Administering the technical user for the IBM BPM document store
When working with the IBM BPM document store, there are multiple scenarios that require a technical user (system user). The technical user is an identity that the system can use to act on its own. For example, a run-as technical user is required for creating default configurations for the domain, object store, and document class definition. A technical user is also required when IBM Business Process Manager connects to the IBM BPM document store using CMIS.
About this task
During the maintenance of a running system, the following tasks may need to be performed:
- Changing the password of the technical user
- Changing the technical user
- Changing the authentication alias for the technical user
- Reconfiguring the user registry
- Security configuration for IBM® BPM content store
These tasks are described in the following sections.
Changing the password of the technical user
The credentials of the technical user are saved in an authentication alias. The password of the technical user in the authentication alias must be changed together with the password in the user repository where the technical user is defined (such as FileRegistry or LDAP).Changing the technical user
To change the password or change the technical user, it is not sufficient to simply change the authentication alias. The IBM BPM document store is protected against access from unknown users. If a different technical user must be used, the user that will become the technical user must first be authorized. To accomplish this task, use the maintainDocumentStoreAuthorization admin command with the -add option to authorize the new user, as shown in the following example:AdminTask.maintainDocumentStoreAuthorization('[-deName myDEname -add cn=newTechnicalUser,o=defaultWIMFileBasedRealm]')
You can list the currently authorized principals by using the same admin command and the -list option, as shown in the following example:
AdminTask.maintainDocumentStoreAuthorization('[-deName myDEname -list]')
Alternatively, you can authorize groups to access the IBM BPM document store.
After the new technical user is authorized for the IBM BPM document store, you can modify the authentication alias with the new principal name and password of the technical user.
As a last step, you can remove the access of the old user using the maintainDocumentStoreAuthorization admin command and the -remove option, as shown in the following example:
AdminTask.maintainDocumentStoreAuthorization('[-deName myDEname -remove cn=oldTechnicalUser,o=defaultWIMFileBasedRealm]')
In the deployment environment configuration, you can also change the authentication alias that is mapped to the EmbeddedECMTechnicalUser role. After changing the authentication alias, you need to run the updateDocumentStoreApplication admin command to prevent the IBM BPM document store from using the old authentication alias:
AdminTask.updateDocumentStoreApplication('[-deName myDEname]')
Authorization to the IBM BPM document store is based on unique IDs. If the IBM BPM document store was initialized during initial server startup, only the same user (with the same unique ID) can manage the IBM BPM document store and access its documents. If you change your user registry configuration (for example, by removing the file-based repository in order to use only an LDAP server in federated repositories), a user with the same user ID and password in LDAP will not have access to the IBM BPM document store. This is also true if you simply delete a user and recreate one with the same user ID. In this situation, you lose access to the IBM BPM document store and you need to rollback the configuration change.
Duplicate users are not permitted in federated repositories, which means that you cannot connect to an LDAP server that contains the same users that you have in your file-based repository. You need to remove the file-based and add LDAP. A user in LDAP with the same user ID does not have access to the IBM BPM document store. As a result, you may choose to authorize all authenticated users to work with the IBM BPM document store for the duration of reconfiguration (while access has been shut down through the HTTP server).
You can use the special key word #AUTHENTICATED-USERS to authorize all users to the IBM BPM document store who successfully authenticate, as shown in the following example:
AdminTask.maintainDocumentStoreAuthorization('[-deName De1 -add #AUTHENTICATED-USERS]')
When
all users are allowed to communicate with the document store, remove
the user or group that is going to be deleted from the user repository. After this configuration has been completed, you can safely re-configure your user registry without losing access to the IBM BPM document store. After the configuration change is complete and the cell is restarted, you can authorize a new user and remove the #AUTHENTICATED-USERS entry.
Security configuration for IBM BPM content store
The IBM BPM content store is used for document attachments and case management applications. You can only develop case management applications with IBM Business Process Manager Advanced. When you add or remove an administrator, many objects and metadata need to be updated. For better efficiency, you should create a Lightweight Directory Access Protocol (LDAP) group as an administrator. Then you can use the LDAP and directory tools to add and remove administrators as needed; that is, by managing the LDAP group membership.