Securing the IBM Business Process Manager runtime environment involves enabling administrative security, enabling application security, creating profiles with security, and restricting access to critical functions to selected users.
Securing an application includes authenticating users, implementing access control for operations and resources, and providing data integrity and privacy.
IBM Business Process Manager security is based on the WebSphere® Application Server version 7.0 security.
For detailed information about security, see the 
WebSphere Application Server Network Deployment Information
Center.
Security tasks can be broadly divided into those concerning the administration of security in the IBM Business Process Manager environment and those that are related to the applications running in IBM Business Process Manager. The security of the server environment is central to the security of applications, and therefore the two sides should not be thought of in isolation.
Securing the environment involves enabling administrative security, enabling application security, creating profiles with security, and restricting access to critical functions to selected users.
- Authentication of users. A user or a process that invokes an application must be authenticated. With a single sign on, a user can provide authentication data once and then pass this authentication information to downstream components.
- Access control. The authenticated user must have permission to perform the operation.
- Data integrity and privacy. The data that is accessed by an application must be secured so that no unauthorized party can view or modify it in any way.
The rest of this section describes the security considerations at various stages of operation of the IBM Business Process Manager environment.
- The administrative console page Business
Integration Security is unique to IBM Business Process Manager. You
display this page by expanding Security and
clicking Business Integration Security.
This page allows users to assign specific identities from their user registry to important business integration authentication aliases. In addition, you can administer your Business Process Choreographer security settings on this page.
- Application security is turned on by default in IBM Business Process Manager. This is not the case in WebSphere Application Server.
- IBM Business Process Manager contains a set of component-specific security roles.
- Consider security when you install IBM Business Process Manager.
- Secure your environment before installation.
- Prepare the operating system for installation of IBM Business Process Manager.
- Prepare your environment after installation.
- Ensure that security is turned on for your stand-alone or deployment
environment installation.
- Ensure that Administrative security is turned on.
- Ensure that Application security is turned on.
- If required, turn on Java™ 2 security.
- Use the Security Configuration wizard in the administrative console to configure security options.
- Set up a secure authentication mechanism and user account repository.
- Assign user names and passwords to important business integration authentication aliases.
- Assign users to appropriate administrative security roles.
- Assign users and groups to appropriate internal groups (using the Process Admin Console) so that IBM Process Center, IBM Process Portal, and other tools can be accessed by those users and groups.
- Set up security for specific IBM Business Process Manager components. For example, use the Security Roles widget to set up role-based access control for timetables in the Business Calendars widget.
- Secure the applications that you deploy to your process server
environment.
- Develop your applications in Integration Designer using all appropriate security features.
- Deploy your applications to your IBM Business Process Manager environment.
- Assign users or groups to appropriate security roles to control access to the newly deployed application.
- Maintain the security of your IBM Business Process Manager environment.