Creating and maintaining users for a network deployment environment server

Use the Process Admin Console to create and configure user accounts for a deployment environment server. A deployment environment is an environment in which server processes, which are typically on different physical computer systems, are managed together.

Before you begin

  • Log in to the Process Admin Console.
    Notes:
    • To create and maintain users, log in as an administrative user, such as a user in the DeAdmin role. Do not remove the user or group assigned to the DeAdmin role. Only users and groups assigned to this role can administer servers and users.
    • To create users, you must have permission at the WebSphere Application Server level.
    Important: You cannot create a new user using the Process Admin Console if a user was created in the past with the same user name. Once a user has been created using the Process Admin Console, it is kept in the BPM system. Even if the user is subsequently deleted, the user entry is not removed from the BPM DB and the internal authorization system.
  • Make sure that administrative security is enabled. For more information, see Configuring administrative and application security.
  • Authorize users to manage other users in IBM® Business Process Manager. You can enable a user to add, delete, or modify other users in IBM Business Process Manager using one of the following methods:
    Note: IBM Business Process Manager recommends using the second method shown below.
    • Assign the user to the administrator role in WebSphere® Application Server.
      1. Add the user to the tw_admins group in the Process Admin Console. See Creating and managing groups.
      2. Run the following command using the wsadmin tool.
        Note: The command cannot be run in local mode.
        INSTALL_HOME\AppServer\bin>wsadmin
        WASX7209I: Connected to process "dmgr" on node Dmgr using SOAP connector;  The type of process is: DeploymentManager
        WASX7029I: For help, enter: "$Help help"
        wsadmin>$AdminTask mapIdMgrUserToRole {-roleName IdMgrWriter -userId uid=tes_user,o=defaultWIMFileBasedRealm}
        CWWIM5099I Command completed successfully.
        wsadmin>$AdminConfig save
    • Assign the user to the WebSphere Application Server IdMgrWriter role. See Providing security.
    Refer to IdMgrConfig command group for the AdminTask object for more information on the WebSphere Application Server IdMgrWriter role.

About this task

During installation and profile creation on a deployment environment server, a file-based federated user repository is configured as the active user registry. You can change the default user repository by using the administrative console, or in the case of the Tivoli® Access Manager, by configuring the repository with the wsadmin command.
Restriction: A user name cannot have more than 64 characters.
Restriction: Specify unique user IDs for every user in the following groups:
  • WebSphere Application Server Virtual Member Manager (VMM) user repository security groups
  • Lightweight Directory Access Protocol (LDAP) user repository security groups
  • Internal IBM Business Process Manager custom user registries
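The restrictions above, together with the earlier note that a deleted user name stays in the BPM database, can be checked before any account is created. The following Python sketch is an added example, not IBM code: the function names, the repository labels, and the sample entries are constructed, and case-insensitive comparison of names is an assumption.

```python
import re

MAX_USER_NAME_LEN = 64  # limit stated on this page

# Matches the leading uid RDN of a unique name such as uid=x,o=realm
_UID_RDN = re.compile(r"^uid=((?:\\.|[^,\\])+)", re.IGNORECASE)


def short_name(entry):
    """Return the login name from a plain name or a uid=...,o=... unique name."""
    m = _UID_RDN.match(entry.strip())
    return m.group(1) if m else entry.strip()


def preflight(candidates, repositories, bpm_history):
    """Return {candidate: [problem, ...]}; an empty list means no finding.

    repositories: {label: existing entries}; bpm_history: names ever created
    through the Process Admin Console, deleted ones included.
    """
    # Assumption: names are compared case-insensitively.
    existing = {}
    for repo, entries in repositories.items():
        for entry in entries:
            existing.setdefault(short_name(entry).casefold(), set()).add(repo)
    history = {short_name(n).casefold() for n in bpm_history}

    findings, seen_in_batch = {}, set()
    for cand in candidates:
        name = short_name(cand)
        key = name.casefold()
        problems = []
        if len(name) > MAX_USER_NAME_LEN:
            problems.append("longer than %d characters" % MAX_USER_NAME_LEN)
        if key in existing:
            problems.append("already in: " + ", ".join(sorted(existing[key])))
        if key in history:
            problems.append("previously created in Process Admin Console")
        if key in seen_in_batch:
            problems.append("duplicate within this batch")
        seen_in_batch.add(key)
        findings[cand] = problems
    return findings


# Constructed sample data, not taken from a real system.
REPOS = {
    "VMM file registry": ["uid=tes_user,o=defaultWIMFileBasedRealm"],
    "LDAP": ["uid=jdoe,ou=people,dc=example,dc=com"],
    "BPM internal": ["internal_reviewer"],
}
HISTORY = ["old_contractor"]
RESULT = preflight(["Tes_User", "old_contractor", "a" * 65, "new_analyst"], REPOS, HISTORY)
```

Feed it exports from each registry and the list of names ever created in the Process Admin Console; only candidates with an empty finding list are safe to create.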

Procedure

The procedure for creating and configuring user accounts in a network deployment environment varies according to the type of user registry that is implemented, and whether your deployment uses an external security provider.

Note: In the Server Admin area of the Process Admin Console, the User Management section in the User Management window displays only internal users, that is, users that exist in the file registry part of VMM.