Restricting Inspector actions for online Process Servers

You can limit Process Designer Inspector actions for specific Process Servers or environment types.

About this task

Someone with administrative authority for a process application can use the Process Designer Inspector to inspect a process from that process application on any connected server. They can use the Inspector to stop the process or run tasks. However, the organization can restrict Inspector actions on particular connected servers. For example, an organization can allow only users in the tw_admins group to use the Inspector on production servers.
Note: The following configuration steps should be completed only on the IBM® Process Center. The configuration applies only to online Process Servers that are viewed in the Process Designer Inspector.

Procedure

  1. Open the 100Custom.xml file.
    1. Go to the IBM Business Process Manager installation directory (install_root).
    2. Open the profiles directory and open the directory for the deployment manager profile. All configuration must be completed at the deployment manager level.
    3. Open the config directory and find the 100Custom.xml file.
      • On Windows operating systems, type: dir /s /b 100Custom.xml
      • On Linux, AIX, and Solaris operating systems, type: find . -name '100Custom.xml' -print
  2. Add an <inspector> element in the <authoring-environment> section of the 100Custom.xml file.
    <properties>
    ...
       <authoring-environment merge="mergeChildren">
       ...
       <inspector>
       </inspector>
       </authoring-environment>
    </properties>
  3. Add one or more <target-server> elements. The <target-server> element describes the server where the restrictions are applied.
  4. Optional: To apply the restrictions to a particular type of server, add a type attribute to the <target-server> element. The type attribute can be "development", "test", "staging", or "production". To find out the type of a particular server, see Modifying the IBM Process Server environment type.
  5. Optional: To apply the restrictions to a specific server, add a name attribute to the <target-server> element.

    To find out the name of a particular server, see Modifying the IBM Process Server environment type.

  6. Optional: Add one <default-action-policy> element to a <target-server> element.

  7. Add one or more <action> elements to the <default-action-policy> element. The <action> element describes a particular Inspector action and the roles that are allowed to perform that action.
  8. Add a type attribute to the <action> element. You can use the following values for the type attribute:
    • ACTION_VIEW_INSTANCE - Only the specified roles can view process instances.
    • ACTION_RUN_PROCESS - Only the specified roles can run processes.
    • ACTION_MANAGE_INSTANCE - Only the specified roles can manage process instances by suspending, resuming, stopping, or deleting instances.
    • ACTION_RUN_TASK - Only the specified roles can run or debug tasks.
    • ACTION_CHANGE_VARIABLE - Only the specified roles can change variables.
  9. Add one or more <role> elements to the <action> element. The <role> element specifies the group that the user must be a part of to perform the parent action. The <role> element can contain only one role, and that role must correspond to a group that is defined in Process Center.

Example

Here is an example that restricts all of the Inspector actions on servers of type production:

<inspector>
   <target-server type="production">
      <default-action-policy>
         <action type="ACTION_VIEW_INSTANCE">
            <role>tw_admins</role>
         </action>
         <action type="ACTION_RUN_PROCESS">
            <role>tw_admins</role>
         </action>
         <action type="ACTION_MANAGE_INSTANCE">
            <role>tw_admins</role>
         </action>
         <action type="ACTION_RUN_TASK">
            <role>tw_admins</role>
         </action>
         <action type="ACTION_CHANGE_VARIABLE">
            <role>tw_admins</role>
         </action>
      </default-action-policy>
   </target-server>
</inspector>

If an <action> type is not specified or is empty, there are no restrictions for the user on that action. The organization might determine that a process author can use the Inspector to view instances on a staging server but not allow the user to modify the running processes in any way. Assuming that a user has administrative rights to the process application, you can add the following lines to the 100Custom.xml file. You can add more roles for particular servers or types of server, as shown in this example:

<inspector>
   <target-server name="my staging server">
      <default-action-policy>
         <action type="ACTION_VIEW_INSTANCE">
            <!-- No Restrictions -->
         </action>
         <action type="ACTION_RUN_PROCESS">
            <role>tw_admins</role>
            <role>staging_admins</role>
         </action>
         . . .
      </default-action-policy>
   </target-server>
</inspector>
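
Because an <action> with no roles, or an action type that is never listed, leaves that action unrestricted, an omission or a typo in the policy is easy to miss. The following audit script is an added example, not IBM code: it reads an <inspector> policy and reports, for each <target-server>, which of the five action types carry no role restriction. The sample XML is constructed, and how the product itself treats an unrecognized type value is not stated on this page, so the script only flags it.

```python
import xml.etree.ElementTree as ET

# Action and environment type values listed in the procedure above.
ACTIONS = ("ACTION_VIEW_INSTANCE", "ACTION_RUN_PROCESS", "ACTION_MANAGE_INSTANCE",
           "ACTION_RUN_TASK", "ACTION_CHANGE_VARIABLE")
SERVER_TYPES = {"development", "test", "staging", "production"}

# Constructed sample (not from a real system): one misspelled type, one empty action.
SAMPLE = """<properties><authoring-environment merge="mergeChildren"><inspector>
  <target-server type="production"><default-action-policy>
    <action type="ACTION_VIEW_INSTANCE"><role>tw_admins</role></action>
    <action type="ACTION_RUN_PROCESS"><role>tw_admins</role></action>
    <action type="ACTION_MANAGE_INSTANCES"><role>tw_admins</role></action>
    <action type="ACTION_RUN_TASK"><role>tw_admins</role></action>
    <action type="ACTION_CHANGE_VARIABLE"></action>
  </default-action-policy></target-server>
</inspector></authoring-environment></properties>"""

def audit_inspector(xml_text):
    """Return one finding per <target-server>: unrestricted actions and problems."""
    root = ET.fromstring(xml_text)
    inspector = root if root.tag == "inspector" else root.find(".//inspector")
    findings = []
    if inspector is None:
        return findings  # no <inspector> element: nothing is restricted
    for server in inspector.findall("target-server"):
        label = server.get("name") or "type=%s" % server.get("type")
        problems, roles_by_action = [], {}
        stype = server.get("type")
        if stype is not None and stype not in SERVER_TYPES:
            problems.append("unknown server type %r" % stype)
        for action in server.findall("default-action-policy/action"):
            atype = action.get("type")
            if atype not in ACTIONS:
                problems.append("unknown action type %r" % atype)
                continue
            roles = [r.text.strip() for r in action.findall("role")
                     if r.text and r.text.strip()]
            roles_by_action.setdefault(atype, []).extend(roles)
        # An action that is missing or has no <role> children is unrestricted.
        unrestricted = [a for a in ACTIONS if not roles_by_action.get(a)]
        findings.append({"server": label, "unrestricted": unrestricted,
                         "problems": problems})
    return findings

if __name__ == "__main__":
    for finding in audit_inspector(SAMPLE):
        print(finding)
```

To audit a real policy, pass the contents of the 100Custom.xml file from the deployment manager profile to audit_inspector instead of SAMPLE.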