IBM Business Process Manager security roles
IBM® Business Process Manager provides both default and optional security roles. A role is a logical name for a set of principals. Roles let you define as many user IDs and passwords as you need, depending on how fine-grained the access control in your environment must be.
You must associate each role with an authentication alias. An authentication alias is a configuration object that contains a single user ID and password. You specify the authentication alias values by using one of the following options. Review the points under each option to choose the method that best meets your system requirements.
- Use the product launchpad for a typical installation. This method automatically creates the authentication aliases for the CellAdmin, DeAdmin, DbUser, and DbUserXAR roles. You enter one user ID and password, which is used for both the DbUser role and the DbUserXAR role.
- Use the BPMConfig command. This method requires that you specify the authentication aliases for the CellAdmin, DeAdmin, DbUser, DbUserXAR, and ProcessCenterUser roles.
  - The ProcessCenterUser role is used for online process servers.
  - You specify the authentication alias for the CellAdmin role only if the BPMConfig command is also being used to create the profile. If you use the BPMConfig command on existing profiles, the CellAdmin role's authentication alias is already configured.
  - With this method, you can also specify any of the other roles as needed for your environment.
- Use the administrative console's Deployment Environment wizard. This method requires that you specify the authentication aliases for the DeAdmin, DbUser, DbUserXAR, and ProcessCenterUser roles.
  - The ProcessCenterUser role is used for online process servers.
  - You enter one user ID and password, which is used for both the DbUser role and the DbUserXAR role.
  - With this method, you cannot specify any of the other roles.
- Use the manageprofiles command-line utility.
  - You can specify the CellAdmin role's authentication alias only in the manageprofiles -adminAliasName parameter.
  - The deployment environment is created after profile creation, so there are no deployment environment-level authentication aliases to configure during profile creation.
- Use the Profile Management Tool.
  - The Profile Management Tool automatically associates the CellAdmin role with the CellAdminAlias authentication alias. It does not allow you to specify a different authentication alias.
The following diagram illustrates the role and authentication alias
relationships and how they are used in various IBM Business Process Manager scenarios.
- Each authentication alias contains only one user ID and password.
- Each authentication alias can be mapped to one or more roles.
- Each scenario may require more than one role to complete the scenario.
- The following roles require additional steps when you update the role to an authentication alias mapping:
  - BPMAuthor - Add the user to the group defined as the author group in IBM Business Process Manager. The group is either the default tw_authors group, or the group defined by the bpmAuthorGroup property if the group has been modified.
  - CellAdmin - Add the user to the administrator role in WebSphere® Application Server and to the groups defined as the admin and author groups in IBM Business Process Manager. The groups are either the tw_admins and tw_authors defaults, or the groups defined by the bpmAdminGroup and bpmAuthorGroup properties if the groups have been modified. For more information about the administrator role in WebSphere Application Server, see Security planning overview.
  - DeAdmin - Add the user to the administrator, deployer, and operator roles in WebSphere Application Server and to the groups defined as the admin and author groups in IBM Business Process Manager. The groups are either the tw_admins and tw_authors defaults, or the groups defined by the bpmAdminGroup and bpmAuthorGroup properties if the groups have been modified.
  - SCADeploymentUser - Add the user to the deployer and operator roles in WebSphere Application Server.
  - EmbeddedECMTechnicalUser - The technical user must have the WebSphere Application Server administrator role. There must be an authorized user assigned to this role at every point in the runtime process. Authorization in the IBM BPM document store is bound to the unique user ID, not the user name, so a recreated user with the same name is not considered the same user. This matters if you intend to delete and recreate a user, or switch to a different user registry. See Administering the technical user for the IBM BPM document store.
To update the role to an authentication alias mapping:
- Log in to the administrative console.
- Click .
To make changes to the authentication alias, see Modifying authentication aliases.
Table 1 lists the required roles for IBM Business Process Manager. You must provide the values for these roles during installation and configuration. Any additional software installed on your Process Server might have additional roles.
IBM Business Process Manager Required roles | Description |
---|---|
CellAdmin | The cell administrator is the primary administrator at the WebSphere Application Server level. A user assigned to this role during installation and configuration has the following characteristics and capabilities: Note: If you change the user ID and password in the authentication alias that is mapped to the CellAdmin role, additional steps are required when updating the role to an authentication alias mapping. See CellAdmin. The following characters are supported when specifying the cell administrator user name and password: |
DeAdmin | The deployment environment administrator is the primary administrator at the IBM Business Process Manager level. A user assigned to this role: Note: If you change the user ID and password in the authentication alias that is mapped to the DeAdmin role, additional steps are required when updating the role to an authentication alias mapping. See DeAdmin. The following characters are supported when specifying the deployment environment administrator user name and password: |
DbUser | A user assigned to this role has access to the specified database. |
DbUserXAR | A user assigned to this role has authorization to do XA recovery. This user can also be assigned to the DbUser role. |
Table 2 lists the optional roles for IBM Business Process Manager. If you do not specify an authentication alias for one of these roles during configuration, the alias that is mapped to the DeAdmin role is mapped to it, so that component then authenticates with the deployment environment administrator's credentials.
IBM Business Process Manager Optional roles | Description |
---|---|
PerformanceDWUser | Required user to run the Performance Data Warehouse. |
ProcessServerUser | Process Server user for the JMS queues; used to authenticate the JMS connection. |
ProcessCenterUser | This role maps to an authentication alias for a Process Center user who is authorized to connect from the Process Server to the Process Center. This user does not need any special permission in Process Center. |
BPMAdminJobUser | A user assigned to this role has the authority to perform the actions on the product activity log (PAL) Admin code. |
BPMAuthor | This role maps to an authentication alias for a user that requires the authority to access and deploy snapshots to the runtime Process Server and access that Process Server from the Process Inspector, which is located in IBM Process Designer. |
BPMUser | Authentication alias for BPM UserBPC_Auth_Alias. |
BPMWebserviceUser | Authentication alias for the anonymous web service user. |
EventManagerUser | This role maps to an authentication alias for a user that is used as the run-as user for the Event Manager. |
RALUser | Authentication alias for RAL User. |
SCADeploymentUser | Authentication alias used to deploy SCA applications. Note: If you change the user ID and password in the authentication alias that is mapped to the SCADeploymentUser role, additional steps are required when updating the role to an authentication alias mapping. See SCADeploymentUser. |
SCAUser | Authentication alias used by SCA to log in to a secured SIBus. |
BPCUser | Business Process Choreographer JMS authentication alias. |
EmbeddedECMTechnicalUser | If you do not specify a user, this role is given a default during installation. Note: If you change the user ID and password in the authentication alias that is mapped to the EmbeddedECMTechnicalUser role, additional steps are required when updating the role to an authentication alias mapping. See EmbeddedECMTechnicalUser. |
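The DeAdmin defaulting rule for the optional roles in Table 2, together with the additional steps listed earlier for BPMAuthor, CellAdmin, DeAdmin, SCADeploymentUser and EmbeddedECMTechnicalUser, make it easy to end up with more components sharing one set of administrator credentials than intended. The following is an added example, not IBM code and not part of this page: a small audit script that applies the rules stated above to a planned role-to-alias mapping and reports which roles resolve to the same credentials, which optional roles silently inherit the DeAdmin alias, and which WebSphere roles and BPM groups a new user needs after a remap. The alias names, user IDs and passwords are constructed sample data.

```python
"""Audit a planned IBM BPM role-to-authentication-alias mapping.

Added example for this page, not IBM code. It applies the rules the page
states: an authentication alias holds exactly one user ID and password, an
alias may be mapped to one or more roles, optional roles with no explicit
alias inherit the DeAdmin alias, and some roles need extra WebSphere
Application Server roles or BPM group membership when their mapping changes.
All alias names, user IDs and passwords below are constructed sample data.
"""
from dataclasses import dataclass

REQUIRED_ROLES = ("CellAdmin", "DeAdmin", "DbUser", "DbUserXAR")
OPTIONAL_ROLES = (
    "PerformanceDWUser", "ProcessServerUser", "ProcessCenterUser",
    "BPMAdminJobUser", "BPMAuthor", "BPMUser", "BPMWebserviceUser",
    "EventManagerUser", "RALUser", "SCADeploymentUser", "SCAUser",
    "BPCUser", "EmbeddedECMTechnicalUser",
)

# Extra steps from the page's "additional steps" list, keyed by role:
# (WebSphere Application Server roles, BPM groups). The group names are the
# defaults; pass the bpmAdminGroup / bpmAuthorGroup values if they were changed.
FOLLOW_UP = {
    "BPMAuthor": ((), ("tw_authors",)),
    "CellAdmin": (("administrator",), ("tw_admins", "tw_authors")),
    "DeAdmin": (("administrator", "deployer", "operator"), ("tw_admins", "tw_authors")),
    "SCADeploymentUser": (("deployer", "operator"), ()),
    "EmbeddedECMTechnicalUser": (("administrator",), ()),
}


@dataclass(frozen=True)
class Alias:
    """One authentication alias: exactly one user ID and password."""
    name: str
    user_id: str
    password: str


def resolve_mapping(aliases, mapping):
    """Return {role: Alias} for every role, applying the DeAdmin default
    to optional roles that are not mapped explicitly."""
    by_name = {a.name: a for a in aliases}
    missing = [r for r in REQUIRED_ROLES if r not in mapping]
    if missing:
        raise ValueError(f"required roles without an alias: {missing}")
    resolved = {}
    for role in REQUIRED_ROLES + OPTIONAL_ROLES:
        alias_name = mapping.get(role, mapping["DeAdmin"])
        if alias_name not in by_name:
            raise ValueError(f"{role} refers to unknown alias {alias_name}")
        resolved[role] = by_name[alias_name]
    return resolved


def shared_credentials(resolved):
    """Aliases (hence credentials) used by more than one role."""
    groups = {}
    for role, alias in resolved.items():
        groups.setdefault(alias.name, []).append(role)
    return {name: sorted(roles) for name, roles in groups.items() if len(roles) > 1}


def roles_inheriting_deadmin(resolved, mapping):
    """Optional roles that silently run with the DeAdmin credentials."""
    deadmin = resolved["DeAdmin"]
    return sorted(r for r in OPTIONAL_ROLES if r not in mapping and resolved[r] == deadmin)


def remap_steps(role, admin_group="tw_admins", author_group="tw_authors"):
    """WebSphere roles and BPM groups the new user needs after a remap."""
    was_roles, groups = FOLLOW_UP.get(role, ((), ()))
    names = {"tw_admins": admin_group, "tw_authors": author_group}
    return {"websphere_roles": list(was_roles), "bpm_groups": [names[g] for g in groups]}


# Constructed sample configuration: four aliases, five explicit mappings.
SAMPLE_ALIASES = [
    Alias("CellAdminAlias", "wasadmin", "Cell-Pw-1"),
    Alias("DeAdminAlias", "deadmin", "De-Pw-2"),
    Alias("DbAlias", "bpmdb", "Db-Pw-3"),
    Alias("AuthorAlias", "bpmauthor", "Au-Pw-4"),
]
SAMPLE_MAPPING = {
    "CellAdmin": "CellAdminAlias",
    "DeAdmin": "DeAdminAlias",
    "DbUser": "DbAlias",
    "DbUserXAR": "DbAlias",
    "BPMAuthor": "AuthorAlias",
}

if __name__ == "__main__":
    resolved = resolve_mapping(SAMPLE_ALIASES, SAMPLE_MAPPING)
    for alias_name, roles in shared_credentials(resolved).items():
        print(f"{alias_name} is shared by: {', '.join(roles)}")
    print("inheriting DeAdmin:", roles_inheriting_deadmin(resolved, SAMPLE_MAPPING))
    print("after remapping DeAdmin:", remap_steps("DeAdmin", admin_group="bpm_admins"))
```

With the sample mapping, twelve of the thirteen optional roles resolve to DeAdminAlias, so the Process Center connection, the JMS queues, the Event Manager and the embedded document store all authenticate as the deployment environment administrator; only BPMAuthor, DbUser/DbUserXAR and CellAdmin use separate credentials. Run the script against your own alias list and mapping before configuration to decide which optional roles deserve an alias of their own.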