Enabling adding user registry groups of a user at login time for web applications

Edit online

When a user logs in to Business Automation Workflow web applications such as Process Portal, group membership is recalculated and can be cached for that user on the database, in order to keep accurate permission checks based on group memberships.

Before 23.0.1, this mechanism also added user registry groups to the database. This is now disabled by default for performance reasons, since such groups cannot occur in permission checks yet. You can use the add-user-registry-groups-to-db-on-login configuration property to re-enable the legacy behavior.

About this task

The add-user-registry-groups-to-db-on-login setting is used to disable or to enable adding user registry groups to the database during the group membership recalculation when a user logs in. If it is set to false (which is the default), the group membership recalculation only factors in groups that are already in the database. If it is set to true, groups that exist only in the user registry but not yet in the database are added to the database first. To change the value for the setting, you can override the value by adding or updating the setting in your 100Custom.xml files. For example, to add the setting to a 100Custom.xml file, add the following elements under the <properties> element and modify the value as needed:
<common>
  <security>
    <add-user-registry-groups-to-db-on-login merge="replace">false</add-user-registry-groups-to-db-on-login>
  </security>
</common>
For more information about the individual 100Custom.xml files that need to be updated and their locations, see Location of 100Custom configuration files.

Procedure

  •  Traditional: 
    To consistently and reliably change the value of the setting in all of the 100Custom.xml files in your Business Automation Workflow deployment environment, it is recommended to use the updateBPMConfig command as described in the following procedure:
    1. Stop the servers for Workflow Server and Workflow Center.
    2. Start the scripting client in disconnected mode as described in the topic updateBPMConfig command.
    3. Run the following commands to simultaneously update all affected servers:
      wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common' ] )
wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security' ] )
wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security/add-user-registry-groups-to-db-on-login', '-xNodeValue', true_or_false ] )
wsadmin> AdminConfig.save()
    4. Replace the true_or_false variable with either true or false.
    5. Restart the servers.

  •  Containers: 

    If you use containers, make changes to the 100Custom.xml file by following the procedure described at Customizing Business Automation Workflow properties.