_elements)
+    else:
+        extension_elements = extension_elements_array[0]
+
+    unit_test_elements = None
+    unit_test_elements_array = extension_elements.xpath(
+        "//spiffworkflow:unitTests",
+        namespaces={"spiffworkflow": "http://spiffworkflow.org/bpmn/schema/1.0/core"},
+    )
+    if len(unit_test_elements_array) == 0:
+        unit_test_elements = spiff_element_maker("unitTests")
+        extension_elements.append(unit_test_elements)
+    else:
+        unit_test_elements = unit_test_elements_array[0]
+
+    fuzz = "".join(
+        random.choice(string.ascii_uppercase + string.digits)  # noqa: S311
+        for _ in range(7)
+    )
+    unit_test_id = f"unit_test_{fuzz}"
+
+    input_json_element = spiff_element_maker("inputJson", json.dumps(input_json))
+    expected_output_json_element = spiff_element_maker(
+        "expectedOutputJson", json.dumps(expected_output_json)
+    )
+    unit_test_element = spiff_element_maker("unitTest", id=unit_test_id)
+    unit_test_element.append(input_json_element)
+    unit_test_element.append(expected_output_json_element)
+    unit_test_elements.append(unit_test_element)
+    SpecFileService.update_file(
+        process_model, file.name, etree.tostring(bpmn_etree_element)
+    )
+
+    return Response(json.dumps({"ok": True}), status=202, mimetype="application/json")
+
+
+def script_unit_test_run(
+    modified_process_model_identifier: str, body: Dict[str, Union[str, bool, int]]
+) -> flask.wrappers.Response:
+    """Script_unit_test_run."""
+    # FIXME: We should probably clear this somewhere else but this works
+    current_app.config["THREAD_LOCAL_DATA"].process_instance_id = None
+    current_app.config["THREAD_LOCAL_DATA"].spiff_step = None
+
+    python_script = _get_required_parameter_or_raise("python_script", body)
+    input_json = _get_required_parameter_or_raise("input_json", body)
+    expected_output_json = _get_required_parameter_or_raise(
+        "expected_output_json", body
+    )
+
+    result = ScriptUnitTestRunner.run_with_script_and_pre_post_contexts(
+        python_script, input_json, expected_output_json
+    )
+    return make_response(jsonify(result), 200)
--- a/src/spiffworkflow_backend/routes/secrets_controller.py
+++ b/src/spiffworkflow_backend/routes/secrets_controller.py
@ -0,0 +1,67 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+from typing import Dict
+from typing import Optional
+
+from flask import g
+from flask import jsonify
+from flask import make_response
+from flask.wrappers import Response
+
+from spiffworkflow_backend.models.secret_model import SecretModel
+from spiffworkflow_backend.models.secret_model import SecretModelSchema
+from spiffworkflow_backend.models.user import UserModel
+from spiffworkflow_backend.services.secret_service import SecretService
+from spiffworkflow_backend.services.user_service import UserService
+
+
+def secret_show(key: str) -> Optional[str]:
+    """Secret_show."""
+    return SecretService.get_secret(key)
+
+
+def secret_list(
+    page: int = 1,
+    per_page: int = 100,
+) -> Response:
+    """Secret_list."""
+    secrets = (
+        SecretModel.query.order_by(SecretModel.key)
+        .join(UserModel)
+        .add_columns(
+            UserModel.username,
+        )
+        .paginate(page=page, per_page=per_page, error_out=False)
+    )
+    response_json = {
+        "results": secrets.items,
+        "pagination": {
+            "count": len(secrets.items),
+            "total": secrets.total,
+            "pages": secrets.pages,
+        },
+    }
+    return make_response(jsonify(response_json), 200)
+
+
+def secret_create(body: Dict) -> Response:
+    """Add secret."""
+    secret_model = SecretService().add_secret(body["key"], body["value"], g.user.id)
+    return Response(
+        json.dumps(SecretModelSchema().dump(secret_model)),
+        status=201,
+        mimetype="application/json",
+    )
+
+
+def secret_update(key: str, body: dict) -> Response:
+    """Update secret."""
+    SecretService().update_secret(key, body["value"], g.user.id)
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+
+
+def secret_delete(key: str) -> Response:
+    """Delete secret."""
+    current_user = UserService.current_user()
+    SecretService.delete_secret(key, current_user.id)
+    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
--- a/src/spiffworkflow_backend/routes/service_tasks_controller.py
+++ b/src/spiffworkflow_backend/routes/service_tasks_controller.py
@ -0,0 +1,49 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+
+import flask.wrappers
+import werkzeug
+from flask import current_app
+from flask import g
+from flask import redirect
+from flask import request
+from flask.wrappers import Response
+
+from spiffworkflow_backend.routes.user import verify_token
+from spiffworkflow_backend.services.secret_service import SecretService
+from spiffworkflow_backend.services.service_task_service import ServiceTaskService
+
+
+def service_task_list() -> flask.wrappers.Response:
+    """Service_task_list."""
+    available_connectors = ServiceTaskService.available_connectors()
+    return Response(
+        json.dumps(available_connectors), status=200, mimetype="application/json"
+    )
+
+
+def authentication_list() -> flask.wrappers.Response:
+    """Authentication_list."""
+    available_authentications = ServiceTaskService.authentication_list()
+    response_json = {
+        "results": available_authentications,
+        "connector_proxy_base_url": current_app.config["CONNECTOR_PROXY_URL"],
+        "redirect_url": f"{current_app.config['SPIFFWORKFLOW_BACKEND_URL']}/v1.0/authentication_callback",
+    }
+
+    return Response(json.dumps(response_json), status=200, mimetype="application/json")
+
+
+def authentication_callback(
+    service: str,
+    auth_method: str,
+) -> werkzeug.wrappers.Response:
+    """Authentication_callback."""
+    verify_token(request.args.get("token"), force_run=True)
+    response = request.args["response"]
+    SecretService().update_secret(
+        f"{service}/{auth_method}", response, g.user.id, create_if_not_exists=True
+    )
+    return redirect(
+        f"{current_app.config['SPIFFWORKFLOW_FRONTEND_URL']}/admin/configuration"
+    )
--- a/src/spiffworkflow_backend/routes/tasks_controller.py
+++ b/src/spiffworkflow_backend/routes/tasks_controller.py
@ -0,0 +1,563 @@
+"""APIs for dealing with process groups, process models, and process instances."""
+import json
+import os
+import uuid
+from typing import Any
+from typing import Dict
+from typing import Optional
+from typing import TypedDict
+from typing import Union
+
+import flask.wrappers
+import jinja2
+from flask import g
+from flask import jsonify
+from flask import make_response
+from flask.wrappers import Response
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
+from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
+from SpiffWorkflow.task import TaskState
+from sqlalchemy import and_
+from sqlalchemy import asc
+from sqlalchemy import desc
+from sqlalchemy import func
+from sqlalchemy.orm import aliased
+
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
+from spiffworkflow_backend.models.human_task_user import HumanTaskUserModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceStatus
+from spiffworkflow_backend.models.process_model import ProcessModelInfo
+from spiffworkflow_backend.models.user import UserModel
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _find_principal_or_raise,
+)
+from spiffworkflow_backend.routes.process_api_blueprint import (
+    _find_process_instance_by_id_or_raise,
+)
+from spiffworkflow_backend.routes.process_api_blueprint import _get_process_model
+from spiffworkflow_backend.services.authorization_service import AuthorizationService
+from spiffworkflow_backend.services.file_system_service import FileSystemService
+from spiffworkflow_backend.services.process_instance_processor import (
+    ProcessInstanceProcessor,
+)
+from spiffworkflow_backend.services.process_instance_service import (
+    ProcessInstanceService,
+)
+from spiffworkflow_backend.services.process_model_service import ProcessModelService
+from spiffworkflow_backend.services.spec_file_service import SpecFileService
+
+
+class TaskDataSelectOption(TypedDict):
+    """TaskDataSelectOption."""
+
+    value: str
+    label: str
+
+
+class ReactJsonSchemaSelectOption(TypedDict):
+    """ReactJsonSchemaSelectOption."""
+
+    type: str
+    title: str
+    enum: list[str]
+
+
+# TODO: see comment for before_request
+# @process_api_blueprint.route("/v1.0/tasks", methods=["GET"])
+def task_list_my_tasks(page: int = 1, per_page: int = 100) -> flask.wrappers.Response:
+    """Task_list_my_tasks."""
+    principal = _find_principal_or_raise()
+    human_tasks = (
+        HumanTaskModel.query.order_by(desc(HumanTaskModel.id))  # type: ignore
+        .join(ProcessInstanceModel)
+        .join(HumanTaskUserModel)
+        .filter_by(user_id=principal.user_id)
+        .filter(HumanTaskModel.completed == False)  # noqa: E712
+        # just need this add_columns to add the process_model_identifier. Then add everything back that was removed.
+        .add_columns(
+            ProcessInstanceModel.process_model_identifier,
+            ProcessInstanceModel.process_model_display_name,
+            ProcessInstanceModel.status,
+            HumanTaskModel.task_name,
+            HumanTaskModel.task_title,
+            HumanTaskModel.task_type,
+            HumanTaskModel.task_status,
+            HumanTaskModel.task_id,
+            HumanTaskModel.id,
+            HumanTaskModel.process_model_display_name,
+            HumanTaskModel.process_instance_id,
+        )
+        .paginate(page=page, per_page=per_page, error_out=False)
+    )
+    tasks = [HumanTaskModel.to_task(human_task) for human_task in human_tasks.items]
+
+    response_json = {
+        "results": tasks,
+        "pagination": {
+            "count": len(human_tasks.items),
+            "total": human_tasks.total,
+            "pages": human_tasks.pages,
+        },
+    }
+
+    return make_response(jsonify(response_json), 200)
+
+
+def task_list_for_my_open_processes(
+    page: int = 1, per_page: int = 100
+) -> flask.wrappers.Response:
+    """Task_list_for_my_open_processes."""
+    return _get_tasks(page=page, per_page=per_page)
+
+
+def task_list_for_me(page: int = 1, per_page: int = 100) -> flask.wrappers.Response:
+    """Task_list_for_me."""
+    return _get_tasks(
+        processes_started_by_user=False,
+        has_lane_assignment_id=False,
+        page=page,
+        per_page=per_page,
+    )
+
+
+def task_list_for_my_groups(
+    user_group_identifier: Optional[str] = None, page: int = 1, per_page: int = 100
+) -> flask.wrappers.Response:
+    """Task_list_for_my_groups."""
+    return _get_tasks(
+        user_group_identifier=user_group_identifier,
+        processes_started_by_user=False,
+        page=page,
+        per_page=per_page,
+    )
+
+
+def task_show(process_instance_id: int, task_id: str) -> flask.wrappers.Response:
+    """Task_show."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+
+    if process_instance.status == ProcessInstanceStatus.suspended.value:
+        raise ApiError(
+            error_code="error_suspended",
+            message="The process instance is suspended",
+            status_code=400,
+        )
+
+    process_model = _get_process_model(
+        process_instance.process_model_identifier,
+    )
+
+    human_task = HumanTaskModel.query.filter_by(
+        process_instance_id=process_instance_id, task_id=task_id
+    ).first()
+    if human_task is None:
+        raise (
+            ApiError(
+                error_code="no_human_task",
+                message=(
+                    f"Cannot find a task to complete for task id '{task_id}' and"
+                    f" process instance {process_instance_id}."
+                ),
+                status_code=500,
+            )
+        )
+
+    form_schema_file_name = ""
+    form_ui_schema_file_name = ""
+    spiff_task = _get_spiff_task_from_process_instance(task_id, process_instance)
+    extensions = spiff_task.task_spec.extensions
+
+    if "properties" in extensions:
+        properties = extensions["properties"]
+        if "formJsonSchemaFilename" in properties:
+            form_schema_file_name = properties["formJsonSchemaFilename"]
+        if "formUiSchemaFilename" in properties:
+            form_ui_schema_file_name = properties["formUiSchemaFilename"]
+    processor = ProcessInstanceProcessor(process_instance)
+    task = ProcessInstanceService.spiff_task_to_api_task(processor, spiff_task)
+    task.data = spiff_task.data
+    task.process_model_display_name = process_model.display_name
+    task.process_model_identifier = process_model.id
+
+    process_model_with_form = process_model
+    refs = SpecFileService.get_references_for_process(process_model_with_form)
+    all_processes = [i.identifier for i in refs]
+    if task.process_identifier not in all_processes:
+        bpmn_file_full_path = (
+            ProcessInstanceProcessor.bpmn_file_full_path_from_bpmn_process_identifier(
+                task.process_identifier
+            )
+        )
+        relative_path = os.path.relpath(
+            bpmn_file_full_path, start=FileSystemService.root_path()
+        )
+        process_model_relative_path = os.path.dirname(relative_path)
+        process_model_with_form = (
+            ProcessModelService.get_process_model_from_relative_path(
+                process_model_relative_path
+            )
+        )
+
+    if task.type == "User Task":
+        if not form_schema_file_name:
+            raise (
+                ApiError(
+                    error_code="missing_form_file",
+                    message=(
+                        "Cannot find a form file for process_instance_id:"
+                        f" {process_instance_id}, task_id: {task_id}"
+                    ),
+                    status_code=400,
+                )
+            )
+
+        form_contents = _prepare_form_data(
+            form_schema_file_name,
+            task.data,
+            process_model_with_form,
+        )
+
+        try:
+            # form_contents is a str
+            form_dict = json.loads(form_contents)
+        except Exception as exception:
+            raise (
+                ApiError(
+                    error_code="error_loading_form",
+                    message=(
+                        f"Could not load form schema from: {form_schema_file_name}."
+                        f" Error was: {str(exception)}"
+                    ),
+                    status_code=400,
+                )
+            ) from exception
+
+        if task.data:
+            _update_form_schema_with_task_data_as_needed(form_dict, task.data)
+
+        if form_contents:
+            task.form_schema = form_dict
+
+        if form_ui_schema_file_name:
+            ui_form_contents = _prepare_form_data(
+                form_ui_schema_file_name,
+                task.data,
+                process_model_with_form,
+            )
+            if ui_form_contents:
+                task.form_ui_schema = ui_form_contents
+
+    if task.properties and task.data and "instructionsForEndUser" in task.properties:
+        if task.properties["instructionsForEndUser"]:
+            task.properties["instructionsForEndUser"] = _render_jinja_template(
+                task.properties["instructionsForEndUser"], task.data
+            )
+    return make_response(jsonify(task), 200)
+
+
+def process_data_show(
+    process_instance_id: int,
+    process_data_identifier: str,
+    modified_process_model_identifier: str,
+) -> flask.wrappers.Response:
+    """Process_data_show."""
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    processor = ProcessInstanceProcessor(process_instance)
+    all_process_data = processor.get_data()
+    process_data_value = None
+    if process_data_identifier in all_process_data:
+        process_data_value = all_process_data[process_data_identifier]
+
+    return make_response(
+        jsonify(
+            {
+                "process_data_identifier": process_data_identifier,
+                "process_data_value": process_data_value,
+            }
+        ),
+        200,
+    )
+
+
+def task_submit(
+    process_instance_id: int,
+    task_id: str,
+    body: Dict[str, Any],
+    terminate_loop: bool = False,
+) -> flask.wrappers.Response:
+    """Task_submit_user_data."""
+    principal = _find_principal_or_raise()
+    process_instance = _find_process_instance_by_id_or_raise(process_instance_id)
+    if not process_instance.can_submit_task():
+        raise ApiError(
+            error_code="process_instance_not_runnable",
+            message=(
+                f"Process Instance ({process_instance.id}) has status "
+                f"{process_instance.status} which does not allow tasks to be submitted."
+            ),
+            status_code=400,
+        )
+
+    processor = ProcessInstanceProcessor(process_instance)
+    spiff_task = _get_spiff_task_from_process_instance(
+        task_id, process_instance, processor=processor
+    )
+    AuthorizationService.assert_user_can_complete_spiff_task(
+        process_instance.id, spiff_task, principal.user
+    )
+
+    if spiff_task.state != TaskState.READY:
+        raise (
+            ApiError(
+                error_code="invalid_state",
+                message="You may not update a task unless it is in the READY state.",
+                status_code=400,
+            )
+        )
+
+    if terminate_loop and spiff_task.is_looping():
+        spiff_task.terminate_loop()
+
+    human_task = HumanTaskModel.query.filter_by(
+        process_instance_id=process_instance_id, task_id=task_id, completed=False
+    ).first()
+    if human_task is None:
+        raise (
+            ApiError(
+                error_code="no_human_task",
+                message=(
+                    f"Cannot find a task to complete for task id '{task_id}' and"
+                    f" process instance {process_instance_id}."
+                ),
+                status_code=500,
+            )
+        )
+
+    ProcessInstanceService.complete_form_task(
+        processor=processor,
+        spiff_task=spiff_task,
+        data=body,
+        user=g.user,
+        human_task=human_task,
+    )
+
+    # If we need to update all tasks, then get the next ready task and if it a multi-instance with the same
+    # task spec, complete that form as well.
+    # if update_all:
+    #     last_index = spiff_task.task_info()["mi_index"]
+    #     next_task = processor.next_task()
+    #     while next_task and next_task.task_info()["mi_index"] > last_index:
+    #         __update_task(processor, next_task, form_data, user)
+    #         last_index = next_task.task_info()["mi_index"]
+    #         next_task = processor.next_task()
+
+    next_human_task_assigned_to_me = (
+        HumanTaskModel.query.filter_by(
+            process_instance_id=process_instance_id, completed=False
+        )
+        .order_by(asc(HumanTaskModel.id))  # type: ignore
+        .join(HumanTaskUserModel)
+        .filter_by(user_id=principal.user_id)
+        .first()
+    )
+    if next_human_task_assigned_to_me:
+        return make_response(
+            jsonify(HumanTaskModel.to_task(next_human_task_assigned_to_me)), 200
+        )
+
+    return Response(json.dumps({"ok": True}), status=202, mimetype="application/json")
+
+
+def _get_tasks(
+    processes_started_by_user: bool = True,
+    has_lane_assignment_id: bool = True,
+    page: int = 1,
+    per_page: int = 100,
+    user_group_identifier: Optional[str] = None,
+) -> flask.wrappers.Response:
+    """Get_tasks."""
+    user_id = g.user.id
+
+    # use distinct to ensure we only get one row per human task otherwise
+    # we can get back multiple for the same human task row which throws off
+    # pagination later on
+    # https://stackoverflow.com/q/34582014/6090676
+    human_tasks_query = (
+        db.session.query(HumanTaskModel)
+        .group_by(HumanTaskModel.id)  # type: ignore
+        .outerjoin(GroupModel, GroupModel.id == HumanTaskModel.lane_assignment_id)
+        .join(ProcessInstanceModel)
+        .join(UserModel, UserModel.id == ProcessInstanceModel.process_initiator_id)
+        .filter(HumanTaskModel.completed == False)  # noqa: E712
+    )
+
+    assigned_user = aliased(UserModel)
+    if processes_started_by_user:
+        human_tasks_query = (
+            human_tasks_query.filter(
+                ProcessInstanceModel.process_initiator_id == user_id
+            )
+            .outerjoin(
+                HumanTaskUserModel,
+                HumanTaskModel.id == HumanTaskUserModel.human_task_id,
+            )
+            .outerjoin(assigned_user, assigned_user.id == HumanTaskUserModel.user_id)
+        )
+    else:
+        human_tasks_query = human_tasks_query.filter(
+            ProcessInstanceModel.process_initiator_id != user_id
+        ).join(
+            HumanTaskUserModel,
+            and_(
+                HumanTaskUserModel.user_id == user_id,
+                HumanTaskModel.id == HumanTaskUserModel.human_task_id,
+            ),
+        )
+        if has_lane_assignment_id:
+            if user_group_identifier:
+                human_tasks_query = human_tasks_query.filter(
+                    GroupModel.identifier == user_group_identifier
+                )
+            else:
+                human_tasks_query = human_tasks_query.filter(
+                    HumanTaskModel.lane_assignment_id.is_not(None)  # type: ignore
+                )
+        else:
+            human_tasks_query = human_tasks_query.filter(HumanTaskModel.lane_assignment_id.is_(None))  # type: ignore
+
+    human_tasks = (
+        human_tasks_query.add_columns(
+            ProcessInstanceModel.process_model_identifier,
+            ProcessInstanceModel.status.label("process_instance_status"),  # type: ignore
+            ProcessInstanceModel.updated_at_in_seconds,
+            ProcessInstanceModel.created_at_in_seconds,
+            UserModel.username.label("process_initiator_username"),  # type: ignore
+            GroupModel.identifier.label("assigned_user_group_identifier"),
+            HumanTaskModel.task_name,
+            HumanTaskModel.task_title,
+            HumanTaskModel.process_model_display_name,
+            HumanTaskModel.process_instance_id,
+            func.group_concat(assigned_user.username.distinct()).label(
+                "potential_owner_usernames"
+            ),
+        )
+        .order_by(desc(HumanTaskModel.id))  # type: ignore
+        .paginate(page=page, per_page=per_page, error_out=False)
+    )
+
+    response_json = {
+        "results": human_tasks.items,
+        "pagination": {
+            "count": len(human_tasks.items),
+            "total": human_tasks.total,
+            "pages": human_tasks.pages,
+        },
+    }
+
+    return make_response(jsonify(response_json), 200)
+
+
+def _prepare_form_data(
+    form_file: str, task_data: Union[dict, None], process_model: ProcessModelInfo
+) -> str:
+    """Prepare_form_data."""
+    if task_data is None:
+        return ""
+
+    file_contents = SpecFileService.get_data(process_model, form_file).decode("utf-8")
+    return _render_jinja_template(file_contents, task_data)
+
+
+def _render_jinja_template(unprocessed_template: str, data: dict[str, Any]) -> str:
+    """Render_jinja_template."""
+    jinja_environment = jinja2.Environment(
+        autoescape=True, lstrip_blocks=True, trim_blocks=True
+    )
+    template = jinja_environment.from_string(unprocessed_template)
+    return template.render(**data)
+
+
+def _get_spiff_task_from_process_instance(
+    task_id: str,
+    process_instance: ProcessInstanceModel,
+    processor: Union[ProcessInstanceProcessor, None] = None,
+) -> SpiffTask:
+    """Get_spiff_task_from_process_instance."""
+    if processor is None:
+        processor = ProcessInstanceProcessor(process_instance)
+    task_uuid = uuid.UUID(task_id)
+    spiff_task = processor.bpmn_process_instance.get_task(task_uuid)
+
+    if spiff_task is None:
+        raise (
+            ApiError(
+                error_code="empty_task",
+                message="Processor failed to obtain task.",
+                status_code=500,
+            )
+        )
+    return spiff_task
+
+
+# originally from: https://bitcoden.com/answers/python-nested-dictionary-update-value-where-any-nested-key-matches
+def _update_form_schema_with_task_data_as_needed(
+    in_dict: dict, task_data: dict
+) -> None:
+    """Update_nested."""
+    for k, value in in_dict.items():
+        if "anyOf" == k:
+            # value will look like the array on the right of "anyOf": ["options_from_task_data_var:awesome_options"]
+            if isinstance(value, list):
+                if len(value) == 1:
+                    first_element_in_value_list = value[0]
+                    if isinstance(first_element_in_value_list, str):
+                        if first_element_in_value_list.startswith(
+                            "options_from_task_data_var:"
+                        ):
+                            task_data_var = first_element_in_value_list.replace(
+                                "options_from_task_data_var:", ""
+                            )
+
+                            if task_data_var not in task_data:
+                                raise (
+                                    ApiError(
+                                        error_code="missing_task_data_var",
+                                        message=(
+                                            "Task data is missing variable:"
+                                            f" {task_data_var}"
+                                        ),
+                                        status_code=500,
+                                    )
+                                )
+
+                            select_options_from_task_data = task_data.get(task_data_var)
+                            if isinstance(select_options_from_task_data, list):
+                                if all(
+                                    "value" in d and "label" in d
+                                    for d in select_options_from_task_data
+                                ):
+
+                                    def map_function(
+                                        task_data_select_option: TaskDataSelectOption,
+                                    ) -> ReactJsonSchemaSelectOption:
+                                        """Map_function."""
+                                        return {
+                                            "type": "string",
+                                            "enum": [task_data_select_option["value"]],
+                                            "title": task_data_select_option["label"],
+                                        }
+
+                                    options_for_react_json_schema_form = list(
+                                        map(map_function, select_options_from_task_data)
+                                    )
+
+                                    in_dict[k] = options_for_react_json_schema_form
+        elif isinstance(value, dict):
+            _update_form_schema_with_task_data_as_needed(value, task_data)
+        elif isinstance(value, list):
+            for o in value:
+                if isinstance(o, dict):
+                    _update_form_schema_with_task_data_as_needed(o, task_data)
--- a/src/spiffworkflow_backend/routes/user.py
+++ b/src/spiffworkflow_backend/routes/user.py
@ -67,16 +67,19 @@ def verify_token(
                        user_model = get_user_from_decoded_internal_token(decoded_token)
                    except Exception as e:
                        current_app.logger.error(
-                            f"Exception in verify_token getting user from decoded internal token. {e}"
+                            "Exception in verify_token getting user from decoded"
+                            f" internal token. {e}"
                        )
            elif "iss" in decoded_token.keys():
                try:
                    if AuthenticationService.validate_id_token(token):
                        user_info = decoded_token
-                except ApiError as ae:  # API Error is only thrown in the token is outdated.
+                except (
+                    ApiError
+                ) as ae:  # API Error is only thrown in the token is outdated.
                    # Try to refresh the token
                    user = UserService.get_user_by_service_and_service_id(
-                        "open_id", decoded_token["sub"]
+                        decoded_token["iss"], decoded_token["sub"]
                    )
                    if user:
                        refresh_token = AuthenticationService.get_refresh_token(user.id)
@ -105,10 +108,12 @@ def verify_token(
                    ) from e

