Security of IBM® Business Process Manager and applications depends on securing the runtime environment and securing applications.

Securing the IBM Business Process Manager runtime environment involves enabling administrative security, enabling application security, creating profiles with security, and restricting access to critical functions to selected users.

Securing an application includes authenticating users, implementing access control for operations and resources, and providing data integrity and privacy.

IBM Business Process Manager security is based on the WebSphere® Application Server version 7.0 security.

For detailed information about security, see the WebSphere Application Server Network Deployment Information Center.

Security tasks can be broadly divided into those concerning the
administration of security in the IBM Business Process Manager environment
and those that are related to the applications running in IBM Business Process Manager. The
security of the server environment is central to the security of applications,
and therefore the two sides should not be thought of in isolation.
Securing the environment involves enabling administrative security,
enabling application security, creating profiles with security, and
restricting access to critical functions to selected users.
To secure an application, consider the following aspects:
- Authentication of users. A user or a process that invokes an application
must be authenticated. With single sign-on, a user can provide authentication
data once and then pass this authentication information to downstream
components.
- Access control. The authenticated user must have permission to
perform the operation.
- Data integrity and privacy. The data that is accessed by an application
must be secured so that no unauthorized party can view or modify it
in any way.
The rest of this section describes the security considerations
at various stages of operation of the IBM Business Process Manager environment.
IBM Business Process Manager security is built on WebSphere Application Server 7.0 security. Considerations that are specific to IBM Business Process Manager are listed.
The following list provides an overview of the tasks you perform when securing IBM Business Process Manager. For detailed instructions, refer to the related tasks.
- Consider security when you install IBM Business Process Manager.
- Secure your environment before installation.
- Prepare the operating system for installation of IBM Business Process Manager.
- Prepare your environment after installation.
- Ensure that security is turned on for your stand-alone or deployment
environment installation.
- Ensure that Administrative security is turned on.
- Ensure that Application security is turned on.
- If required, turn on Java™ 2 security.
- Use the Security Configuration wizard in the administrative console
to configure security options.
- Set up a secure authentication mechanism and user account repository.
- Assign user names and passwords to important business integration
authentication aliases.
- Assign users to appropriate administrative security roles.
- Assign users and groups to appropriate internal
groups (using the Process Admin Console) so that IBM Process Center, IBM Process Portal,
and other tools can be accessed by those users and groups.
- Set up security for specific IBM Business Process Manager components.
For example, use the Security Roles widget to set up role-based access
control for timetables in the Business Calendars widget.
- Secure the applications that you deploy to your process server
environment.
- Develop your applications in Integration Designer using
all appropriate security features.
- Deploy your applications to your IBM Business Process Manager environment.
- Assign users or groups to appropriate security roles to control
access to the newly deployed application.
- Maintain the security of your IBM Business Process Manager environment.
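
The three switches named in the checklist above (administrative security, application security and, if required, Java 2 security) can be verified offline against a copy of the cell's security configuration. The following Python script is an added example, not IBM code: it assumes the `enabled`, `appEnabled` and `enforceJava2Security` attributes on the root `Security` element of WebSphere Application Server's `security.xml`, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the root element of a cell-level security.xml
# (assumption); a real file carries many more attributes and child elements.
SAMPLE_SECURITY_XML = """\
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:version="2.0" xmi:id="Security_1"
    enabled="true" appEnabled="false" enforceJava2Security="false"/>
"""

# (attribute, checklist item, mandatory?) -- Java 2 security is "if required".
CHECKS = [
    ("enabled", "Administrative security", True),
    ("appEnabled", "Application security", True),
    ("enforceJava2Security", "Java 2 security", False),
]


def audit_security_xml(xml_text):
    """Return [(item, status)] with status OK, FAIL or OPTIONAL-OFF."""
    root = ET.fromstring(xml_text)
    # Refuse to report on a file that is not the security configuration.
    if root.tag.rsplit("}", 1)[-1] != "Security":
        raise ValueError("root element is not Security: %r" % root.tag)
    results = []
    for attr, item, mandatory in CHECKS:
        # A missing attribute is treated as disabled rather than guessed at.
        on = root.get(attr, "false").strip().lower() == "true"
        if on:
            status = "OK"
        elif mandatory:
            status = "FAIL"
        else:
            status = "OPTIONAL-OFF"
        results.append((item, status))
    return results


def is_compliant(results):
    """True when no mandatory checklist item is switched off."""
    return not any(status == "FAIL" for _, status in results)


if __name__ == "__main__":
    findings = audit_security_xml(SAMPLE_SECURITY_XML)
    for item, status in findings:
        print("%-24s %s" % (item, status))
    print("compliant:", is_compliant(findings))
```

Run it against a backup copy of the configuration instead of the live repository, and treat `FAIL` on either mandatory item as a blocker before deploying applications.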