Specifying Process Federation Server user authorizations on Kubernetes
When Process Federation Server is installed as part of the ICP4ACluster Custom Resource, the operator defines a default set of authorizations for Process Federation Server users, that you can customize depending on your needs.
Default authorizations for Process Federation Server users
- pfs_configuration.admin_user_id: id(s) of the administrator user(s)
- pfs_configuration.admin_group_id: id(s) of the administrator group(s)
See Mapping management roles for Liberty
The following table lists the default authorizations that are sets for Process Federation Server users when running in Kubernetes.
Roles | Users and groups |
---|---|
administrator | Admin users and/or the admin groups if they are defined in the Custom Resource |
restrictedBpmuser | None |
bpmuser | All authenticated users |
createSharedSavedSearch | All authenticated users |
adminSavedSearch | Admin users and/or the admin groups if they are defined in the Custom Resource |
adminSharedSavedSearch | Admin users and/or the admin groups if they are defined in the Custom Resource |
doNotCreateSavedSearch | None |
For more information about the different roles and the corresponding granted authorizations, see Federated systems and authorization for saved searches.
Defining your own set of authorizations
The syntax to reference a group or a user in authorizations differs depending on whether you installed a stand-alone IBM Business Automation Workflow or IBM Cloud Pak for Business Automation:
- For stand-alone IBM Business Automation
Workflow on containers, the syntax is
access-id="user:o=defaultWIMFileBasedRealm/USER_ID"
andaccess-id="group:o=defaultWIMFileBasedRealm/GROUP_ID"
as currently documented. - V21.0.3 For version
21.0.3 of IBM Cloud Pak for Business
Automation
the syntax is
access-id="user:jwtrealm/USER_ID"
andaccess-id="group:jwtrealm/GROUP_ID"
. - V21.0.2 For version
21.0.2 and earlier of IBM Cloud Pak for Business
Automation, the syntax is
access-id="user:o=defaultWIMFileBasedRealm/USER_ID"
andaccess-id="group:o=defaultWIMFileBasedRealm/GROUP_ID"
as currently documented.
- Create a Kubernetes secret that contains an .xml file to be mounted as a
configuration drop-in for the Process Federation Server server (for
example, use the key authorizations.xml in your
secret):
For more information about the different roles and the corresponding granted authorizations, see Federated systems and authorization for saved searches.kind: Secret apiVersion: v1 metadata: name: <name-of-your-secret> namespace: <icp4ba-namespace> type: Opaque stringData: authorizations.xml: |- <?xml version="1.0" encoding="UTF-8"?> <server description="IBM Process Federation Server Config Dropin"> <administrator-role> <user-access-id>[...]</user-access-id> [...] <group-access-id>[...]</group-access-id> </administrator-role> <authorization-roles id="com.ibm.bpm.federated.rest.authorization"> <security-role name="restrictedBpmuser"> [...] </security-role> <security-role name="bpmuser"> [...] </security-role> <security-role name="createSharedSavedSearch"> [...] </security-role> <security-role name="adminSharedSavedSearch"> [...] </security-role> <security-role name="adminSavedSearch"> [...] </security-role> <security-role name="doNotCreateSavedSearch"> [...] </security-role> </authorization-roles> </server>
- To reference a user in the .xml file, and assign this user a role, use one of the following syntaxes:
<user name="USER_NAME" access-id="user:jwtrealm/USER_ID" />
where<user name="USER_NAME" access-id="user:o=defaultWIMFileBasedRealm/USER_ID" />
USER_NAME
andUSER_ID
are respectively the user's name and identifier. -
To reference a group, use one of the following syntaxes:
<group name="GROUP_NAME" access-id="group:jwtrealm/GROUP_ID"/>
where<group name="GROUP_NAME" access-id="group:o=defaultWIMFileBasedRealm/GROUP_ID"/>
GROUP_NAME
andGROUP_ID
are respectively the group's name and identifier. -
You can also use
<special-subject type="ALL_AUTHENTICATED_USERS"/>
entries to assign a role to all Process Federation Server users. - The syntax for the administrator role slightly differs, and is documented in Mapping management roles for Liberty.
- Define the following values in the ICP4ACluster Custom Resource:
This step ensures that no default authorizations are defined for the Process Federation Server server by the ICP4ACluster Custom Resource, and that all the .xml files defined in the Kubernetes secretpfs_configuration: enable_default_security_roles: false config_dropins_overrides_secret: <name-of-your-secret>
<name-of-your-secret>
, including the one that defines the authorizations, will be mounted in the config dropins directory of the Process Federation Server server, and properly added to the Process Federation Server server configuration.