                if (
-                    user_info is not None and "error" not in user_info
+                    user_info is not None
+                    and "error" not in user_info
+                    and "iss" in user_info
                ):  # not sure what to test yet
                    user_model = (
-                        UserModel.query.filter(UserModel.service == "open_id")
+                        UserModel.query.filter(UserModel.service == user_info["iss"])
                        .filter(UserModel.service_id == user_info["sub"])
                        .first()
                    )
@ -293,7 +298,6 @@ def get_decoded_token(token: str) -> Optional[Dict]:
    try:
        decoded_token = jwt.decode(token, options={"verify_signature": False})
    except Exception as e:
-        print(f"Exception in get_token_type: {e}")
        raise ApiError(
            error_code="invalid_token", message="Cannot decode token."
        ) from e
@ -341,9 +345,5 @@ def get_user_from_decoded_internal_token(decoded_token: dict) -> Optional[UserMo
    )
    if user:
        return user
-    user = UserModel(
-        username=service_id,
-        service=service,
-        service_id=service_id,
-    )
+    user = UserService.create_user(service_id, service, service_id)
    return user
--- a/src/spiffworkflow_backend/routes/user_blueprint.py
+++ b/src/spiffworkflow_backend/routes/user_blueprint.py
@ -26,6 +26,7 @@ user_blueprint = Blueprint("main", __name__)
 #     user = UserService.create_user('internal', username)
 #     return Response(json.dumps({"id": user.id}), status=201, mimetype=APPLICATION_JSON)

+
 # def _create_user(username):
 #     user = UserModel.query.filter_by(username=username).first()
 #     if user is not None:
--- a/src/spiffworkflow_backend/routes/users_controller.py
+++ b/src/spiffworkflow_backend/routes/users_controller.py
@ -0,0 +1,26 @@
+"""Users_controller."""
+import flask
+from flask import g
+from flask import jsonify
+from flask import make_response
+
+from spiffworkflow_backend.models.user import UserModel
+
+
+def user_search(username_prefix: str) -> flask.wrappers.Response:
+    """User_search."""
+    found_users = UserModel.query.filter(UserModel.username.like(f"{username_prefix}%")).all()  # type: ignore
+
+    response_json = {
+        "users": found_users,
+        "username_prefix": username_prefix,
+    }
+    return make_response(jsonify(response_json), 200)
+
+
+def user_group_list_for_current_user() -> flask.wrappers.Response:
+    """User_group_list_for_current_user."""
+    groups = g.user.groups
+    # TODO: filter out the default group and have a way to know what is the default group
+    group_identifiers = [i.identifier for i in groups if i.identifier != "everybody"]
+    return make_response(jsonify(sorted(group_identifiers)), 200)
--- a/src/spiffworkflow_backend/scripts/add_user_to_group.py
+++ b/src/spiffworkflow_backend/scripts/add_user_to_group.py
@ -1,43 +0,0 @@
-"""Get_env."""
-from typing import Any
-
-from spiffworkflow_backend.models.group import GroupModel
-from spiffworkflow_backend.models.group import GroupNotFoundError
-from spiffworkflow_backend.models.script_attributes_context import (
-    ScriptAttributesContext,
-)
-from spiffworkflow_backend.models.user import UserModel
-from spiffworkflow_backend.models.user import UserNotFoundError
-from spiffworkflow_backend.scripts.script import Script
-from spiffworkflow_backend.services.user_service import UserService
-
-
-class AddUserToGroup(Script):
-    """AddUserToGroup."""
-
-    def get_description(self) -> str:
-        """Get_description."""
-        return """Add a given user to a given group."""
-
-    def run(
-        self,
-        script_attributes_context: ScriptAttributesContext,
-        *args: Any,
-        **kwargs: Any,
-    ) -> Any:
-        """Run."""
-        username = args[0]
-        group_identifier = args[1]
-        user = UserModel.query.filter_by(username=username).first()
-        if user is None:
-            raise UserNotFoundError(
-                f"Script 'add_user_to_group' could not find a user with username: {username}"
-            )
-
-        group = GroupModel.query.filter_by(identifier=group_identifier).first()
-        if group is None:
-            raise GroupNotFoundError(
-                f"Script 'add_user_to_group' could not find group with identifier '{group_identifier}'."
-            )
-
-        UserService.add_user_to_group(user, group)
--- a/src/spiffworkflow_backend/scripts/delete_process_instances_with_criteria.py
+++ b/src/spiffworkflow_backend/scripts/delete_process_instances_with_criteria.py
@ -0,0 +1,63 @@
+"""Delete_process_instances_with_criteria."""
+from time import time
+from typing import Any
+
+from flask_bpmn.models.db import db
+from sqlalchemy import or_
+
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+from spiffworkflow_backend.models.script_attributes_context import (
+    ScriptAttributesContext,
+)
+from spiffworkflow_backend.models.spiff_step_details import SpiffStepDetailsModel
+from spiffworkflow_backend.scripts.script import Script
+
+
+class DeleteProcessInstancesWithCriteria(Script):
+    """DeleteProcessInstancesWithCriteria."""
+
+    def get_description(self) -> str:
+        """Get_description."""
+        return "Delete process instances that match the provided criteria,"
+
+    def run(
+        self,
+        script_attributes_context: ScriptAttributesContext,
+        *args: Any,
+        **kwargs: Any,
+    ) -> Any:
+        """Run."""
+        criteria_list = args[0]
+
+        delete_criteria = []
+        delete_time = time()
+
+        for criteria in criteria_list:
+            delete_criteria.append(
+                (ProcessInstanceModel.process_model_identifier == criteria["name"])
+                & ProcessInstanceModel.status.in_(criteria["status"])  # type: ignore
+                & (
+                    ProcessInstanceModel.updated_at_in_seconds
+                    < (delete_time - criteria["last_updated_delta"])
+                )
+            )
+
+        results = (
+            ProcessInstanceModel.query.filter(or_(*delete_criteria)).limit(100).all()
+        )
+        rows_affected = len(results)
+
+        if rows_affected > 0:
+            ids_to_delete = list(map(lambda r: r.id, results))  # type: ignore
+
+            step_details = SpiffStepDetailsModel.query.filter(
+                SpiffStepDetailsModel.process_instance_id.in_(ids_to_delete)  # type: ignore
+            ).all()
+
+            for deletion in step_details:
+                db.session.delete(deletion)
+            for deletion in results:
+                db.session.delete(deletion)
+            db.session.commit()
+
+        return rows_affected
--- a/src/spiffworkflow_backend/scripts/fact_service.py
+++ b/src/spiffworkflow_backend/scripts/fact_service.py
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
 class FactService(Script):
    """FactService."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Just your basic class that can pull in data from a few api endpoints and
@ -30,7 +35,10 @@ class FactService(Script):
        if fact == "cat":
            details = "The cat in the hat"  # self.get_cat()
        elif fact == "norris":
-            details = "Chuck Norris doesn’t read books. He stares them down until he gets the information he wants."
+            details = (
+                "Chuck Norris doesn’t read books. He stares them down until he gets the"
+                " information he wants."
+            )
        elif fact == "buzzword":
            details = "Move the Needle."  # self.get_buzzword()
        else:
--- a/src/spiffworkflow_backend/scripts/get_all_permissions.py
+++ b/src/spiffworkflow_backend/scripts/get_all_permissions.py
@ -0,0 +1,71 @@
+"""Get_env."""
+from collections import OrderedDict
+from typing import Any
+
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+from spiffworkflow_backend.models.permission_target import PermissionTargetModel
+from spiffworkflow_backend.models.principal import PrincipalModel
+from spiffworkflow_backend.models.script_attributes_context import (
+    ScriptAttributesContext,
+)
+from spiffworkflow_backend.scripts.script import Script
+
+
+class GetAllPermissions(Script):
+    """GetAllPermissions."""
+
+    def get_description(self) -> str:
+        """Get_description."""
+        return """Get all permissions currently in the system."""
+
+    def run(
+        self,
+        script_attributes_context: ScriptAttributesContext,
+        *args: Any,
+        **kwargs: Any,
+    ) -> Any:
+        """Run."""
+        permission_assignments = (
+            PermissionAssignmentModel.query.join(
+                PrincipalModel,
+                PrincipalModel.id == PermissionAssignmentModel.principal_id,
+            )
+            .join(GroupModel, GroupModel.id == PrincipalModel.group_id)
+            .join(
+                PermissionTargetModel,
+                PermissionTargetModel.id
+                == PermissionAssignmentModel.permission_target_id,
+            )
+            .add_columns(
+                PermissionAssignmentModel.permission,
+                PermissionTargetModel.uri,
+                GroupModel.identifier.label("group_identifier"),
+            )
+        )
+
+        permissions: OrderedDict[tuple[str, str], list[str]] = OrderedDict()
+        for pa in permission_assignments:
+            permissions.setdefault((pa.group_identifier, pa.uri), []).append(
+                pa.permission
+            )
+
+        def replace_suffix(string: str, old: str, new: str) -> str:
+            """Replace_suffix."""
+            if string.endswith(old):
+                return string[: -len(old)] + new
+            return string
+
+        # sort list of strings based on a specific order
+        def sort_by_order(string_list: list, order: list) -> list:
+            """Sort_by_order."""
+            return sorted(string_list, key=lambda x: order.index(x))
+
+        return [
+            {
+                "group_identifier": k[0],
+                "uri": replace_suffix(k[1], "%", "*"),
+                "permissions": sort_by_order(v, ["create", "read", "update", "delete"]),
+            }
+            for k, v in permissions.items()
+        ]
--- a/src/spiffworkflow_backend/scripts/get_current_user.py
+++ b/src/spiffworkflow_backend/scripts/get_current_user.py
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetCurrentUser(Script):
    """GetCurrentUser."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Return the current user."""
--- a/src/spiffworkflow_backend/scripts/get_env.py
+++ b/src/spiffworkflow_backend/scripts/get_env.py
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetEnv(Script):
    """GetEnv."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Returns the current environment - ie testing, staging, production."""
--- a/src/spiffworkflow_backend/scripts/get_frontend_url.py
+++ b/src/spiffworkflow_backend/scripts/get_frontend_url.py
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetFrontendUrl(Script):
    """GetFrontendUrl."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Return the url to the frontend."""
--- a/src/spiffworkflow_backend/scripts/get_group_members.py
+++ b/src/spiffworkflow_backend/scripts/get_group_members.py
@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetGroupMembers(Script):
    """GetGroupMembers."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Return the list of usernames of the users in the given group."""
@ -27,7 +32,8 @@ class GetGroupMembers(Script):
        group = GroupModel.query.filter_by(identifier=group_identifier).first()
        if group is None:
            raise GroupNotFoundError(
-                f"Script 'get_group_members' could not find group with identifier '{group_identifier}'."
+                "Script 'get_group_members' could not find group with identifier"
+                f" '{group_identifier}'."
            )

        usernames = [u.username for u in group.users]
--- a/src/spiffworkflow_backend/scripts/get_localtime.py
+++ b/src/spiffworkflow_backend/scripts/get_localtime.py
@ -14,6 +14,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetLocaltime(Script):
    """GetLocaltime."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Converts a Datetime object into a Datetime object for a specific timezone.
--- a/src/spiffworkflow_backend/scripts/get_process_info.py
+++ b/src/spiffworkflow_backend/scripts/get_process_info.py
@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetProcessInfo(Script):
    """GetProcessInfo."""

