In IBM® Business
Process Manager V8.0.1.1,
you can limit Process Designer Inspector
actions on certain types of server.
About this task
In
IBM Business
Process Manager V8.0.0
and V8.0.1, someone with administrative authority for a process application
can use the
Process Designer Inspector
to inspect a process from that process application on any connected
server. They can use the Inspector to stop the process or run tasks.
Version 8.0.1.1 allows the organization to restrict Inspector actions
on particular connected servers. For example, an organization can
allow only users in the tw_admins group to use the Inspector on production
servers.
Note: These restrictions do not apply to process
applications in IBM Process
Center.
Procedure
- Add an <inspector> element in the <authoring-environment> section
of the 100Custom.xml server configuration file.
- Add one or more <target-server> elements. The <target-server> element describes the
server where the restrictions are applied.
- Optional: To apply the restrictions to a particular
type of server, add a type attribute to the <target-server> element. The type attribute can be "development", "test", "staging",
or "production".
- Optional: To apply the restrictions to a specific
server, add a name attribute to the <target-server> element.
- Optional: Add one <default-action-policy> element
to a<target-server> element.
- Add one or more <action> elements to
the <default-action-policy> element. The <action> element
describes a particular Inspector action and the roles that are allowed
to perform that action.
- Add a type attribute to the <action> element. You can use the following values for the type attribute:
- ACTION_VIEW_INSTANCE - Only the specified roles can view process
instances.
- ACTION_RUN_PROCESS - Only the specified roles can run processes.
- ACTION_MANAGE_INSTANCE - Only the specified roles can manage process
instances by suspending, resuming, stopping, or deleting instances.
- ACTION_RUN_TASK - Only the specified roles can run or debug tasks.
- ACTION_CHANGE_VARIABLE - Only the specified roles can change variables.
- Add one or more <role> elements to
the <action> element. The <role> element
specifies the group that the user must be a part of to perform the
parent action. The <role> element can contain
only one role, and that role must correspond to a group that is defined
in Process Center.
Example
Here is an example that restricts all of the Inspector
actions on servers of type production:
<inspector>
<target-server type="production">
<default-action-policy>
<action type="ACTION_VIEW_INSTANCE">
<role>tw_admins</role>
</action>
<action type="ACTION_RUN_PROCESS">
<role>tw_admins</role>
</action>
<action type="ACTION_MANAGE_INSTANCE">
<role>tw_admins</role>
</action>
<action type="ACTION_RUN_TASK">
<role>tw_admins</role>
</action>
<action type="ACTION_CHANGE_VARIABLE">
<role>tw_admins</role>
</action>
</default-action-policy>
</target-server>
</inspector>
If an <action> type
is not specified or is empty, there are no restrictions for the user
on that action. The organization might determine that a process author
can use the Inspector to view instances on a staging server but not
allow the user to modify the running processes in any way. Assuming
that a user has administrative rights to the process application,
you can add the following lines to the 100Custom.xml file.
You can add more roles for particular servers or types of server,
as shown in this example:
<inspector>
<target-server type="staging">
<default-action-policy>
<action type="ACTION_VIEW_INSTANCE">
<!-- No Restrictions -->
</action>
<action type="ACTION_RUN_PROCESS">
<role>tw_admins</role>
<role>staging_admins</role>
</action>
. . .
</default-action-policy>
</target-server>
</inspector>