Synchronizing group membership by groups

The syncGroupMembershipForGroups and syncGroupMembershipForAllGroups commands trigger synchronization of group membership by groups between the WebSphere Application Server user registry and the IBM® BPM database.

Important: These commands might result in execution times that exceed the default timeout setting for wsadmin command execution. To change the default to allow for the execution time required in your environment, open the profile_root/properties/soap.client.props file and change the value for com.ibm.SOAP.requestTimeout to 0, which means no timeout.
Tip: Consider executing these commands during idle time, as they might impose a high load on the system.
Note: Synchronization for group membership takes into account only users that are already in the IBM BPM database; that is, users that either have logged in to IBM BPM or have been synchronized to IBM BPM using one of the available user synchronization commands. All other users will not be considered by the synchronization commands to be group members. Consider carefully whether your setup is appropriate for the use of these commands.
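
The timeout change from the Important note above, as an added shell example (not IBM's own tooling). The function name set_soap_request_timeout and the PROFILE_ROOT variable in the usage comment are assumptions. It rewrites only the active com.ibm.SOAP.requestTimeout line, keeps a .bak copy, and writes in place so the file keeps its existing owner and mode.

```shell
#!/bin/sh
# Added example. Usage (PROFILE_ROOT is an assumed variable for profile_root):
#   set_soap_request_timeout "$PROFILE_ROOT/properties/soap.client.props" 0
set_soap_request_timeout() {
    props=$1
    value=${2:-0}                       # 0 means no timeout
    key='com.ibm.SOAP.requestTimeout'

    [ -f "$props" ] || { echo "not found: $props" >&2; return 1; }
    case $value in
        ''|*[!0-9]*) echo "timeout must be a non-negative integer" >&2
                     return 2 ;;
    esac

    # Temp file is created next to the target with a private mode.
    tmp=$(mktemp "${props}.XXXXXX") || return 1

    # Replace the first active assignment, drop later duplicates,
    # leave commented-out lines alone, append the key if it is absent.
    awk -v key="$key" -v val="$value" '
        BEGIN { FS = "="; done = 0 }
        {
            k = $1
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                if (!done) { print key "=" val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key "=" val }
    ' "$props" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep a copy of the previous settings (mode and timestamps preserved).
    cp -p "$props" "${props}.bak" || { rm -f "$tmp"; return 1; }

    # Overwrite the contents in place so the owner and permissions of
    # soap.client.props stay exactly as they were.
    cat "$tmp" > "$props" && rm -f "$tmp"
}
```

To return to a finite timeout after the synchronization run, call the function again with the earlier value, which is recorded in the .bak copy.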

To synchronize group membership by groups, use the following commands, which are located in the profile_root/bin directory, and are available for both Windows and Linux environments:

syncGroupMembershipForGroups.[bat|sh] [options...] groupName1 groupName2 ... groupNameN
Synchronizes group membership for the resolved (direct and indirect) user members of a set of specified groups

groupNameN is a list of group names the members of which are to be updated for membership.

Note: In the context of a group, the group membership is synchronized for the members of the group with respect to this group.

syncGroupMembershipForAllGroups.[bat|sh] [options...]
Synchronizes group membership for the user members of all available groups

Each command has the following options:
-?, -help
Displays the syntax of the command
-u <username>, -username <username>
The name of the admin user
-p <password>, -password <password>
The password of the user (unencrypted)
-host <host>
The host name of the AppTarget cluster member on which the admin task should be executed (must be used with port)
-port <port>
The SOAP port of the AppTarget cluster member on which the admin task should be executed

The output of the command indicates the number of synchronized groups.

In addition, the number of skipped groups is indicated, for each of the possible reasons for skipping:
  • The group is not available in the user registry
  • The group has a short name that occurs more than once in the user registry
  • The group is already defined with the same short name in IBM BPM as a non-security group (that is, a group created using the Process Admin Console)

If federated repositories are not configured for WebSphere security, the WebSphere user registry interface is used for execution.

If federated repositories are configured for WebSphere Application Server security, the Virtual Member Manager (VMM) of the WebSphere module is accessed directly, which results in significantly better performance. Because of this, consider employing federated repositories.

If federated repositories are configured and VMM is used along with Lightweight Directory Access Protocol (LDAP) directories, apply the configuration described in Configuring VMM and IBM Business Process Manager for optimized group membership synchronization for VMM and IBM BPM, respectively.