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
    def get_description(self) -> str:
        """Get_description."""
        return """Returns a dictionary of information about the currently running process."""
@ -23,5 +28,7 @@ class GetProcessInfo(Script):
        """Run."""
        return {
            "process_instance_id": script_attributes_context.process_instance_id,
-            "process_model_identifier": script_attributes_context.process_model_identifier,
+            "process_model_identifier": (
+                script_attributes_context.process_model_identifier
+            ),
        }
--- a/src/spiffworkflow_backend/scripts/get_secret.py
+++ b/src/spiffworkflow_backend/scripts/get_secret.py
@ -0,0 +1,25 @@
+"""Get_secret."""
+from typing import Any
+
+from spiffworkflow_backend.models.script_attributes_context import (
+    ScriptAttributesContext,
+)
+from spiffworkflow_backend.scripts.script import Script
+from spiffworkflow_backend.services.secret_service import SecretService
+
+
+class GetSecret(Script):
+    """GetSecret."""
+
+    def get_description(self) -> str:
+        """Get_description."""
+        return """Returns the value for a previously configured secret."""
+
+    def run(
+        self,
+        script_attributes_context: ScriptAttributesContext,
+        *args: Any,
+        **kwargs: Any
+    ) -> Any:
+        """Run."""
+        return SecretService.get_secret(args[0]).value
--- a/src/spiffworkflow_backend/scripts/refresh_permissions.py
+++ b/src/spiffworkflow_backend/scripts/refresh_permissions.py
@ -0,0 +1,39 @@
+"""Get_env."""
+from typing import Any
+
+from spiffworkflow_backend.models.script_attributes_context import (
+    ScriptAttributesContext,
+)
+from spiffworkflow_backend.scripts.script import Script
+from spiffworkflow_backend.services.authorization_service import AuthorizationService
+
+
+class RefreshPermissions(Script):
+    """RefreshPermissions."""
+
+    def get_description(self) -> str:
+        """Get_description."""
+        return """Add permissions using a dict.
+            group_info: [
+                {
+                    'name': group_identifier,
+                    'users': array_of_users,
+                    'permissions': [
+                        {
+                            'actions': array_of_actions - create, read, etc,
+                            'uri': target_uri
+                        }
+                    ]
+                }
+            ]
+            """
+
+    def run(
+        self,
+        script_attributes_context: ScriptAttributesContext,
+        *args: Any,
+        **kwargs: Any,
+    ) -> Any:
+        """Run."""
+        group_info = args[0]
+        AuthorizationService.refresh_permissions(group_info)
--- a/src/spiffworkflow_backend/scripts/script.py
+++ b/src/spiffworkflow_backend/scripts/script.py
@ -10,9 +10,12 @@ from typing import Callable

 from flask_bpmn.api.api_error import ApiError

+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceNotFoundError
 from spiffworkflow_backend.models.script_attributes_context import (
    ScriptAttributesContext,
 )
+from spiffworkflow_backend.services.authorization_service import AuthorizationService

 # Generally speaking, having some global in a flask app is TERRIBLE.
 # This is here, because after loading the application this will never change under
@ -20,6 +23,10 @@ from spiffworkflow_backend.models.script_attributes_context import (
 SCRIPT_SUB_CLASSES = None


+class ScriptUnauthorizedForUserError(Exception):
+    """ScriptUnauthorizedForUserError."""
+
+
 class Script:
    """Provides an abstract class that defines how scripts should work, this must be extended in all Script Tasks."""

@ -43,6 +50,15 @@ class Script:
            + "does not properly implement the run function.",
        )

+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """It seems safer to default to True and make safe functions opt in for any user to run them.
+
+        To give access to script for a given user, add a 'create' permission with following target-uri:
+            '/can-run-privileged-script/{script_name}'
+        """
+        return True
+
    @staticmethod
    def generate_augmented_list(
        script_attributes_context: ScriptAttributesContext,
@ -71,18 +87,52 @@ class Script:
            that we created.
            """
            instance = subclass()
-            return lambda *ar, **kw: subclass.run(
-                instance,
-                script_attributes_context,
-                *ar,
-                **kw,
-            )
+
+            def check_script_permission() -> None:
+                """Check_script_permission."""
+                if subclass.requires_privileged_permissions():
+                    script_function_name = get_script_function_name(subclass)
+                    uri = f"/can-run-privileged-script/{script_function_name}"
+                    process_instance = ProcessInstanceModel.query.filter_by(
+                        id=script_attributes_context.process_instance_id
+                    ).first()
+                    if process_instance is None:
+                        raise ProcessInstanceNotFoundError(
+                            "Could not find a process instance with id"
+                            f" '{script_attributes_context.process_instance_id}' when"
+                            f" running script '{script_function_name}'"
+                        )
+                    user = process_instance.process_initiator
+                    has_permission = AuthorizationService.user_has_permission(
+                        user=user, permission="create", target_uri=uri
+                    )
+                    if not has_permission:
+                        raise ScriptUnauthorizedForUserError(
+                            f"User {user.username} does not have access to run"
+                            f" privileged script '{script_function_name}'"
+                        )
+
+            def run_script_if_allowed(*ar: Any, **kw: Any) -> Any:
+                """Run_script_if_allowed."""
+                check_script_permission()
+                return subclass.run(
+                    instance,
+                    script_attributes_context,
+                    *ar,
+                    **kw,
+                )
+
+            return run_script_if_allowed
+
+        def get_script_function_name(subclass: type[Script]) -> str:
+            """Get_script_function_name."""
+            return subclass.__module__.split(".")[-1]

        execlist = {}
        subclasses = Script.get_all_subclasses()
        for x in range(len(subclasses)):
            subclass = subclasses[x]
-            execlist[subclass.__module__.split(".")[-1]] = make_closure(
+            execlist[get_script_function_name(subclass)] = make_closure(
                subclass, script_attributes_context=script_attributes_context
            )
        return execlist
@ -101,7 +151,7 @@ class Script:
        """_get_all_subclasses."""
        # hackish mess to make sure we have all the modules loaded for the scripts
        pkg_dir = os.path.dirname(__file__)
-        for (_module_loader, name, _ispkg) in pkgutil.iter_modules([pkg_dir]):
+        for _module_loader, name, _ispkg in pkgutil.iter_modules([pkg_dir]):
            importlib.import_module("." + name, __package__)

        """Returns a list of all classes that extend this class."""
--- a/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
+++ b/src/spiffworkflow_backend/services/acceptance_test_fixtures.py
@ -29,7 +29,6 @@ def load_acceptance_test_fixtures() -> list[ProcessInstanceModel]:
    # suspended - 6 hours ago
    process_instances = []
    for i in range(len(statuses)):
-
        process_instance = ProcessInstanceService.create_process_instance_from_process_model_identifier(
            test_process_model_id, user
        )
--- a/src/spiffworkflow_backend/services/authentication_service.py
+++ b/src/spiffworkflow_backend/services/authentication_service.py
@ -52,12 +52,15 @@ class AuthenticationService:
    @classmethod
    def open_id_endpoint_for_name(cls, name: str) -> str:
        """All openid systems provide a mapping of static names to the full path of that endpoint."""
+        openid_config_url = f"{cls.server_url()}/.well-known/openid-configuration"
        if name not in AuthenticationService.ENDPOINT_CACHE:
-            request_url = f"{cls.server_url()}/.well-known/openid-configuration"
-            response = requests.get(request_url)
+            response = requests.get(openid_config_url)
            AuthenticationService.ENDPOINT_CACHE = response.json()
        if name not in AuthenticationService.ENDPOINT_CACHE:
-            raise Exception(f"Unknown OpenID Endpoint: {name}")
+            raise Exception(
+                f"Unknown OpenID Endpoint: {name}. Tried to get from"
+                f" {openid_config_url}"
+            )
        return AuthenticationService.ENDPOINT_CACHE.get(name, "")

    @staticmethod
@ -93,7 +96,7 @@ class AuthenticationService:
            + f"?state={state}&"
            + "response_type=code&"
            + f"client_id={self.client_id()}&"
-            + "scope=openid&"
+            + "scope=openid profile email&"
            + f"redirect_uri={return_redirect_url}"
        )
        return login_redirect_url
--- a/src/spiffworkflow_backend/services/authorization_service.py
+++ b/src/spiffworkflow_backend/services/authorization_service.py
@ -1,10 +1,14 @@
 """Authorization_service."""
 import inspect
 import re
+from dataclasses import dataclass
 from hashlib import sha256
 from hmac import compare_digest
 from hmac import HMAC
+from typing import Any
 from typing import Optional
+from typing import Set
+from typing import TypedDict
 from typing import Union

 import jwt
@ -19,8 +23,9 @@ from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 from sqlalchemy import or_
 from sqlalchemy import text

-from spiffworkflow_backend.models.active_task import ActiveTaskModel
+from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
 from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
 from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
 from spiffworkflow_backend.models.permission_target import PermissionTargetModel
 from spiffworkflow_backend.models.principal import MissingPrincipalError
@ -37,14 +42,48 @@ class PermissionsFileNotSetError(Exception):
    """PermissionsFileNotSetError."""


-class ActiveTaskNotFoundError(Exception):
-    """ActiveTaskNotFoundError."""
+class HumanTaskNotFoundError(Exception):
+    """HumanTaskNotFoundError."""


 class UserDoesNotHaveAccessToTaskError(Exception):
    """UserDoesNotHaveAccessToTaskError."""


+class InvalidPermissionError(Exception):
+    """InvalidPermissionError."""
+
+
+@dataclass
+class PermissionToAssign:
+    """PermissionToAssign."""
+
+    permission: str
+    target_uri: str
+
+
+# the relevant permissions are the only API methods that are currently available for each path prefix.
+# if we add further API methods, we'll need to evaluate whether they should be added here.
+PATH_SEGMENTS_FOR_PERMISSION_ALL = [
+    {"path": "/logs", "relevant_permissions": ["read"]},
+    {
+        "path": "/process-instances",
+        "relevant_permissions": ["create", "read", "delete"],
+    },
+    {"path": "/process-instance-suspend", "relevant_permissions": ["create"]},
+    {"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
+    {"path": "/task-data", "relevant_permissions": ["read", "update"]},
+    {"path": "/process-data", "relevant_permissions": ["read"]},
+]
+
+
+class DesiredPermissionDict(TypedDict):
+    """DesiredPermissionDict."""
+
+    group_identifiers: Set[str]
+    permission_assignments: list[PermissionAssignmentModel]
+
+
 class AuthorizationService:
    """Determine whether a user has permission to perform their request."""

@ -75,6 +114,7 @@ class AuthorizationService:
    ) -> bool:
        """Has_permission."""
        principal_ids = [p.id for p in principals]
+        target_uri_normalized = target_uri.removeprefix(V1_API_PATH_PREFIX)

        permission_assignments = (
            PermissionAssignmentModel.query.filter(
@ -84,10 +124,13 @@ class AuthorizationService:
            .join(PermissionTargetModel)
            .filter(
                or_(
-                    text(f"'{target_uri}' LIKE permission_target.uri"),
+                    text(f"'{target_uri_normalized}' LIKE permission_target.uri"),
                    # to check for exact matches as well
                    # see test_user_can_access_base_path_when_given_wildcard_permission unit test
-                    text(f"'{target_uri}' = replace(permission_target.uri, '/%', '')"),
+                    text(
+                        f"'{target_uri_normalized}' ="
+                        " replace(replace(permission_target.uri, '/%', ''), ':%', '')"
+                    ),
                )
            )
            .all()
@ -127,17 +170,15 @@ class AuthorizationService:
        return cls.has_permission(principals, permission, target_uri)

    @classmethod
-    def delete_all_permissions_and_recreate(cls) -> None:
-        """Delete_all_permissions_and_recreate."""
+    def delete_all_permissions(cls) -> None:
+        """Delete_all_permissions_and_recreate.  EXCEPT For permissions for the current user?"""
        for model in [PermissionAssignmentModel, PermissionTargetModel]:
            db.session.query(model).delete()

        # cascading to principals doesn't seem to work when attempting to delete all so do it like this instead
        for group in GroupModel.query.all():
            db.session.delete(group)
-
        db.session.commit()
-        cls.import_permissions_from_yaml_file()

    @classmethod
    def associate_user_with_group(cls, user: UserModel, group: GroupModel) -> None:
@ -155,12 +196,13 @@ class AuthorizationService:
    @classmethod
    def import_permissions_from_yaml_file(
        cls, raise_if_missing_user: bool = False
-    ) -> None:
+    ) -> DesiredPermissionDict:
        """Import_permissions_from_yaml_file."""
        if current_app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"] is None:
            raise (
                PermissionsFileNotSetError(
-                    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME needs to be set in order to import permissions"
+                    "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME needs to be set in"
+                    " order to import permissions"
                )
            )

@ -169,13 +211,16 @@ class AuthorizationService:
            permission_configs = yaml.safe_load(file)

        default_group = None
+        unique_user_group_identifiers: Set[str] = set()
        if "default_group" in permission_configs:
            default_group_identifier = permission_configs["default_group"]
            default_group = GroupService.find_or_create_group(default_group_identifier)
+            unique_user_group_identifiers.add(default_group_identifier)

        if "groups" in permission_configs:
            for group_identifier, group_config in permission_configs["groups"].items():
                group = GroupService.find_or_create_group(group_identifier)
+                unique_user_group_identifiers.add(group_identifier)
                for username in group_config["users"]:
                    user = UserModel.query.filter_by(username=username).first()
                    if user is None:
@ -188,26 +233,25 @@ class AuthorizationService:
                        continue
                    cls.associate_user_with_group(user, group)

+        permission_assignments = []
        if "permissions" in permission_configs:
            for _permission_identifier, permission_config in permission_configs[
                "permissions"
            ].items():
                uri = permission_config["uri"]
-                uri_with_percent = re.sub(r"\*", "%", uri)
-                permission_target = PermissionTargetModel.query.filter_by(
-                    uri=uri_with_percent
-                ).first()
-                if permission_target is None:
-                    permission_target = PermissionTargetModel(uri=uri_with_percent)
-                    db.session.add(permission_target)
-                    db.session.commit()
+                permission_target = cls.find_or_create_permission_target(uri)

                for allowed_permission in permission_config["allowed_permissions"]:
                    if "groups" in permission_config:
                        for group_identifier in permission_config["groups"]:
                            group = GroupService.find_or_create_group(group_identifier)
-                            cls.create_permission_for_principal(
-                                group.principal, permission_target, allowed_permission
+                            unique_user_group_identifiers.add(group_identifier)
+                            permission_assignments.append(
+                                cls.create_permission_for_principal(
+                                    group.principal,
+                                    permission_target,
+                                    allowed_permission,
+                                )
                            )
                    if "users" in permission_config:
                        for username in permission_config["users"]:
@ -218,14 +262,35 @@ class AuthorizationService:
                                    .filter(UserModel.username == username)
                                    .first()
                                )
-                                cls.create_permission_for_principal(
-                                    principal, permission_target, allowed_permission
+                                permission_assignments.append(
+                                    cls.create_permission_for_principal(
+                                        principal, permission_target, allowed_permission
+                                    )
                                )

        if default_group is not None:
            for user in UserModel.query.all():
                cls.associate_user_with_group(user, default_group)

+        return {
+            "group_identifiers": unique_user_group_identifiers,
+            "permission_assignments": permission_assignments,
+        }
+
+    @classmethod
+    def find_or_create_permission_target(cls, uri: str) -> PermissionTargetModel:
+        """Find_or_create_permission_target."""
+        uri_with_percent = re.sub(r"\*", "%", uri)
+        target_uri_normalized = uri_with_percent.removeprefix(V1_API_PATH_PREFIX)
+        permission_target: Optional[PermissionTargetModel] = (
+            PermissionTargetModel.query.filter_by(uri=target_uri_normalized).first()
+        )
+        if permission_target is None:
+            permission_target = PermissionTargetModel(uri=target_uri_normalized)
+            db.session.add(permission_target)
+            db.session.commit()
+        return permission_target
+
    @classmethod
    def create_permission_for_principal(
        cls,
@ -234,13 +299,13 @@ class AuthorizationService:
        permission: str,
    ) -> PermissionAssignmentModel:
        """Create_permission_for_principal."""
-        permission_assignment: Optional[
-            PermissionAssignmentModel
-        ] = PermissionAssignmentModel.query.filter_by(
-            principal_id=principal.id,
-            permission_target_id=permission_target.id,
-            permission=permission,
-        ).first()
+        permission_assignment: Optional[PermissionAssignmentModel] = (
+            PermissionAssignmentModel.query.filter_by(
+                principal_id=principal.id,
+                permission_target_id=permission_target.id,
+                permission=permission,
+            ).first()
+        )
        if permission_assignment is None:
            permission_assignment = PermissionAssignmentModel(
                principal_id=principal.id,
@ -340,7 +405,10 @@ class AuthorizationService:

        raise ApiError(
            error_code="unauthorized",
-            message=f"User {g.user.username} is not authorized to perform requested action: {permission_string} - {request.path}",
+            message=(
+                f"User {g.user.username} is not authorized to perform requested action:"
+                f" {permission_string} - {request.path}"
+            ),
            status_code=403,
        )

