This topic applies only to the IBM Business Process Manager Advanced configuration.

Deploying secure applications

Deploying applications that have security constraints (secured applications) is similar to deploying applications with no security constraints. The only difference is that you might need to assign users and groups to roles for a secured application, which requires that you have the correct active user registry. If you are installing a secured application, roles would have been defined in the application. If delegation was required in the application, RunAs roles also are defined and a valid user name and password must be provided.

Before you begin

Before you perform this task, verify that you have designed, developed, and assembled an application with all the relevant security configurations. For more information about these tasks, see the Integration Designer information center.

About this task

One of the required steps to deploy secured applications is to assign users and groups to the roles that were defined when the application was constructed. This task is completed as part of the step entitled, "Map security roles to users or groups". If an assembly tool was employed, this assignment might have been completed in advance. In that case, you can confirm the mapping by completing this step. You can add new users and groups and modify existing information during this step.

If a RunAs role has been defined in the application, the application will invoke methods using an identity setup during deployment. Use the RunAs role to specify the identity under which the downstream invocations are made. For example, if the RunAs role is assigned user "bob", and the client, "alice", is invoking a servlet (with delegation set) that calls the enterprise beans, the method on the enterprise beans is invoked with "bob" as the identity.

As part of the deployment process, one of the steps is to assign or modify users to the RunAs roles. This step is entitled, "Map RunAs roles to users". Use this step to assign new users or modify existing users to RunAs roles when the delegation policy is set to SpecifiedIdentity.

The steps described in the Procedure section are common for both deploying an application and modifying an existing application. If the application contains roles, you see the Map security roles to users or groups link during application deployment and also during managing applications, as a link in the Additional properties section.

Procedure

Go to the installed application that requires users to be mapped to the roles.
Complete the steps that are required for installing applications before the step entitled, "Map security roles to users or groups".
Assign users and groups to roles.
Map users to RunAs roles if RunAs roles exist in the application.
Click Correct use of System Identity to specify RunAs roles, if needed.
Complete this action if the application has delegation set to use system identity, which is applicable to enterprise beans only. System identity uses the IBM® Business Process Manager security server ID to invoke downstream methods. Use this ID with caution because this ID has more privileges than other identities in accessing IBM Business Process Manager internal methods. This task is provided to make sure that the deployer is aware that the methods listed in the page have system identity set up for delegation and to correct them if necessary. If no changes are necessary, skip this task.
Complete the remaining non-security related steps to finish installing and deploying the application.

What to do next

After a secured application is deployed, verify that you can access the resources in the application with the correct credentials. For example, if your application has a protected web module, make sure only the users that you assigned to the roles can use the application.