@ -419,7 +487,10 @@ class AuthorizationService:
        except jwt.InvalidTokenError as exception:
            raise ApiError(
                "token_invalid",
-                "The Authentication token you provided is invalid. You need a new token. ",
+                (
+                    "The Authentication token you provided is invalid. You need a new"
+                    " token. "
+                ),
            ) from exception

    @staticmethod
@ -429,53 +500,69 @@ class AuthorizationService:
        user: UserModel,
    ) -> bool:
        """Assert_user_can_complete_spiff_task."""
-        active_task = ActiveTaskModel.query.filter_by(
+        human_task = HumanTaskModel.query.filter_by(
            task_name=spiff_task.task_spec.name,
            process_instance_id=process_instance_id,
        ).first()
-        if active_task is None:
-            raise ActiveTaskNotFoundError(
-                f"Could find an active task with task name '{spiff_task.task_spec.name}'"
+        if human_task is None:
+            raise HumanTaskNotFoundError(
+                f"Could find an human task with task name '{spiff_task.task_spec.name}'"
                f" for process instance '{process_instance_id}'"
            )

-        if user not in active_task.potential_owners:
+        if user not in human_task.potential_owners:
            raise UserDoesNotHaveAccessToTaskError(
-                f"User {user.username} does not have access to update task'{spiff_task.task_spec.name}'"
-                f" for process instance '{process_instance_id}'"
+                f"User {user.username} does not have access to update"
+                f" task'{spiff_task.task_spec.name}' for process instance"
+                f" '{process_instance_id}'"
            )
        return True

    @classmethod
    def create_user_from_sign_in(cls, user_info: dict) -> UserModel:
        """Create_user_from_sign_in."""
+        """Name, family_name, given_name, middle_name, nickname, preferred_username,"""
+        """Profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. """
+        """Email."""
        is_new_user = False
        user_model = (
-            UserModel.query.filter(UserModel.service == "open_id")
+            UserModel.query.filter(UserModel.service == user_info["iss"])
            .filter(UserModel.service_id == user_info["sub"])
            .first()
        )
+        email = display_name = username = ""
+        if "email" in user_info:
+            username = user_info["email"]
+            email = user_info["email"]
+        else:  # we fall back to the sub, which may be very ugly.
+            username = user_info["sub"] + "@" + user_info["iss"]
+
+        if "preferred_username" in user_info:
+            display_name = user_info["preferred_username"]
+        elif "nickname" in user_info:
+            display_name = user_info["nickname"]
+        elif "name" in user_info:
+            display_name = user_info["name"]

        if user_model is None:
            current_app.logger.debug("create_user in login_return")
            is_new_user = True
-            name = username = email = ""
-            if "name" in user_info:
-                name = user_info["name"]
-            if "username" in user_info:
-                username = user_info["username"]
-            elif "preferred_username" in user_info:
-                username = user_info["preferred_username"]
-            if "email" in user_info:
-                email = user_info["email"]
            user_model = UserService().create_user(
-                service="open_id",
-                service_id=user_info["sub"],
-                name=name,
                username=username,
+                service=user_info["iss"],
+                service_id=user_info["sub"],
                email=email,
+                display_name=display_name,
            )

+        else:
+            # Update with the latest information
+            user_model.username = username
+            user_model.email = email
+            user_model.display_name = display_name
+            user_model.service = user_info["iss"]
+            user_model.service_id = user_info["sub"]
+
        # this may eventually get too slow.
        # when it does, be careful about backgrounding, because
        # the user will immediately need permissions to use the site.
@ -485,11 +572,255 @@ class AuthorizationService:
        cls.import_permissions_from_yaml_file()

        if is_new_user:
-            UserService.add_user_to_active_tasks_if_appropriate(user_model)
+            UserService.add_user_to_human_tasks_if_appropriate(user_model)

        # this cannot be None so ignore mypy
        return user_model  # type: ignore

+    @classmethod
+    def get_permissions_to_assign(
+        cls,
+        permission_set: str,
+        process_related_path_segment: str,
+        target_uris: list[str],
+    ) -> list[PermissionToAssign]:
+        """Get_permissions_to_assign."""
+        permissions = permission_set.split(",")
+        if permission_set == "all":
+            permissions = ["create", "read", "update", "delete"]
+
+        permissions_to_assign: list[PermissionToAssign] = []
+
+        # we were thinking that if you can start an instance, you ought to be able to view your own instances.
+        if permission_set == "start":
+            target_uri = f"/process-instances/{process_related_path_segment}"
+            permissions_to_assign.append(
+                PermissionToAssign(permission="create", target_uri=target_uri)
+            )
+            target_uri = f"/process-instances/for-me/{process_related_path_segment}"
+            permissions_to_assign.append(
+                PermissionToAssign(permission="read", target_uri=target_uri)
+            )
+
+        else:
+            if permission_set == "all":
+                for path_segment_dict in PATH_SEGMENTS_FOR_PERMISSION_ALL:
+                    target_uri = (
+                        f"{path_segment_dict['path']}/{process_related_path_segment}"
+                    )
+                    relevant_permissions = path_segment_dict["relevant_permissions"]
+                    for permission in relevant_permissions:
+                        permissions_to_assign.append(
+                            PermissionToAssign(
+                                permission=permission, target_uri=target_uri
+                            )
+                        )
+
+            for target_uri in target_uris:
+                for permission in permissions:
+                    permissions_to_assign.append(
+                        PermissionToAssign(permission=permission, target_uri=target_uri)
+                    )
+
+        return permissions_to_assign
+
+    @classmethod
+    def set_basic_permissions(cls) -> list[PermissionToAssign]:
+        """Set_basic_permissions."""
+        permissions_to_assign: list[PermissionToAssign] = []
+        permissions_to_assign.append(
+            PermissionToAssign(
+                permission="read", target_uri="/process-instances/for-me"
+            )
+        )
+        permissions_to_assign.append(
+            PermissionToAssign(permission="read", target_uri="/processes")
+        )
+        permissions_to_assign.append(
+            PermissionToAssign(permission="read", target_uri="/service-tasks")
+        )
+        permissions_to_assign.append(
+            PermissionToAssign(
+                permission="read", target_uri="/user-groups/for-current-user"
+            )
+        )
+        permissions_to_assign.append(
+            PermissionToAssign(
+                permission="read", target_uri="/process-instances/find-by-id/*"
+            )
+        )
+
+        for permission in ["create", "read", "update", "delete"]:
+            permissions_to_assign.append(
+                PermissionToAssign(
+                    permission=permission, target_uri="/process-instances/reports/*"
+                )
+            )
+            permissions_to_assign.append(
+                PermissionToAssign(permission=permission, target_uri="/tasks/*")
+            )
+        return permissions_to_assign
+
+    @classmethod
+    def set_process_group_permissions(
+        cls, target: str, permission_set: str
+    ) -> list[PermissionToAssign]:
+        """Set_process_group_permissions."""
+        permissions_to_assign: list[PermissionToAssign] = []
+        process_group_identifier = (
+            target.removeprefix("PG:").replace("/", ":").removeprefix(":")
+        )
+        process_related_path_segment = f"{process_group_identifier}:*"
+        if process_group_identifier == "ALL":
+            process_related_path_segment = "*"
+        target_uris = [
+            f"/process-groups/{process_related_path_segment}",
+            f"/process-models/{process_related_path_segment}",
+        ]
+        permissions_to_assign = permissions_to_assign + cls.get_permissions_to_assign(
+            permission_set, process_related_path_segment, target_uris
+        )
+        return permissions_to_assign
+
+    @classmethod
+    def set_process_model_permissions(
+        cls, target: str, permission_set: str
+    ) -> list[PermissionToAssign]:
+        """Set_process_model_permissions."""
+        permissions_to_assign: list[PermissionToAssign] = []
+        process_model_identifier = (
+            target.removeprefix("PM:").replace("/", ":").removeprefix(":")
+        )
+        process_related_path_segment = f"{process_model_identifier}/*"
+
+        if process_model_identifier == "ALL":
+            process_related_path_segment = "*"
+
+        target_uris = [f"/process-models/{process_related_path_segment}"]
+        permissions_to_assign = permissions_to_assign + cls.get_permissions_to_assign(
+            permission_set, process_related_path_segment, target_uris
+        )
+        return permissions_to_assign
+
+    @classmethod
+    def explode_permissions(
+        cls, permission_set: str, target: str
+    ) -> list[PermissionToAssign]:
+        """Explodes given permissions to and returns list of PermissionToAssign objects.
+
+        These can be used to then iterate through and inserted into the database.
+        Target Macros:
+            ALL
+                * gives access to ALL api endpoints - useful to give admin-like permissions
+            PG:[process_group_identifier]
+                * affects given process-group and all sub process-groups and process-models
+            PM:[process_model_identifier]
+                * affects given process-model
+            BASIC
+                * Basic access to complete tasks and use the site
+
+        Permission Macros:
+            all
+                * create, read, update, delete
+            start
+                * create process-instances (aka instantiate or start a process-model)
+                * only works with PG and PM target macros
+        """
+        permissions_to_assign: list[PermissionToAssign] = []
+        permissions = permission_set.split(",")
+        if permission_set == "all":
+            permissions = ["create", "read", "update", "delete"]
+
+        if target.startswith("PG:"):
+            permissions_to_assign += cls.set_process_group_permissions(
+                target, permission_set
+            )
+        elif target.startswith("PM:"):
+            permissions_to_assign += cls.set_process_model_permissions(
+                target, permission_set
+            )
+        elif permission_set == "start":
+            raise InvalidPermissionError(
+                "Permission 'start' is only available for macros PM and PG."
+            )
+
+        elif target.startswith("BASIC"):
+            permissions_to_assign += cls.set_basic_permissions()
+        elif target == "ALL":
+            for permission in permissions:
+                permissions_to_assign.append(
+                    PermissionToAssign(permission=permission, target_uri="/*")
+                )
+        elif target.startswith("/"):
+            for permission in permissions:
+                permissions_to_assign.append(
+                    PermissionToAssign(permission=permission, target_uri=target)
+                )
+        else:
+            raise InvalidPermissionError(
+                f"Target uri '{target}' with permission set '{permission_set}' is"
+                " invalid. The target uri must either be a macro of PG, PM, BASIC, or"
+                " ALL or an api uri."
+            )
+
+        return permissions_to_assign
+
+    @classmethod
+    def add_permission_from_uri_or_macro(
+        cls, group_identifier: str, permission: str, target: str
+    ) -> list[PermissionAssignmentModel]:
+        """Add_permission_from_uri_or_macro."""
+        group = GroupService.find_or_create_group(group_identifier)
+        permissions_to_assign = cls.explode_permissions(permission, target)
+        permission_assignments = []
+        for permission_to_assign in permissions_to_assign:
+            permission_target = cls.find_or_create_permission_target(
+                permission_to_assign.target_uri
+            )
+            permission_assignments.append(
+                cls.create_permission_for_principal(
+                    group.principal, permission_target, permission_to_assign.permission
+                )
+            )
+        return permission_assignments
+
+    @classmethod
+    def refresh_permissions(cls, group_info: list[dict[str, Any]]) -> None:
+        """Adds new permission assignments and deletes old ones."""
+        initial_permission_assignments = PermissionAssignmentModel.query.all()
+        result = cls.import_permissions_from_yaml_file()
+        desired_permission_assignments = result["permission_assignments"]
+        desired_group_identifiers = result["group_identifiers"]
+
+        for group in group_info:
+            group_identifier = group["name"]
+            for username in group["users"]:
+                GroupService.add_user_to_group_or_add_to_waiting(
+                    username, group_identifier
+                )
+                desired_group_identifiers.add(group_identifier)
+            for permission in group["permissions"]:
+                for crud_op in permission["actions"]:
+                    desired_permission_assignments.extend(
+                        cls.add_permission_from_uri_or_macro(
+                            group_identifier=group_identifier,
+                            target=permission["uri"],
+                            permission=crud_op,
+                        )
+                    )
+                    desired_group_identifiers.add(group_identifier)
+
+        for ipa in initial_permission_assignments:
+            if ipa not in desired_permission_assignments:
+                db.session.delete(ipa)
+
+        groups_to_delete = GroupModel.query.filter(
+            GroupModel.identifier.not_in(desired_group_identifiers)
+        ).all()
+        for gtd in groups_to_delete:
+            db.session.delete(gtd)
+        db.session.commit()
+

 class KeycloakAuthorization:
    """Interface with Keycloak server."""
--- a/src/spiffworkflow_backend/services/file_system_service.py
+++ b/src/spiffworkflow_backend/services/file_system_service.py
@ -40,10 +40,9 @@ class FileSystemService:
    @staticmethod
    def root_path() -> str:
        """Root_path."""
-        # fixme: allow absolute files
        dir_name = current_app.config["BPMN_SPEC_ABSOLUTE_DIR"]
-        app_root = current_app.root_path
-        return os.path.abspath(os.path.join(app_root, "..", dir_name))
+        # ensure this is a string - thanks mypy...
+        return os.path.abspath(os.path.join(dir_name, ""))

    @staticmethod
    def id_string_to_relative_path(id_string: str) -> str:
--- a/src/spiffworkflow_backend/services/git_service.py
+++ b/src/spiffworkflow_backend/services/git_service.py
@ -100,6 +100,7 @@ class GitService:
            branch_name_to_use,
            git_username,
            git_email,
+            current_app.config["GIT_USER_PASSWORD"],
        ]
        return cls.run_shell_command_to_get_stdout(shell_command)

@ -172,13 +173,15 @@ class GitService:

        if "repository" not in webhook or "clone_url" not in webhook["repository"]:
            raise InvalidGitWebhookBodyError(
-                f"Cannot find required keys of 'repository:clone_url' from webhook body: {webhook}"
+                "Cannot find required keys of 'repository:clone_url' from webhook"
+                f" body: {webhook}"
            )

        clone_url = webhook["repository"]["clone_url"]
        if clone_url != current_app.config["GIT_CLONE_URL_FOR_PUBLISHING"]:
            raise GitCloneUrlMismatchError(
-                f"Configured clone url does not match clone url from webhook: {clone_url}"
+                "Configured clone url does not match clone url from webhook:"
+                f" {clone_url}"
            )

        if "ref" not in webhook:
@ -188,8 +191,8 @@ class GitService:

        if current_app.config["GIT_BRANCH"] is None:
            raise MissingGitConfigsError(
-                "Missing config for GIT_BRANCH. "
-                "This is required for updating the repository as a result of the webhook"
+                "Missing config for GIT_BRANCH. This is required for updating the"
+                " repository as a result of the webhook"
            )

        ref = webhook["ref"]
--- a/src/spiffworkflow_backend/services/group_service.py
+++ b/src/spiffworkflow_backend/services/group_service.py
@ -4,6 +4,7 @@ from typing import Optional
 from flask_bpmn.models.db import db

 from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.services.user_service import UserService


@ -22,3 +23,15 @@ class GroupService:
            db.session.commit()
            UserService.create_principal(group.id, id_column_name="group_id")
        return group
+
+    @classmethod
+    def add_user_to_group_or_add_to_waiting(
+        cls, username: str, group_identifier: str
+    ) -> None:
+        """Add_user_to_group_or_add_to_waiting."""
+        group = cls.find_or_create_group(group_identifier)
+        user = UserModel.query.filter_by(username=username).first()
+        if user:
+            UserService.add_user_to_group(user, group)
+        else:
+            UserService.add_waiting_group_assignment(username, group)
--- a/src/spiffworkflow_backend/services/logging_service.py
+++ b/src/spiffworkflow_backend/services/logging_service.py
@ -122,7 +122,8 @@ def setup_logger(app: Flask) -> None:

    if upper_log_level_string not in log_levels:
        raise InvalidLogLevelError(
-            f"Log level given is invalid: '{upper_log_level_string}'. Valid options are {log_levels}"
+            f"Log level given is invalid: '{upper_log_level_string}'. Valid options are"
+            f" {log_levels}"
        )

    log_level = getattr(logging, upper_log_level_string)
@ -176,7 +177,8 @@ def setup_logger(app: Flask) -> None:
    spiff_logger = logging.getLogger("spiff")
    spiff_logger.setLevel(spiff_log_level)
    spiff_formatter = logging.Formatter(
-        "%(asctime)s | %(levelname)s | %(message)s | %(action)s | %(task_type)s | %(process)s | %(processName)s | %(process_instance_id)s"
+        "%(asctime)s | %(levelname)s | %(message)s | %(action)s | %(task_type)s |"
+        " %(process)s | %(processName)s | %(process_instance_id)s"
    )

    # if you add a handler to spiff, it will be used/inherited by spiff.metrics
--- a/src/spiffworkflow_backend/services/message_service.py
+++ b/src/spiffworkflow_backend/services/message_service.py
@ -145,8 +145,11 @@ class MessageService:
        if process_instance_receive is None:
            raise MessageServiceError(
                (
-                    f"Process instance cannot be found for queued message: {message_instance_receive.id}."
-                    f"Tried with id {message_instance_receive.process_instance_id}",
+                    (
+                        "Process instance cannot be found for queued message:"
+                        f" {message_instance_receive.id}.Tried with id"
+                        f" {message_instance_receive.process_instance_id}"
+                    ),
                )
            )

@ -182,7 +185,6 @@ class MessageService:
            )

        for message_instance_receive in message_instances_receive:
-
            # sqlalchemy supports select / where statements like active record apparantly
            # https://docs.sqlalchemy.org/en/14/core/tutorial.html#conjunctions
            message_correlation_select = (
--- a/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/src/spiffworkflow_backend/services/process_instance_processor.py
@ -17,6 +17,7 @@ from typing import Optional
 from typing import Tuple
 from typing import TypedDict
 from typing import Union
+from uuid import UUID

 import dateparser
 import pytz
@ -43,6 +44,9 @@ from SpiffWorkflow.spiff.serializer.task_spec_converters import (
    CallActivityTaskConverter,
 )
 from SpiffWorkflow.spiff.serializer.task_spec_converters import EndEventConverter
+from SpiffWorkflow.spiff.serializer.task_spec_converters import (
+    EventBasedGatewayConverter,
+)
 from SpiffWorkflow.spiff.serializer.task_spec_converters import (
    IntermediateCatchEventConverter,
 )
@ -65,11 +69,11 @@ from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 from SpiffWorkflow.task import TaskState
 from SpiffWorkflow.util.deep_merge import DeepMerge  # type: ignore

-from spiffworkflow_backend.models.active_task import ActiveTaskModel
-from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
 from spiffworkflow_backend.models.file import File
 from spiffworkflow_backend.models.file import FileType
 from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
+from spiffworkflow_backend.models.human_task_user import HumanTaskUserModel
 from spiffworkflow_backend.models.message_correlation import MessageCorrelationModel
 from spiffworkflow_backend.models.message_correlation_message_instance import (
    MessageCorrelationMessageInstanceModel,
@ -151,6 +155,9 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
            "time": time,
            "decimal": decimal,
            "_strptime": _strptime,
+            "enumerate": enumerate,
+            "list": list,
+            "map": map,
        }

        # This will overwrite the standard builtins
@ -209,14 +216,14 @@ class CustomBpmnScriptEngine(PythonScriptEngine):  # type: ignore
        except Exception as exception:
            if task is None:
                raise ProcessInstanceProcessorError(
-                    "Error evaluating expression: "
-                    "'%s', exception: %s" % (expression, str(exception)),
+                    "Error evaluating expression: '%s', exception: %s"
+                    % (expression, str(exception)),
                ) from exception
            else:
                raise WorkflowTaskExecException(
                    task,
-                    "Error evaluating expression "
-                    "'%s', %s" % (expression, str(exception)),
+                    "Error evaluating expression '%s', %s"
+                    % (expression, str(exception)),
                ) from exception

    def execute(
@ -263,6 +270,7 @@ class ProcessInstanceProcessor:
            EndEventConverter,
            IntermediateCatchEventConverter,
            IntermediateThrowEventConverter,
+            EventBasedGatewayConverter,
            ManualTaskConverter,
            NoneTaskConverter,
            ReceiveTaskConverter,
@ -276,6 +284,7 @@ class ProcessInstanceProcessor:
        ]
    )
    _serializer = BpmnWorkflowSerializer(wf_spec_converter, version=SERIALIZER_VERSION)
+    _event_serializer = EventBasedGatewayConverter()

    PROCESS_INSTANCE_ID_KEY = "process_instance_id"
    VALIDATION_PROCESS_KEY = "validate_only"
@ -292,9 +301,7 @@ class ProcessInstanceProcessor:
        tld.spiff_step = process_instance_model.spiff_step

        # we want this to be the fully qualified path to the process model including all group subcomponents
-        current_app.config[
-            "THREAD_LOCAL_DATA"
-        ].process_model_identifier = (
+        current_app.config["THREAD_LOCAL_DATA"].process_model_identifier = (
            f"{process_instance_model.process_model_identifier}"
        )

@ -375,8 +382,10 @@ class ProcessInstanceProcessor:
        except MissingSpecError as ke:
            raise ApiError(
                error_code="unexpected_process_instance_structure",
-                message="Failed to deserialize process_instance"
-                " '%s'  due to a mis-placed or missing task '%s'"
+                message=(
+                    "Failed to deserialize process_instance"
+                    " '%s'  due to a mis-placed or missing task '%s'"
+                )
                % (self.process_model_identifier, str(ke)),
            ) from ke

@ -392,7 +401,10 @@ class ProcessInstanceProcessor:
            raise (
                ApiError(
                    "process_model_not_found",
-                    f"The given process model was not found: {process_model_identifier}.",
+                    (
+                        "The given process model was not found:"
+                        f" {process_model_identifier}."
+                    ),
                )
            )
        spec_files = SpecFileService.get_files(process_model_info)
@ -522,8 +534,11 @@ class ProcessInstanceProcessor:
                    potential_owner_ids.append(lane_owner_user.id)
            self.raise_if_no_potential_owners(
                potential_owner_ids,
-                f"No users found in task data lane owner list for lane: {task_lane}. "
-                f"The user list used: {task.data['lane_owners'][task_lane]}",
+                (
+                    "No users found in task data lane owner list for lane:"
+                    f" {task_lane}. The user list used:"
+                    f" {task.data['lane_owners'][task_lane]}"
+                ),
            )
        else:
            group_model = GroupModel.query.filter_by(identifier=task_lane).first()
@ -558,7 +573,7 @@ class ProcessInstanceProcessor:
            "spiff_step": self.process_instance_model.spiff_step or 1,
            "task_json": task_json,
            "timestamp": round(time.time()),
-            "completed_by_user_id": self.current_user().id,
+            # "completed_by_user_id": self.current_user().id,
        }

    def spiff_step_details(self) -> SpiffStepDetailsModel:
@ -569,17 +584,10 @@ class ProcessInstanceProcessor:
            spiff_step=details_mapping["spiff_step"],
            task_json=details_mapping["task_json"],
            timestamp=details_mapping["timestamp"],
-            completed_by_user_id=details_mapping["completed_by_user_id"],
+            # completed_by_user_id=details_mapping["completed_by_user_id"],
        )
        return details_model

-    def save_spiff_step_details(self, active_task: ActiveTaskModel) -> None:
-        """SaveSpiffStepDetails."""
-        details_model = self.spiff_step_details()
-        details_model.lane_assignment_id = active_task.lane_assignment_id
-        db.session.add(details_model)
-        db.session.commit()
-
    def extract_metadata(self, process_model_info: ProcessModelInfo) -> None:
        """Extract_metadata."""
        metadata_extraction_paths = process_model_info.metadata_extraction_paths
@ -615,6 +623,29 @@ class ProcessInstanceProcessor:
                db.session.add(pim)
                db.session.commit()

+    def get_subprocesses_by_child_task_ids(self) -> dict:
+        """Get all subprocess ids based on the child task ids.
+
+        This is useful when trying to link the child task of a call activity back to
+        the call activity that called it to get the appropriate data. For example, if you
+        have a call activity "Log" that you call twice within the same process, the Hammer log file
+        activity within the Log process will get called twice. They will potentially have different
+        task data. We want to be able to differentiate those two activities.
+
+        subprocess structure in the json:
+            "subprocesses": { [subprocess_task_id]: "tasks" : { [task_id]: [bpmn_task_details] }}
+
+        Also note that subprocess_task_id might in fact be a call activity, because spiff treats
+        call activities like subprocesses in terms of the serialization.
+        """
+        bpmn_json = json.loads(self.serialize())
+        subprocesses_by_child_task_ids = {}
+        if "subprocesses" in bpmn_json:
+            for subprocess_id, subprocess_details in bpmn_json["subprocesses"].items():
+                for task_id in subprocess_details["tasks"]:
+                    subprocesses_by_child_task_ids[task_id] = subprocess_id
+        return subprocesses_by_child_task_ids
+
    def save(self) -> None:
        """Saves the current state of this processor to the database."""
        self.process_instance_model.bpmn_json = self.serialize()
@ -637,7 +668,7 @@ class ProcessInstanceProcessor:
        db.session.add(self.process_instance_model)
        db.session.commit()

-        active_tasks = ActiveTaskModel.query.filter_by(
+        human_tasks = HumanTaskModel.query.filter_by(
            process_instance_id=self.process_instance_model.id
        ).all()
        ready_or_waiting_tasks = self.get_all_ready_or_waiting_tasks()
@ -668,14 +699,14 @@ class ProcessInstanceProcessor:
                    if "formUiSchemaFilename" in properties:
                        ui_form_file_name = properties["formUiSchemaFilename"]

-                active_task = None
-                for at in active_tasks:
+                human_task = None
+                for at in human_tasks:
                    if at.task_id == str(ready_or_waiting_task.id):
-                        active_task = at
-                        active_tasks.remove(at)
+                        human_task = at
+                        human_tasks.remove(at)

-                if active_task is None:
-                    active_task = ActiveTaskModel(
+                if human_task is None:
+                    human_task = HumanTaskModel(
                        process_instance_id=self.process_instance_model.id,
                        process_model_display_name=process_model_display_name,
                        form_file_name=form_file_name,
@ -687,23 +718,118 @@ class ProcessInstanceProcessor:
                        task_status=ready_or_waiting_task.get_state_name(),
                        lane_assignment_id=potential_owner_hash["lane_assignment_id"],
                    )
-                    db.session.add(active_task)
+                    db.session.add(human_task)
                    db.session.commit()

                    for potential_owner_id in potential_owner_hash[
                        "potential_owner_ids"
                    ]:
-                        active_task_user = ActiveTaskUserModel(
-                            user_id=potential_owner_id, active_task_id=active_task.id
+                        human_task_user = HumanTaskUserModel(
+                            user_id=potential_owner_id, human_task_id=human_task.id
                        )
-                        db.session.add(active_task_user)
+                        db.session.add(human_task_user)
                    db.session.commit()

-        if len(active_tasks) > 0:
-            for at in active_tasks:
-                db.session.delete(at)
+        if len(human_tasks) > 0:
+            for at in human_tasks:
+                at.completed = True
+                db.session.add(at)
            db.session.commit()

+    def serialize_task_spec(self, task_spec: SpiffTask) -> Any:
+        """Get a serialized version of a task spec."""
+        # The task spec is NOT actually a SpiffTask, it is the task spec attached to a SpiffTask
+        # Not sure why mypy accepts this but whatever.
+        return self._serializer.spec_converter.convert(task_spec)
+
+    def send_bpmn_event(self, event_data: dict[str, Any]) -> None:
+        """Send an event to the workflow."""
+        payload = event_data.pop("payload", None)
+        event_definition = self._event_serializer.restore(event_data)
+        if payload is not None:
+            event_definition.payload = payload
+        current_app.logger.info(
+            f"Event of type {event_definition.event_type} sent to process instance"
+            f" {self.process_instance_model.id}"
+        )
+        self.bpmn_process_instance.catch(event_definition)
+        self.do_engine_steps(save=True)
+
+    def add_step(self, step: Union[dict, None] = None) -> None:
+        """Add a spiff step."""
+        if step is None:
+            step = self.spiff_step_details_mapping()
+        db.session.add(SpiffStepDetailsModel(**step))
+        db.session.commit()
+
+    def manual_complete_task(self, task_id: str, execute: bool) -> None:
+        """Mark the task complete optionally executing it."""
+        spiff_task = self.bpmn_process_instance.get_task(UUID(task_id))
+        if execute:
+            current_app.logger.info(
+                f"Manually executing Task {spiff_task.task_spec.name} of process"
+                f" instance {self.process_instance_model.id}"
+            )
+            spiff_task.complete()
+        else:
+            spiff_logger = logging.getLogger("spiff")
+            spiff_logger.info(
+                f"Skipped task {spiff_task.task_spec.name}", extra=spiff_task.log_info()
+            )
+            spiff_task._set_state(TaskState.COMPLETED)
+            for child in spiff_task.children:
+                child.task_spec._update(child)
+        self.bpmn_process_instance.last_task = spiff_task
+        self.increment_spiff_step()
+        self.add_step()
+        self.save()
+        # Saving the workflow seems to reset the status
+        self.suspend()
+
+    def reset_process(self, spiff_step: int) -> None:
+        """Reset a process to an earlier state."""
+        spiff_logger = logging.getLogger("spiff")
+        spiff_logger.info(
+            f"Process reset from step {spiff_step}",
+            extra=self.bpmn_process_instance.log_info(),
+        )
+
+        step_detail = (
+            db.session.query(SpiffStepDetailsModel)
+            .filter(
+                SpiffStepDetailsModel.process_instance_id
+                == self.process_instance_model.id,
+                SpiffStepDetailsModel.spiff_step == spiff_step,
+            )
+            .first()
+        )
+        if step_detail is not None:
+            self.increment_spiff_step()
+            self.add_step(
+                {
+                    "process_instance_id": self.process_instance_model.id,
+                    "spiff_step": self.process_instance_model.spiff_step or 1,
+                    "task_json": step_detail.task_json,
+                    "timestamp": round(time.time()),
+                }
+            )
+
+            dct = self._serializer.workflow_to_dict(self.bpmn_process_instance)
+            dct["tasks"] = step_detail.task_json["tasks"]
+            dct["subprocesses"] = step_detail.task_json["subprocesses"]
+            self.bpmn_process_instance = self._serializer.workflow_from_dict(dct)
+
+            # Cascade does not seems to work on filters, only directly through the session
+            tasks = self.bpmn_process_instance.get_tasks(TaskState.NOT_FINISHED_MASK)
+            rows = HumanTaskModel.query.filter(
+                HumanTaskModel.task_id.in_(str(t.id) for t in tasks)  # type: ignore
+            ).all()
+            for row in rows:
+                db.session.delete(row)
+
+            self.save()
+            self.suspend()
+
    @staticmethod
    def get_parser() -> MyCustomParser:
        """Get_parser."""
@ -738,14 +864,13 @@ class ProcessInstanceProcessor:
        """Bpmn_file_full_path_from_bpmn_process_identifier."""
        if bpmn_process_identifier is None:
            raise ValueError(
-                "bpmn_file_full_path_from_bpmn_process_identifier: bpmn_process_identifier is unexpectedly None"
+                "bpmn_file_full_path_from_bpmn_process_identifier:"
+                " bpmn_process_identifier is unexpectedly None"
            )

-        spec_reference = (
-            SpecReferenceCache.query.filter_by(identifier=bpmn_process_identifier)
-            .filter_by(type="process")
-            .first()
-        )
+        spec_reference = SpecReferenceCache.query.filter_by(
+            identifier=bpmn_process_identifier, type="process"
+        ).first()
        bpmn_file_full_path = None
        if spec_reference is None:
            bpmn_file_full_path = (
@ -762,7 +887,10 @@ class ProcessInstanceProcessor:
            raise (
                ApiError(
                    error_code="could_not_find_bpmn_process_identifier",
-                    message="Could not find the the given bpmn process identifier from any sources: %s"
+                    message=(
+                        "Could not find the the given bpmn process identifier from any"
+                        " sources: %s"
+                    )
                    % bpmn_process_identifier,
                )
            )
@ -786,7 +914,6 @@ class ProcessInstanceProcessor:

        new_bpmn_files = set()
        for bpmn_process_identifier in processor_dependencies_new:
-
            # ignore identifiers that spiff already knows about
            if bpmn_process_identifier in bpmn_process_identifiers_in_parser:
                continue
@ -829,7 +956,10 @@ class ProcessInstanceProcessor:
            raise (
                ApiError(
                    error_code="no_primary_bpmn_error",
-                    message="There is no primary BPMN process id defined for process_model %s"
+                    message=(
+                        "There is no primary BPMN process id defined for"
+                        " process_model %s"
+                    )
                    % process_model_info.id,
                )
            )
@ -890,7 +1020,10 @@ class ProcessInstanceProcessor:
            if not bpmn_message.correlations:
                raise ApiError(
                    "message_correlations_missing",
-                    f"Could not find any message correlations bpmn_message: {bpmn_message.name}",
+                    (
+                        "Could not find any message correlations bpmn_message:"
+                        f" {bpmn_message.name}"
+                    ),
                )

            message_correlations = []
@ -910,12 +1043,16 @@ class ProcessInstanceProcessor:
                    if message_correlation_property is None:
                        raise ApiError(
                            "message_correlations_missing_from_process",
-                            "Could not find a known message correlation with identifier:"
-                            f"{message_correlation_property_identifier}",
+                            (
+                                "Could not find a known message correlation with"
+                                f" identifier:{message_correlation_property_identifier}"
+                            ),
                        )
                    message_correlations.append(
                        {
-                            "message_correlation_property": message_correlation_property,
+                            "message_correlation_property": (
+                                message_correlation_property
+                            ),
                            "name": message_correlation_key,
                            "value": message_correlation_property_value,
                        }
@ -972,7 +1109,10 @@ class ProcessInstanceProcessor:
            if message_model is None:
                raise ApiError(
                    "invalid_message_name",
-                    f"Invalid message name: {waiting_task.task_spec.event_definition.name}.",
+                    (
+                        "Invalid message name:"
+                        f" {waiting_task.task_spec.event_definition.name}."
+                    ),
                )

            # Ensure we are only creating one message instance for each waiting message
@ -1179,11 +1319,20 @@ class ProcessInstanceProcessor:
        )
        return user_tasks  # type: ignore

-    def complete_task(self, task: SpiffTask, active_task: ActiveTaskModel) -> None:
+    def complete_task(
+        self, task: SpiffTask, human_task: HumanTaskModel, user: UserModel
+    ) -> None:
        """Complete_task."""
        self.increment_spiff_step()
        self.bpmn_process_instance.complete_task_from_id(task.id)
-        self.save_spiff_step_details(active_task)
+        human_task.completed_by_user_id = user.id
+        human_task.completed = True
+        db.session.add(human_task)
+        details_model = self.spiff_step_details()
+        db.session.add(details_model)
+
+        # this is the thing that actually commits the db transaction (on behalf of the other updates above as well)
+        self.save()

    def get_data(self) -> dict[str, Any]:
        """Get_data."""
--- a/src/spiffworkflow_backend/services/process_instance_report_service.py
+++ b/src/spiffworkflow_backend/services/process_instance_report_service.py
@ -1,14 +1,31 @@
 """Process_instance_report_service."""
+import re
 from dataclasses import dataclass
+from typing import Any
 from typing import Optional

 import sqlalchemy
+from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
+from sqlalchemy import and_
+from sqlalchemy import func
+from sqlalchemy import or_
+from sqlalchemy.orm import aliased
+from sqlalchemy.orm import selectinload

+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
+from spiffworkflow_backend.models.human_task_user import HumanTaskUserModel
+from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
+from spiffworkflow_backend.models.process_instance_metadata import (
+    ProcessInstanceMetadataModel,
+)
 from spiffworkflow_backend.models.process_instance_report import (
    ProcessInstanceReportModel,
 )
 from spiffworkflow_backend.models.user import UserModel
+from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
+from spiffworkflow_backend.services.process_model_service import ProcessModelService


@dataclass
@ -16,14 +33,17 @@ class ProcessInstanceReportFilter:
    """ProcessInstanceReportFilter."""

    process_model_identifier: Optional[str] = None
+    user_group_identifier: Optional[str] = None
    start_from: Optional[int] = None
    start_to: Optional[int] = None
    end_from: Optional[int] = None
    end_to: Optional[int] = None
    process_status: Optional[list[str]] = None
    initiated_by_me: Optional[bool] = None
+    has_terminal_status: Optional[bool] = None
    with_tasks_completed_by_me: Optional[bool] = None
-    with_tasks_completed_by_my_group: Optional[bool] = None
+    with_tasks_assigned_to_my_group: Optional[bool] = None
+    with_relation_to_me: Optional[bool] = None

    def to_dict(self) -> dict[str, str]:
        """To_dict."""
@ -31,6 +51,8 @@ class ProcessInstanceReportFilter:

        if self.process_model_identifier is not None:
            d["process_model_identifier"] = self.process_model_identifier
+        if self.user_group_identifier is not None:
+            d["user_group_identifier"] = self.user_group_identifier
        if self.start_from is not None:
            d["start_from"] = str(self.start_from)
        if self.start_to is not None:
@ -43,14 +65,18 @@ class ProcessInstanceReportFilter:
            d["process_status"] = ",".join(self.process_status)
        if self.initiated_by_me is not None:
            d["initiated_by_me"] = str(self.initiated_by_me).lower()
+        if self.has_terminal_status is not None:
+            d["has_terminal_status"] = str(self.has_terminal_status).lower()
        if self.with_tasks_completed_by_me is not None:
            d["with_tasks_completed_by_me"] = str(
                self.with_tasks_completed_by_me
            ).lower()
-        if self.with_tasks_completed_by_my_group is not None:
-            d["with_tasks_completed_by_my_group"] = str(
-                self.with_tasks_completed_by_my_group
+        if self.with_tasks_assigned_to_my_group is not None:
+            d["with_tasks_assigned_to_my_group"] = str(
+                self.with_tasks_assigned_to_my_group
            ).lower()
+        if self.with_relation_to_me is not None:
+            d["with_relation_to_me"] = str(self.with_relation_to_me).lower()

        return d

@ -58,6 +84,55 @@ class ProcessInstanceReportFilter:
 class ProcessInstanceReportService:
    """ProcessInstanceReportService."""

+    @classmethod
+    def system_metadata_map(cls, metadata_key: str) -> dict[str, Any]:
+        """System_metadata_map."""
+        # TODO replace with system reports that are loaded on launch (or similar)
+        temp_system_metadata_map = {
+            "default": {
+                "columns": cls.builtin_column_options(),
+                "filter_by": [],
+                "order_by": ["-start_in_seconds", "-id"],
+            },
+            "system_report_completed_instances_initiated_by_me": {
+                "columns": [
+                    {"Header": "id", "accessor": "id"},
+                    {
+                        "Header": "process_model_display_name",
+                        "accessor": "process_model_display_name",
+                    },
+                    {"Header": "start_in_seconds", "accessor": "start_in_seconds"},
+                    {"Header": "end_in_seconds", "accessor": "end_in_seconds"},
+                    {"Header": "status", "accessor": "status"},
+                ],
+                "filter_by": [
+                    {"field_name": "initiated_by_me", "field_value": True},
+                    {"field_name": "has_terminal_status", "field_value": True},
+                ],
+                "order_by": ["-start_in_seconds", "-id"],
+            },
+            "system_report_completed_instances_with_tasks_completed_by_me": {
+                "columns": cls.builtin_column_options(),
+                "filter_by": [
+                    {"field_name": "with_tasks_completed_by_me", "field_value": True},
+                    {"field_name": "has_terminal_status", "field_value": True},
+                ],
+                "order_by": ["-start_in_seconds", "-id"],
+            },
+            "system_report_completed_instances_with_tasks_completed_by_my_groups": {
+                "columns": cls.builtin_column_options(),
+                "filter_by": [
+                    {
+                        "field_name": "with_tasks_assigned_to_my_group",
+                        "field_value": True,
+                    },
+                    {"field_name": "has_terminal_status", "field_value": True},
+                ],
+                "order_by": ["-start_in_seconds", "-id"],
+            },
+        }
+        return temp_system_metadata_map[metadata_key]
+
    @classmethod
    def report_with_identifier(
        cls,
@ -82,50 +157,10 @@ class ProcessInstanceReportService:
        if process_instance_report is not None:
            return process_instance_report  # type: ignore

-        # TODO replace with system reports that are loaded on launch (or similar)
-        temp_system_metadata_map = {
-            "default": {
-                "columns": cls.builtin_column_options(),
-                "filter_by": [],
-                "order_by": ["-start_in_seconds", "-id"],
-            },
-            "system_report_instances_initiated_by_me": {
-                "columns": [
-                    {"Header": "id", "accessor": "id"},
-                    {
-                        "Header": "process_model_display_name",
-                        "accessor": "process_model_display_name",
-                    },
-                    {"Header": "start_in_seconds", "accessor": "start_in_seconds"},
-                    {"Header": "end_in_seconds", "accessor": "end_in_seconds"},
-                    {"Header": "status", "accessor": "status"},
-                ],
-                "filter_by": [{"field_name": "initiated_by_me", "field_value": True}],
-                "order_by": ["-start_in_seconds", "-id"],
-            },
-            "system_report_instances_with_tasks_completed_by_me": {
-                "columns": cls.builtin_column_options(),
-                "filter_by": [
-                    {"field_name": "with_tasks_completed_by_me", "field_value": True}
-                ],
-                "order_by": ["-start_in_seconds", "-id"],
-            },
-            "system_report_instances_with_tasks_completed_by_my_groups": {
-                "columns": cls.builtin_column_options(),
-                "filter_by": [
-                    {
-                        "field_name": "with_tasks_completed_by_my_group",
-                        "field_value": True,
-                    }
-                ],
-                "order_by": ["-start_in_seconds", "-id"],
-            },
-        }
-
        process_instance_report = ProcessInstanceReportModel(
            identifier=report_identifier,
            created_by_id=user.id,
-            report_metadata=temp_system_metadata_map[report_identifier],
+            report_metadata=cls.system_metadata_map(report_identifier),
        )

        return process_instance_report  # type: ignore
@ -164,27 +199,31 @@ class ProcessInstanceReportService:
            return filters[key].split(",") if key in filters else None

        process_model_identifier = filters.get("process_model_identifier")
+        user_group_identifier = filters.get("user_group_identifier")
        start_from = int_value("start_from")
        start_to = int_value("start_to")
        end_from = int_value("end_from")
        end_to = int_value("end_to")
        process_status = list_value("process_status")
        initiated_by_me = bool_value("initiated_by_me")
+        has_terminal_status = bool_value("has_terminal_status")
        with_tasks_completed_by_me = bool_value("with_tasks_completed_by_me")
-        with_tasks_completed_by_my_group = bool_value(
-            "with_tasks_completed_by_my_group"
-        )
+        with_tasks_assigned_to_my_group = bool_value("with_tasks_assigned_to_my_group")
+        with_relation_to_me = bool_value("with_relation_to_me")

        report_filter = ProcessInstanceReportFilter(
            process_model_identifier,
+            user_group_identifier,
            start_from,
            start_to,
            end_from,
            end_to,
            process_status,
            initiated_by_me,
+            has_terminal_status,
            with_tasks_completed_by_me,
-            with_tasks_completed_by_my_group,
+            with_tasks_assigned_to_my_group,
+            with_relation_to_me,
        )

        return report_filter
@ -194,20 +233,25 @@ class ProcessInstanceReportService:
        cls,
        process_instance_report: ProcessInstanceReportModel,
        process_model_identifier: Optional[str] = None,
+        user_group_identifier: Optional[str] = None,
        start_from: Optional[int] = None,
        start_to: Optional[int] = None,
        end_from: Optional[int] = None,
        end_to: Optional[int] = None,
        process_status: Optional[str] = None,
        initiated_by_me: Optional[bool] = None,
+        has_terminal_status: Optional[bool] = None,
        with_tasks_completed_by_me: Optional[bool] = None,
-        with_tasks_completed_by_my_group: Optional[bool] = None,
+        with_tasks_assigned_to_my_group: Optional[bool] = None,
+        with_relation_to_me: Optional[bool] = None,
    ) -> ProcessInstanceReportFilter:
        """Filter_from_metadata_with_overrides."""
        report_filter = cls.filter_from_metadata(process_instance_report)

        if process_model_identifier is not None:
            report_filter.process_model_identifier = process_model_identifier
+        if user_group_identifier is not None:
+            report_filter.user_group_identifier = user_group_identifier
        if start_from is not None:
            report_filter.start_from = start_from
        if start_to is not None:
@ -220,12 +264,16 @@ class ProcessInstanceReportService:
            report_filter.process_status = process_status.split(",")
        if initiated_by_me is not None:
            report_filter.initiated_by_me = initiated_by_me
+        if has_terminal_status is not None:
+            report_filter.has_terminal_status = has_terminal_status
        if with_tasks_completed_by_me is not None:
            report_filter.with_tasks_completed_by_me = with_tasks_completed_by_me
-        if with_tasks_completed_by_my_group is not None:
-            report_filter.with_tasks_completed_by_my_group = (
-                with_tasks_completed_by_my_group
+        if with_tasks_assigned_to_my_group is not None:
+            report_filter.with_tasks_assigned_to_my_group = (
+                with_tasks_assigned_to_my_group
            )
+        if with_relation_to_me is not None:
+            report_filter.with_relation_to_me = with_relation_to_me

        return report_filter

@ -241,9 +289,9 @@ class ProcessInstanceReportService:
            process_instance_dict = process_instance["ProcessInstanceModel"].serialized
            for metadata_column in metadata_columns:
                if metadata_column["accessor"] not in process_instance_dict:
-                    process_instance_dict[
-                        metadata_column["accessor"]
-                    ] = process_instance[metadata_column["accessor"]]
+                    process_instance_dict[metadata_column["accessor"]] = (
+                        process_instance[metadata_column["accessor"]]
+                    )

            results.append(process_instance_dict)
        return results
@ -268,3 +316,207 @@ class ProcessInstanceReportService:
            {"Header": "Username", "accessor": "username", "filterable": False},
            {"Header": "Status", "accessor": "status", "filterable": False},
        ]
+
+    @classmethod
+    def run_process_instance_report(
+        cls,
+        report_filter: ProcessInstanceReportFilter,
+        process_instance_report: ProcessInstanceReportModel,
+        user: UserModel,
+        page: int = 1,
+        per_page: int = 100,
+    ) -> dict:
+        """Run_process_instance_report."""
+        process_instance_query = ProcessInstanceModel.query
+        # Always join that hot user table for good performance at serialization time.
+        process_instance_query = process_instance_query.options(
+            selectinload(ProcessInstanceModel.process_initiator)
+        )
+
+        if report_filter.process_model_identifier is not None:
+            process_model = ProcessModelService.get_process_model(
+                f"{report_filter.process_model_identifier}",
+            )
+
+            process_instance_query = process_instance_query.filter_by(
+                process_model_identifier=process_model.id
+            )
+
+        # this can never happen. obviously the class has the columns it defines. this is just to appease mypy.
+        if (
+            ProcessInstanceModel.start_in_seconds is None
+            or ProcessInstanceModel.end_in_seconds is None
+        ):
+            raise (
+                ApiError(
+                    error_code="unexpected_condition",
+                    message="Something went very wrong",
+                    status_code=500,
+                )
+            )
+
+        if report_filter.start_from is not None:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.start_in_seconds >= report_filter.start_from
+            )
+        if report_filter.start_to is not None:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.start_in_seconds <= report_filter.start_to
+            )
+        if report_filter.end_from is not None:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.end_in_seconds >= report_filter.end_from
+            )
+        if report_filter.end_to is not None:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.end_in_seconds <= report_filter.end_to
+            )
+        if report_filter.process_status is not None:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.status.in_(report_filter.process_status)  # type: ignore
+            )
+
+        if report_filter.initiated_by_me is True:
+            process_instance_query = process_instance_query.filter_by(
+                process_initiator=user
+            )
+
+        if report_filter.has_terminal_status is True:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.status.in_(ProcessInstanceModel.terminal_statuses())  # type: ignore
+            )
+
+        if (
+            not report_filter.with_tasks_completed_by_me
+            and not report_filter.with_tasks_assigned_to_my_group
+            and report_filter.with_relation_to_me is True
+        ):
+            process_instance_query = process_instance_query.outerjoin(
+                HumanTaskModel
+            ).outerjoin(
+                HumanTaskUserModel,
+                and_(
+                    HumanTaskModel.id == HumanTaskUserModel.human_task_id,
+                    HumanTaskUserModel.user_id == user.id,
+                ),
+            )
+            process_instance_query = process_instance_query.filter(
+                or_(
+                    HumanTaskUserModel.id.is_not(None),
+                    ProcessInstanceModel.process_initiator_id == user.id,
+                )
+            )
+
+        if report_filter.with_tasks_completed_by_me is True:
+            process_instance_query = process_instance_query.filter(
+                ProcessInstanceModel.process_initiator_id != user.id
+            )
+            process_instance_query = process_instance_query.join(
+                HumanTaskModel,
+                and_(
+                    HumanTaskModel.process_instance_id == ProcessInstanceModel.id,
+                    HumanTaskModel.completed_by_user_id == user.id,
+                ),
+            )
+
+        if report_filter.with_tasks_assigned_to_my_group is True:
+            group_model_join_conditions = [
+                GroupModel.id == HumanTaskModel.lane_assignment_id
+            ]
+            if report_filter.user_group_identifier:
+                group_model_join_conditions.append(
+                    GroupModel.identifier == report_filter.user_group_identifier
+                )
+            process_instance_query = process_instance_query.join(HumanTaskModel)
+            process_instance_query = process_instance_query.join(
+                GroupModel, and_(*group_model_join_conditions)
+            )
+            process_instance_query = process_instance_query.join(
+                UserGroupAssignmentModel,
+                UserGroupAssignmentModel.group_id == GroupModel.id,
+            )
+            process_instance_query = process_instance_query.filter(
+                UserGroupAssignmentModel.user_id == user.id
+            )
+
+        instance_metadata_aliases = {}
+        stock_columns = ProcessInstanceReportService.get_column_names_for_model(
+            ProcessInstanceModel
+        )
+        for column in process_instance_report.report_metadata["columns"]:
+            if column["accessor"] in stock_columns:
+                continue
+            instance_metadata_alias = aliased(ProcessInstanceMetadataModel)
+            instance_metadata_aliases[column["accessor"]] = instance_metadata_alias
+
+            filter_for_column = None
+            if "filter_by" in process_instance_report.report_metadata:
+                filter_for_column = next(
+                    (
+                        f
+                        for f in process_instance_report.report_metadata["filter_by"]
+                        if f["field_name"] == column["accessor"]
+                    ),
+                    None,
+                )
+            isouter = True
+            conditions = [
+                ProcessInstanceModel.id == instance_metadata_alias.process_instance_id,
+                instance_metadata_alias.key == column["accessor"],
+            ]
+            if filter_for_column:
+                isouter = False
+                conditions.append(
+                    instance_metadata_alias.value == filter_for_column["field_value"]
+                )
+            process_instance_query = process_instance_query.join(
+                instance_metadata_alias, and_(*conditions), isouter=isouter
+            ).add_columns(
+                func.max(instance_metadata_alias.value).label(column["accessor"])
+            )
+
+        order_by_query_array = []
+        order_by_array = process_instance_report.report_metadata["order_by"]
+        if len(order_by_array) < 1:
+            order_by_array = ProcessInstanceReportModel.default_order_by()
+        for order_by_option in order_by_array:
+            attribute = re.sub("^-", "", order_by_option)
+            if attribute in stock_columns:
+                if order_by_option.startswith("-"):
+                    order_by_query_array.append(
+                        getattr(ProcessInstanceModel, attribute).desc()
+                    )
+                else:
+                    order_by_query_array.append(
+                        getattr(ProcessInstanceModel, attribute).asc()
+                    )
+            elif attribute in instance_metadata_aliases:
+                if order_by_option.startswith("-"):
+                    order_by_query_array.append(
+                        func.max(instance_metadata_aliases[attribute].value).desc()
+                    )
+                else:
+                    order_by_query_array.append(
+                        func.max(instance_metadata_aliases[attribute].value).asc()
+                    )
+        # return process_instance_query
+        process_instances = (
+            process_instance_query.group_by(ProcessInstanceModel.id)
+            .add_columns(ProcessInstanceModel.id)
+            .order_by(*order_by_query_array)
+            .paginate(page=page, per_page=per_page, error_out=False)
+        )
+        results = ProcessInstanceReportService.add_metadata_columns_to_process_instance(
+            process_instances.items, process_instance_report.report_metadata["columns"]
+        )
+        response_json = {
+            "report": process_instance_report,
+            "results": results,
+            "filters": report_filter.to_dict(),
+            "pagination": {
+                "count": len(results),
+                "total": process_instances.total,
+                "pages": process_instances.pages,
+            },
+        }
+        return response_json
--- a/src/spiffworkflow_backend/services/process_instance_service.py
+++ b/src/spiffworkflow_backend/services/process_instance_service.py
@ -2,13 +2,14 @@
 import time
 from typing import Any
 from typing import List
+from typing import Optional

 from flask import current_app
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore

-from spiffworkflow_backend.models.active_task import ActiveTaskModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceApi
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 from spiffworkflow_backend.models.process_instance import ProcessInstanceStatus
@ -17,6 +18,7 @@ from spiffworkflow_backend.models.task import MultiInstanceType
 from spiffworkflow_backend.models.task import Task
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
+from spiffworkflow_backend.services.git_service import GitCommandError
 from spiffworkflow_backend.services.git_service import GitService
 from spiffworkflow_backend.services.process_instance_processor import (
    ProcessInstanceProcessor,
@ -36,7 +38,10 @@ class ProcessInstanceService:
        user: UserModel,
    ) -> ProcessInstanceModel:
        """Get_process_instance_from_spec."""
-        current_git_revision = GitService.get_current_revision()
+        try:
+            current_git_revision = GitService.get_current_revision()
+        except GitCommandError:
+            current_git_revision = ""
        process_instance_model = ProcessInstanceModel(
            status=ProcessInstanceStatus.not_started.value,
            process_initiator=user,
@ -81,7 +86,8 @@ class ProcessInstanceService:
                db.session.add(process_instance)
                db.session.commit()
                error_message = (
-                    f"Error running waiting task for process_instance {process_instance.id}"
+                    "Error running waiting task for process_instance"
+                    f" {process_instance.id}"
                    + f"({process_instance.process_model_identifier}). {str(e)}"
                )
                current_app.logger.error(error_message)
@ -121,7 +127,7 @@ class ProcessInstanceService:
        if next_task_trying_again is not None:
            process_instance_api.next_task = (
                ProcessInstanceService.spiff_task_to_api_task(
-                    next_task_trying_again, add_docs_and_forms=True
+                    processor, next_task_trying_again, add_docs_and_forms=True
                )
            )

@ -174,7 +180,10 @@ class ProcessInstanceService:
                    else:
                        raise ApiError.from_task(
                            error_code="task_lane_user_error",
-                            message="Spiff Task %s lane user dict must have a key called 'value' with the user's uid in it."
+                            message=(
+                                "Spiff Task %s lane user dict must have a key called"
+                                " 'value' with the user's uid in it."
+                            )
                            % spiff_task.task_spec.name,
                            task=spiff_task,
                        )
@ -196,7 +205,7 @@ class ProcessInstanceService:
        spiff_task: SpiffTask,
        data: dict[str, Any],
        user: UserModel,
-        active_task: ActiveTaskModel,
+        human_task: HumanTaskModel,
    ) -> None:
        """All the things that need to happen when we complete a form.

@ -210,7 +219,7 @@ class ProcessInstanceService:
        dot_dct = ProcessInstanceService.create_dot_dict(data)
        spiff_task.update_data(dot_dct)
        # ProcessInstanceService.post_process_form(spiff_task)  # some properties may update the data store.
-        processor.complete_task(spiff_task, active_task)
+        processor.complete_task(spiff_task, human_task, user=user)
        processor.do_engine_steps(save=True)

    @staticmethod
@ -277,7 +286,10 @@ class ProcessInstanceService:

    @staticmethod
    def spiff_task_to_api_task(
-        spiff_task: SpiffTask, add_docs_and_forms: bool = False
+        processor: ProcessInstanceProcessor,
+        spiff_task: SpiffTask,
+        add_docs_and_forms: bool = False,
+        calling_subprocess_task_id: Optional[str] = None,
    ) -> Task:
        """Spiff_task_to_api_task."""
        task_type = spiff_task.task_spec.spec_type
@ -311,6 +323,8 @@ class ProcessInstanceService:
        if spiff_task.parent:
            parent_id = spiff_task.parent.id

+        serialized_task_spec = processor.serialize_task_spec(spiff_task.task_spec)
+
        task = Task(
            spiff_task.id,
            spiff_task.task_spec.name,
@ -324,7 +338,9 @@ class ProcessInstanceService:
            process_identifier=spiff_task.task_spec._wf_spec.name,
            properties=props,
            parent=parent_id,
+            event_definition=serialized_task_spec.get("event_definition"),
            call_activity_process_identifier=call_activity_process_identifier,
+            calling_subprocess_task_id=calling_subprocess_task_id,
        )

        return task
--- a/src/spiffworkflow_backend/services/process_model_service.py
+++ b/src/spiffworkflow_backend/services/process_model_service.py
@ -13,6 +13,8 @@ from flask_bpmn.api.api_error import ApiError
 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
    ProcessEntityNotFoundError,
 )
+from spiffworkflow_backend.interfaces import ProcessGroupLite
+from spiffworkflow_backend.interfaces import ProcessGroupLitesWithCache
 from spiffworkflow_backend.models.process_group import ProcessGroup
 from spiffworkflow_backend.models.process_group import ProcessGroupSchema
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
@ -146,7 +148,10 @@ class ProcessModelService(FileSystemService):
        if len(instances) > 0:
            raise ApiError(
                error_code="existing_instances",
-                message=f"We cannot delete the model `{process_model_id}`, there are existing instances that depend on it.",
+                message=(
+                    f"We cannot delete the model `{process_model_id}`, there are"
+                    " existing instances that depend on it."
+                ),
            )
        process_model = self.get_process_model(process_model_id)
        path = self.workflow_path(process_model)
@ -224,31 +229,46 @@ class ProcessModelService(FileSystemService):
            new_process_model_list = []
            for process_model in process_models:
                uri = f"/v1.0/process-instances/{process_model.id.replace('/', ':')}"
-                result = AuthorizationService.user_has_permission(
+                has_permission = AuthorizationService.user_has_permission(
                    user=user, permission="create", target_uri=uri
                )
-                if result:
+                if has_permission:
                    new_process_model_list.append(process_model)
            return new_process_model_list

        return process_models

    @classmethod
-    def get_parent_group_array(cls, process_identifier: str) -> list[dict]:
+    def get_parent_group_array_and_cache_it(
+        cls, process_identifier: str, process_group_cache: dict[str, ProcessGroup]
+    ) -> ProcessGroupLitesWithCache:
        """Get_parent_group_array."""
        full_group_id_path = None
-        parent_group_array = []
+        parent_group_array: list[ProcessGroupLite] = []
        for process_group_id_segment in process_identifier.split("/")[0:-1]:
            if full_group_id_path is None:
                full_group_id_path = process_group_id_segment
            else:
                full_group_id_path = os.path.join(full_group_id_path, process_group_id_segment)  # type: ignore
-            parent_group = ProcessModelService.get_process_group(full_group_id_path)
+            parent_group = process_group_cache.get(full_group_id_path, None)
+            if parent_group is None:
+                parent_group = ProcessModelService.get_process_group(full_group_id_path)
+
            if parent_group:
+                if full_group_id_path not in process_group_cache:
+                    process_group_cache[full_group_id_path] = parent_group
                parent_group_array.append(
                    {"id": parent_group.id, "display_name": parent_group.display_name}
                )
-        return parent_group_array
+        return {"cache": process_group_cache, "process_groups": parent_group_array}
+
+    @classmethod
+    def get_parent_group_array(cls, process_identifier: str) -> list[ProcessGroupLite]:
+        """Get_parent_group_array."""
+        parent_group_lites_with_cache = cls.get_parent_group_array_and_cache_it(
+            process_identifier, {}
+        )
+        return parent_group_lites_with_cache["process_groups"]

    @classmethod
    def get_process_groups(
@ -339,8 +359,11 @@ class ProcessModelService(FileSystemService):
            if len(problem_models) > 0:
                raise ApiError(
                    error_code="existing_instances",
-                    message=f"We cannot delete the group `{process_group_id}`, "
-                    f"there are models with existing instances inside the group. {problem_models}",
+                    message=(
+                        f"We cannot delete the group `{process_group_id}`, there are"
+                        " models with existing instances inside the group."
+                        f" {problem_models}"
+                    ),
                )
            shutil.rmtree(path)
        self.cleanup_process_group_display_order()
@ -392,7 +415,10 @@ class ProcessModelService(FileSystemService):
                if process_group is None:
                    raise ApiError(
                        error_code="process_group_could_not_be_loaded_from_disk",
-                        message=f"We could not load the process_group from disk from: {dir_path}",
+                        message=(
+                            "We could not load the process_group from disk from:"
+                            f" {dir_path}"
+                        ),
                    )
        else:
            process_group_id = dir_path.replace(FileSystemService.root_path(), "")
@ -457,7 +483,10 @@ class ProcessModelService(FileSystemService):
                if process_model_info is None:
                    raise ApiError(
                        error_code="process_model_could_not_be_loaded_from_disk",
-                        message=f"We could not load the process_model from disk with data: {data}",
+                        message=(
+                            "We could not load the process_model from disk with data:"
+                            f" {data}"
+                        ),
                    )
        else:
            if name is None:
--- a/src/spiffworkflow_backend/services/script_unit_test_runner.py
+++ b/src/spiffworkflow_backend/services/script_unit_test_runner.py
@ -112,7 +112,10 @@ class ScriptUnitTestRunner:
        except json.decoder.JSONDecodeError as ex:
            return ScriptUnitTestResult(
                result=False,
-                error=f"Failed to parse expectedOutputJson: {unit_test['expectedOutputJson']}: {str(ex)}",
+                error=(
+                    "Failed to parse expectedOutputJson:"
+                    f" {unit_test['expectedOutputJson']}: {str(ex)}"
+                ),
            )

        script = task.task_spec.script
--- a/src/spiffworkflow_backend/services/secret_service.py
+++ b/src/spiffworkflow_backend/services/secret_service.py
@ -44,8 +44,10 @@ class SecretService:
        except Exception as e:
            raise ApiError(
                error_code="create_secret_error",
-                message=f"There was an error creating a secret with key: {key} and value ending with: {value[:-4]}. "
-                f"Original error is {e}",
+                message=(
+                    f"There was an error creating a secret with key: {key} and value"
+                    f" ending with: {value[:-4]}. Original error is {e}"
+                ),
            ) from e
        return secret_model

@ -89,7 +91,9 @@ class SecretService:
        else:
            raise ApiError(
                error_code="update_secret_error",
-                message=f"Cannot update secret with key: {key}. Resource does not exist.",
+                message=(
+                    f"Cannot update secret with key: {key}. Resource does not exist."
+                ),
                status_code=404,
            )

@ -104,11 +108,16 @@ class SecretService:
            except Exception as e:
                raise ApiError(
                    error_code="delete_secret_error",
-                    message=f"Could not delete secret with key: {key}. Original error is: {e}",
+                    message=(
+                        f"Could not delete secret with key: {key}. Original error"
+                        f" is: {e}"
+                    ),
                ) from e
        else:
            raise ApiError(
                error_code="delete_secret_error",
-                message=f"Cannot delete secret with key: {key}. Resource does not exist.",
+                message=(
+                    f"Cannot delete secret with key: {key}. Resource does not exist."
+                ),
                status_code=404,
            )
--- a/src/spiffworkflow_backend/services/spec_file_service.py
+++ b/src/spiffworkflow_backend/services/spec_file_service.py
@ -192,7 +192,8 @@ class SpecFileService(FileSystemService):
        full_file_path = SpecFileService.full_file_path(process_model_info, file_name)
        if not os.path.exists(full_file_path):
            raise ProcessModelFileNotFoundError(
-                f"No file found with name {file_name} in {process_model_info.display_name}"
+                f"No file found with name {file_name} in"
+                f" {process_model_info.display_name}"
            )
        with open(full_file_path, "rb") as f_handle:
            spec_file_data = f_handle.read()
@ -314,8 +315,9 @@ class SpecFileService(FileSystemService):
            ).first()
            if message_model is None:
                raise ValidationException(
-                    f"Could not find message model with identifier '{message_model_identifier}'"
-                    f"Required by a Start Event in : {ref.file_name}"
+                    "Could not find message model with identifier"
+                    f" '{message_model_identifier}'Required by a Start Event in :"
+                    f" {ref.file_name}"
                )
            message_triggerable_process_model = (
                MessageTriggerableProcessModel.query.filter_by(
@ -335,7 +337,8 @@ class SpecFileService(FileSystemService):
                    != ref.process_model_id
                ):
                    raise ValidationException(
-                        f"Message model is already used to start process model {ref.process_model_id}"
+                        "Message model is already used to start process model"
+                        f" {ref.process_model_id}"
                    )

    @staticmethod
@ -353,8 +356,9 @@ class SpecFileService(FileSystemService):
                ).first()
                if message_model is None:
                    raise ValidationException(
-                        f"Could not find message model with identifier '{message_model_identifier}'"
-                        f"specified by correlation property: {cpre}"
+                        "Could not find message model with identifier"
+                        f" '{message_model_identifier}'specified by correlation"
+                        f" property: {cpre}"
                    )
                # fixme:  I think we are currently ignoring the correction properties.
                message_correlation_property = (
--- a/src/spiffworkflow_backend/services/user_service.py
+++ b/src/spiffworkflow_backend/services/user_service.py
@ -7,12 +7,15 @@ from flask import g
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db

-from spiffworkflow_backend.models.active_task import ActiveTaskModel
-from spiffworkflow_backend.models.active_task_user import ActiveTaskUserModel
 from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.human_task import HumanTaskModel
+from spiffworkflow_backend.models.human_task_user import HumanTaskUserModel
 from spiffworkflow_backend.models.principal import PrincipalModel
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
+from spiffworkflow_backend.models.user_group_assignment_waiting import (
+    UserGroupAssignmentWaitingModel,
+)


 class UserService:
@ -21,11 +24,11 @@ class UserService:
    @classmethod
    def create_user(
        cls,
+        username: str,
        service: str,
        service_id: str,
-        name: Optional[str] = "",
-        username: Optional[str] = "",
        email: Optional[str] = "",
+        display_name: Optional[str] = "",
    ) -> UserModel:
        """Create_user."""
        user_model: Optional[UserModel] = (
@ -41,8 +44,8 @@ class UserService:
                username=username,
                service=service,
                service_id=service_id,
-                name=name,
                email=email,
+                display_name=display_name,
            )
            db.session.add(user_model)

@ -55,6 +58,7 @@ class UserService:
                    message=f"Could not add user {username}",
                ) from e
            cls.create_principal(user_model.id)
+            UserService().apply_waiting_group_assignments(user_model)
            return user_model

        else:
@ -69,45 +73,12 @@ class UserService:
                )
            )

-    @classmethod
-    def find_or_create_user(
-        cls,
-        service: str,
-        service_id: str,
-        name: Optional[str] = None,
-        username: Optional[str] = None,
-        email: Optional[str] = None,
-    ) -> UserModel:
-        """Find_or_create_user."""
-        user_model: UserModel
-        try:
-            user_model = cls.create_user(
-                service=service,
-                service_id=service_id,
-                name=name,
-                username=username,
-                email=email,
-            )
-        except ApiError:
-            user_model = (
-                UserModel.query.filter(UserModel.service == service)
-                .filter(UserModel.service_id == service_id)
-                .first()
-            )
-        return user_model
-
    # Returns true if the current user is logged in.
    @staticmethod
    def has_user() -> bool:
        """Has_user."""
        return "token" in g and bool(g.token) and "user" in g and bool(g.user)

-    # Returns true if the given user uid is different from the current user's uid.
-    @staticmethod
-    def is_different_user(uid: str) -> bool:
-        """Is_different_user."""
-        return UserService.has_user() and uid is not None and uid is not g.user.uid
-
    @staticmethod
    def current_user() -> Any:
        """Current_user."""
@ -117,20 +88,6 @@ class UserService:
            )
        return g.user

-    @staticmethod
-    def in_list(uids: list[str]) -> bool:
-        """Returns true if the current user's id is in the given list of ids.
-
-        False if there is no user, or the user is not in the list.
-        """
-        if (
-            UserService.has_user()
-        ):  # If someone is logged in, lock tasks that don't belong to them.
-            user = UserService.current_user()
-            if user.uid in uids:
-                return True
-        return False
-
    @staticmethod
    def get_principal_by_user_id(user_id: int) -> PrincipalModel:
        """Get_principal_by_user_id."""
@ -173,8 +130,57 @@ class UserService:
    @classmethod
    def add_user_to_group(cls, user: UserModel, group: GroupModel) -> None:
        """Add_user_to_group."""
-        ugam = UserGroupAssignmentModel(user_id=user.id, group_id=group.id)
-        db.session.add(ugam)
+        exists = (
+            UserGroupAssignmentModel()
+            .query.filter_by(user_id=user.id)
+            .filter_by(group_id=group.id)
+            .count()
+        )
+        if not exists:
+            ugam = UserGroupAssignmentModel(user_id=user.id, group_id=group.id)
+            db.session.add(ugam)
+            db.session.commit()
+
+    @classmethod
+    def add_waiting_group_assignment(cls, username: str, group: GroupModel) -> None:
+        """Add_waiting_group_assignment."""
+        wugam = (
+            UserGroupAssignmentWaitingModel()
+            .query.filter_by(username=username)
+            .filter_by(group_id=group.id)
+            .first()
+        )
+        if not wugam:
+            wugam = UserGroupAssignmentWaitingModel(
+                username=username, group_id=group.id
+            )
+            db.session.add(wugam)
+            db.session.commit()
+        if wugam.is_match_all():
+            for user in UserModel.query.all():
+                cls.add_user_to_group(user, group)
+
+    @classmethod
+    def apply_waiting_group_assignments(cls, user: UserModel) -> None:
+        """Apply_waiting_group_assignments."""
+        waiting = (
+            UserGroupAssignmentWaitingModel()
+            .query.filter(UserGroupAssignmentWaitingModel.username == user.username)
+            .all()
+        )
+        for assignment in waiting:
+            cls.add_user_to_group(user, assignment.group)
+            db.session.delete(assignment)
+        wildcard = (
+            UserGroupAssignmentWaitingModel()
+            .query.filter(
+                UserGroupAssignmentWaitingModel.username
+                == UserGroupAssignmentWaitingModel.MATCH_ALL_USERS
+            )
+            .all()
+        )
+        for assignment in wildcard:
+            cls.add_user_to_group(user, assignment.group)
        db.session.commit()

    @staticmethod
@ -192,15 +198,15 @@ class UserService:
        return None

    @classmethod
-    def add_user_to_active_tasks_if_appropriate(cls, user: UserModel) -> None:
-        """Add_user_to_active_tasks_if_appropriate."""
+    def add_user_to_human_tasks_if_appropriate(cls, user: UserModel) -> None:
+        """Add_user_to_human_tasks_if_appropriate."""
        group_ids = [g.id for g in user.groups]
-        active_tasks = ActiveTaskModel.query.filter(
-            ActiveTaskModel.lane_assignment_id.in_(group_ids)  # type: ignore
+        human_tasks = HumanTaskModel.query.filter(
+            HumanTaskModel.lane_assignment_id.in_(group_ids)  # type: ignore
        ).all()
-        for active_task in active_tasks:
-            active_task_user = ActiveTaskUserModel(
-                user_id=user.id, active_task_id=active_task.id
+        for human_task in human_tasks:
+            human_task_user = HumanTaskUserModel(
+                user_id=user.id, human_task_id=human_task.id
            )
-            db.session.add(active_task_user)
+            db.session.add(human_task_user)
            db.session.commit()
--- a/src/spiffworkflow_backend/templates/basic_with_user_task_template.bpmn
+++ b/src/spiffworkflow_backend/templates/basic_with_user_task_template.bpmn
@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:spiffworkflow="http://spiffworkflow.org/bpmn/schema/1.0/core" id="Definitions_96f6665" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="3.0.0-dev">
+  <bpmn:process id="natural_language_process_id_template" isExecutable="true">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_0gixxkm</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_0gixxkm" sourceRef="StartEvent_1" targetRef="present_form" />
+    <bpmn:userTask id="present_form" name="Present Form">
+      <bpmn:extensionElements>
+        <spiffworkflow:properties>
+          <spiffworkflow:property name="formJsonSchemaFilename" value="form-identifier-id-template-schema.json" />
+          <spiffworkflow:property name="formUiSchemaFilename" value="form-identifier-id-template-uischema.json" />
+        </spiffworkflow:properties>
+      </bpmn:extensionElements>
+      <bpmn:incoming>Flow_0gixxkm</bpmn:incoming>
+      <bpmn:outgoing>Flow_1oi9nsn</bpmn:outgoing>
+    </bpmn:userTask>
+    <bpmn:endEvent id="Event_003bxs1">
+      <bpmn:incoming>Flow_1oi9nsn</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1oi9nsn" sourceRef="present_form" targetRef="Event_003bxs1" />
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="natural_language_process_id_template">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="179" y="159" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_0ajk9gf_di" bpmnElement="present_form">
+        <dc:Bounds x="270" y="137" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_003bxs1_di" bpmnElement="Event_003bxs1">
+        <dc:Bounds x="432" y="159" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_0gixxkm_di" bpmnElement="Flow_0gixxkm">
+        <di:waypoint x="215" y="177" />
+        <di:waypoint x="270" y="177" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1oi9nsn_di" bpmnElement="Flow_1oi9nsn">
+        <di:waypoint x="370" y="177" />
+        <di:waypoint x="432" y="177" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>
--- a/src/spiffworkflow_backend/templates/form-identifier-id-template-schema.json
+++ b/src/spiffworkflow_backend/templates/form-identifier-id-template-schema.json
@ -0,0 +1,6 @@
+{
+  "title": "{FORM_IDENTIFIER}",
+  "description": "",
+  "properties": {},
+  "required": []
+}
--- a/src/spiffworkflow_backend/templates/form-identifier-id-template-uischema.json
+++ b/src/spiffworkflow_backend/templates/form-identifier-id-template-uischema.json
@ -0,0 +1,3 @@
+{
+  "ui:order": []
+}
--- a/tests/data/data_object_test/data_object.bpmn
+++ b/tests/data/data_object_test/data_object.bpmn
@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" id="Definitions_96f6665" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="3.0.0-dev">
+  <bpmn:process id="Process_hjecbuk" isExecutable="true">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_0hnphp9</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_0hnphp9" sourceRef="StartEvent_1" targetRef="Activity_16lbvwu" />
+    <bpmn:scriptTask id="Activity_16lbvwu">
+      <bpmn:incoming>Flow_0hnphp9</bpmn:incoming>
+      <bpmn:outgoing>Flow_0amajxh</bpmn:outgoing>
+      <bpmn:dataOutputAssociation id="DataOutputAssociation_15x55ya">
+        <bpmn:targetRef>DataObjectReference_10g8dit</bpmn:targetRef>
+      </bpmn:dataOutputAssociation>
+      <bpmn:script>the_data_object_var = 'hey'</bpmn:script>
+    </bpmn:scriptTask>
+    <bpmn:sequenceFlow id="Flow_0amajxh" sourceRef="Activity_16lbvwu" targetRef="manual_task" />
+    <bpmn:endEvent id="Event_0ik0i72">
+      <bpmn:incoming>Flow_1ifqo6o</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1ifqo6o" sourceRef="manual_task" targetRef="Event_0ik0i72" />
+    <bpmn:manualTask id="manual_task">
+      <bpmn:incoming>Flow_0amajxh</bpmn:incoming>
+      <bpmn:outgoing>Flow_1ifqo6o</bpmn:outgoing>
+      <bpmn:property id="Property_0a8w16m" name="__targetRef_placeholder" />
+      <bpmn:dataInputAssociation id="DataInputAssociation_0iqtpwy">
+        <bpmn:sourceRef>DataObjectReference_10g8dit</bpmn:sourceRef>
+        <bpmn:targetRef>Property_0a8w16m</bpmn:targetRef>
+      </bpmn:dataInputAssociation>
+    </bpmn:manualTask>
+    <bpmn:dataObjectReference id="DataObjectReference_10g8dit" name="The Data Object Var" dataObjectRef="the_data_object_var" />
+    <bpmn:dataObject id="the_data_object_var" />
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="Process_hjecbuk">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="179" y="159" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_0wqvy5h_di" bpmnElement="Activity_16lbvwu">
+        <dc:Bounds x="290" y="137" width="100" height="80" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0ik0i72_di" bpmnElement="Event_0ik0i72">
+        <dc:Bounds x="652" y="159" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_0keslpp_di" bpmnElement="manual_task">
+        <dc:Bounds x="470" y="137" width="100" height="80" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_0hnphp9_di" bpmnElement="Flow_0hnphp9">
+        <di:waypoint x="215" y="177" />
+        <di:waypoint x="290" y="177" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_0amajxh_di" bpmnElement="Flow_0amajxh">
+        <di:waypoint x="390" y="177" />
+        <di:waypoint x="470" y="177" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1ifqo6o_di" bpmnElement="Flow_1ifqo6o">
+        <di:waypoint x="570" y="177" />
+        <di:waypoint x="652" y="177" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNShape id="DataObjectReference_10g8dit_di" bpmnElement="DataObjectReference_10g8dit">
+        <dc:Bounds x="412" y="275" width="36" height="50" />
+        <bpmndi:BPMNLabel>
+          <dc:Bounds x="390" y="332" width="81" height="27" />
+        </bpmndi:BPMNLabel>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="DataInputAssociation_0iqtpwy_di" bpmnElement="DataInputAssociation_0iqtpwy">
+        <di:waypoint x="448" y="275" />
+        <di:waypoint x="491" y="217" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="DataOutputAssociation_15x55ya_di" bpmnElement="DataOutputAssociation_15x55ya">
+        <di:waypoint x="371" y="217" />
+        <di:waypoint x="416" y="275" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>
--- a/tests/data/error/script_error_with_task_data.bpmn
+++ b/tests/data/error/script_error_with_task_data.bpmn
@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:spiffworkflow="http://spiffworkflow.org/bpmn/schema/1.0/core" xmlns:modeler="http://camunda.org/schema/modeler/1.0" id="Definitions_1ny7jp4" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="5.0.0" modeler:executionPlatform="Camunda Platform" modeler:executionPlatformVersion="7.17.0">
+  <bpmn:process id="sample" isExecutable="true">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_10jwwqy</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_10jwwqy" sourceRef="StartEvent_1" targetRef="script_task_one" />
+    <bpmn:endEvent id="Event_1qb1u6a">
+      <bpmn:incoming>Flow_1axnzv6</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:scriptTask id="script_task_one" name="My Script" scriptFormat="python">
+      <bpmn:extensionElements>
+        <spiffworkflow:unitTests>
+          <spiffworkflow:unitTest id="ScriptTest_pass">
+            <spiffworkflow:inputJson>{
+  "current_user": {
+    "id": "2",
+    "username": "ciadmin1"
+  },
+  "num": 0
+}</spiffworkflow:inputJson>
+            <spiffworkflow:expectedOutputJson>{
+  "Mike": "Awesome",
+  "i": 2,
+  "current_user": {
+    "id": "2",
+    "username": "ciadmin1"
+  },
+  "num": 0,
+  "my_var": "whatwhat",
+  "person": "Kevin"
+}</spiffworkflow:expectedOutputJson>
+          </spiffworkflow:unitTest>
+          <spiffworkflow:unitTest id="ScriptTest_fail">
+            <spiffworkflow:inputJson>{}</spiffworkflow:inputJson>
+            <spiffworkflow:expectedOutputJson>{}</spiffworkflow:expectedOutputJson>
+          </spiffworkflow:unitTest>
+          <spiffworkflow:unitTest id="unit_test_5T42ZRC">
+            <spiffworkflow:inputJson>{"current_user": {"id": "1", "username": "kb"}}</spiffworkflow:inputJson>
+            <spiffworkflow:expectedOutputJson>{"Mike": "Awesome", "current_user": {"id": "1", "username": "kb"}, "heyhey": "https://demo.spiffworkflow.org", "i": 2, "members": [], "my_var": "whatwhat", "person": "Kevin"}</spiffworkflow:expectedOutputJson>
+          </spiffworkflow:unitTest>
+        </spiffworkflow:unitTests>
+      </bpmn:extensionElements>
+      <bpmn:incoming>Flow_10jwwqy</bpmn:incoming>
+      <bpmn:outgoing>Flow_1utkzvj</bpmn:outgoing>
+      <bpmn:script>my_var = 'THE VAR'</bpmn:script>
+    </bpmn:scriptTask>
+    <bpmn:sequenceFlow id="Flow_1utkzvj" sourceRef="script_task_one" targetRef="script_task_two" />
+    <bpmn:sequenceFlow id="Flow_1axnzv6" sourceRef="script_task_two" targetRef="Event_1qb1u6a" />
+    <bpmn:scriptTask id="script_task_two" name="Bad News Bears">
+      <bpmn:incoming>Flow_1utkzvj</bpmn:incoming>
+      <bpmn:outgoing>Flow_1axnzv6</bpmn:outgoing>
+      <bpmn:script>hey</bpmn:script>
+    </bpmn:scriptTask>
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="sample">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="132" y="102" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_1qb1u6a_di" bpmnElement="Event_1qb1u6a">
+        <dc:Bounds x="612" y="102" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_17ohe7r_di" bpmnElement="script_task_one">
+        <dc:Bounds x="241" y="80" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_03fze1z_di" bpmnElement="script_task_two">
+        <dc:Bounds x="420" y="80" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_10jwwqy_di" bpmnElement="Flow_10jwwqy">
+        <di:waypoint x="168" y="120" />
+        <di:waypoint x="241" y="120" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1utkzvj_di" bpmnElement="Flow_1utkzvj">
+        <di:waypoint x="341" y="120" />
+        <di:waypoint x="420" y="120" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1axnzv6_di" bpmnElement="Flow_1axnzv6">
+        <di:waypoint x="520" y="120" />
+        <di:waypoint x="612" y="120" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>
--- a/tests/data/process_navigation/process_navigation.bpmn
+++ b/tests/data/process_navigation/process_navigation.bpmn
@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:spiffworkflow="http://spiffworkflow.org/bpmn/schema/1.0/core" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" id="Definitions_96f6665" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="3.0.0-dev">
+  <bpmn:collaboration id="Collaboration_1022bxx">
+    <bpmn:participant id="Participant_1gfxnts" processRef="Process_1oafp0t" />
+  </bpmn:collaboration>
+  <bpmn:process id="Process_1oafp0t" isExecutable="true">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_1l15rbh</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_1l15rbh" sourceRef="StartEvent_1" targetRef="Gateway_0n53kj7" />
+    <bpmn:eventBasedGateway id="Gateway_0n53kj7">
+      <bpmn:incoming>Flow_1l15rbh</bpmn:incoming>
+      <bpmn:outgoing>Flow_0d35i06</bpmn:outgoing>
+      <bpmn:outgoing>Flow_0tzaigt</bpmn:outgoing>
+      <bpmn:outgoing>Flow_1vld4r2</bpmn:outgoing>
+    </bpmn:eventBasedGateway>
+    <bpmn:sequenceFlow id="Flow_0d35i06" sourceRef="Gateway_0n53kj7" targetRef="Event_0xbr8bu" />
+    <bpmn:intermediateCatchEvent id="Event_0xbr8bu">
+      <bpmn:incoming>Flow_0d35i06</bpmn:incoming>
+      <bpmn:outgoing>Flow_1w3n49n</bpmn:outgoing>
+      <bpmn:messageEventDefinition id="MessageEventDefinition_1aazu62" messageRef="message_1" />
+    </bpmn:intermediateCatchEvent>
+    <bpmn:intermediateCatchEvent id="Event_0himdx6">
+      <bpmn:incoming>Flow_0tzaigt</bpmn:incoming>
+      <bpmn:outgoing>Flow_1q47ol8</bpmn:outgoing>
+      <bpmn:messageEventDefinition id="MessageEventDefinition_0oersqt" messageRef="message_2" />
+    </bpmn:intermediateCatchEvent>
+    <bpmn:sequenceFlow id="Flow_0tzaigt" sourceRef="Gateway_0n53kj7" targetRef="Event_0himdx6" />
+    <bpmn:sequenceFlow id="Flow_1vld4r2" sourceRef="Gateway_0n53kj7" targetRef="Event_0e4owa3" />
+    <bpmn:sequenceFlow id="Flow_13ai5vv" sourceRef="Event_0e4owa3" targetRef="Activity_0uum4kq" />
+    <bpmn:endEvent id="Event_0vmxgb9">
+      <bpmn:incoming>Flow_1q47ol8</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1q47ol8" sourceRef="Event_0himdx6" targetRef="Event_0vmxgb9" />
+    <bpmn:sequenceFlow id="Flow_1w3n49n" sourceRef="Event_0xbr8bu" targetRef="Event_174a838" />
+    <bpmn:endEvent id="Event_174a838">
+      <bpmn:incoming>Flow_1w3n49n</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1vwnf3n" sourceRef="Activity_0uum4kq" targetRef="Event_1ixib8a" />
+    <bpmn:intermediateCatchEvent id="Event_0e4owa3">
+      <bpmn:incoming>Flow_1vld4r2</bpmn:incoming>
+      <bpmn:outgoing>Flow_13ai5vv</bpmn:outgoing>
+      <bpmn:timerEventDefinition id="TimerEventDefinition_1fnogr9">
+        <bpmn:timeDuration xsi:type="bpmn:tFormalExpression">timedelta(hours=1)</bpmn:timeDuration>
+      </bpmn:timerEventDefinition>
+    </bpmn:intermediateCatchEvent>
+    <bpmn:manualTask id="Activity_0uum4kq" name="Any Task">
+      <bpmn:extensionElements>
+        <spiffworkflow:instructionsForEndUser>Click the button.</spiffworkflow:instructionsForEndUser>
+      </bpmn:extensionElements>
+      <bpmn:incoming>Flow_13ai5vv</bpmn:incoming>
+      <bpmn:outgoing>Flow_1vwnf3n</bpmn:outgoing>
+    </bpmn:manualTask>
+    <bpmn:endEvent id="Event_1ixib8a">
+      <bpmn:incoming>Flow_1vwnf3n</bpmn:incoming>
+    </bpmn:endEvent>
+  </bpmn:process>
+  <bpmn:message id="message_1" name="Message 1">
+    <bpmn:extensionElements>
+      <spiffworkflow:messageVariable>result</spiffworkflow:messageVariable>
+    </bpmn:extensionElements>
+  </bpmn:message>
+  <bpmn:message id="message_2" name="Message 2">
+    <bpmn:extensionElements>
+      <spiffworkflow:messageVariable>result</spiffworkflow:messageVariable>
+    </bpmn:extensionElements>
+  </bpmn:message>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="Collaboration_1022bxx">
+      <bpmndi:BPMNShape id="Participant_1gfxnts_di" bpmnElement="Participant_1gfxnts" isHorizontal="true">
+        <dc:Bounds x="120" y="70" width="630" height="310" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="192" y="172" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Gateway_0yjcvjd_di" bpmnElement="Gateway_0n53kj7">
+        <dc:Bounds x="285" y="165" width="50" height="50" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0xbr8bu_di" bpmnElement="Event_0xbr8bu">
+        <dc:Bounds x="392" y="102" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0himdx6_di" bpmnElement="Event_0himdx6">
+        <dc:Bounds x="392" y="172" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0vmxgb9_di" bpmnElement="Event_0vmxgb9">
+        <dc:Bounds x="492" y="172" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_174a838_di" bpmnElement="Event_174a838">
+        <dc:Bounds x="492" y="102" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0e4owa3_di" bpmnElement="Event_0e4owa3">
+        <dc:Bounds x="392" y="272" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_104jmxm_di" bpmnElement="Activity_0uum4kq">
+        <dc:Bounds x="480" y="250" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_1ixib8a_di" bpmnElement="Event_1ixib8a">
+        <dc:Bounds x="662" y="272" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_1l15rbh_di" bpmnElement="Flow_1l15rbh">
+        <di:waypoint x="228" y="190" />
+        <di:waypoint x="285" y="190" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_0d35i06_di" bpmnElement="Flow_0d35i06">
+        <di:waypoint x="310" y="165" />
+        <di:waypoint x="310" y="120" />
+        <di:waypoint x="392" y="120" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_0tzaigt_di" bpmnElement="Flow_0tzaigt">
+        <di:waypoint x="335" y="190" />
+        <di:waypoint x="392" y="190" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1vld4r2_di" bpmnElement="Flow_1vld4r2">
+        <di:waypoint x="310" y="215" />
+        <di:waypoint x="310" y="290" />
+        <di:waypoint x="392" y="290" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_13ai5vv_di" bpmnElement="Flow_13ai5vv">
+        <di:waypoint x="428" y="290" />
+        <di:waypoint x="480" y="290" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1q47ol8_di" bpmnElement="Flow_1q47ol8">
+        <di:waypoint x="428" y="190" />
+        <di:waypoint x="492" y="190" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1w3n49n_di" bpmnElement="Flow_1w3n49n">
+        <di:waypoint x="428" y="120" />
+        <di:waypoint x="492" y="120" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1vwnf3n_di" bpmnElement="Flow_1vwnf3n">
+        <di:waypoint x="580" y="290" />
+        <di:waypoint x="662" y="290" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>
--- a/Show More
+++ b/Show More