IBM Business Process Manager security roles

IBM® Business Process Manager provides both default and optional security roles; each role is a logical name for a set of principals. Roles let you define as many user IDs and passwords as you need, depending on the level of fine-grained control your environment requires.

You must associate each role with an authentication alias. The authentication alias is a configuration object that contains a single user ID and password. You specify the authentication alias values by using one of the following options. Review the bulleted list below each option to choose the method that best meets your system requirements.
  • Use the product launchpad for a typical installation. This method automatically creates the authentication aliases for the CellAdmin, DeAdmin, DbUser, and DbUserXAR roles. You enter one user ID and password for both the DbUser role and the DbUserXAR role.
  • Use the BPMConfig command. This method requires that you specify the authentication aliases for the CellAdmin, DeAdmin, DbUser, DbUserXAR, and ProcessCenterUser roles.
    • The ProcessCenterUser role is used for online process servers.
    • You specify the authentication alias for the CellAdmin role only if the BPMConfig command is also being used to create the profile. If you use the BPMConfig command on existing profiles, the CellAdmin role's authentication alias is already configured.
    • When you use this method, you can specify any of the other roles as needed for your environment.
  • Use the administrative console's Deployment Environment wizard. This method requires that you specify the authentication aliases for the DeAdmin, DbUser, DbUserXAR, and ProcessCenterUser roles.
    • The ProcessCenterUser role is used for online process servers.
    • You enter one user ID and password for both the DbUser role and the DbUserXAR role.
    • When you use this method, you cannot specify any other roles as needed for your environment.
  • Use the manageprofiles command-line utility.
    • You can specify the CellAdmin role's authentication alias only in the manageprofiles -adminAliasName parameter.
    • The deployment environment is created after profile creation, so there are no deployment environment-level authentication aliases to configure during profile creation.
  • Use the Profile Management Tool.
    • The Profile Management Tool automatically associates the CellAdmin role to the CellAdminAlias authentication alias. It does not allow you to specify a different authentication alias.
The following diagram illustrates the role and authentication alias relationships and how they are used in various IBM Business Process Manager scenarios.
  • Each authentication alias contains only one user ID and password.
  • Each authentication alias can be mapped to one or more roles.
  • A scenario may require more than one role to complete.
  • The following roles require additional steps when you update the role to an authentication alias mapping:
    • BPMAuthor - Add the user to the group defined as the author group in IBM Business Process Manager. The group is either the default tw_authors group, or the group defined by the bpmAuthorGroup property if the group has been modified.
    • CellAdmin - Add the user to the administrator role in WebSphere® Application Server and to the groups defined as the admin and author groups in IBM Business Process Manager. The groups are either the tw_admins and tw_authors defaults, or the groups defined by the bpmAdminGroup and bpmAuthorGroup properties if the groups have been modified. For more information about the administrator role in WebSphere Application Server, see Security planning overview.
    • DeAdmin - Add the user to the administrator, deployer and operator roles in WebSphere Application Server and to the groups defined as the admin and author groups in IBM Business Process Manager. The groups are either the tw_admins and tw_authors defaults, or the groups defined by the bpmAdminGroup and bpmAuthorGroup properties if the groups have been modified.
    • SCADeploymentUser - Add the user to the deployer and operator roles in WebSphere Application Server.
    • EmbeddedECMTechnicalUser - There must be an authorized user assigned to this role at every point in the runtime process. Authorization in the IBM BPM document store refers to unique user IDs, so a newly created user with the same name is not considered the same user. This is important if you intend to delete and recreate a user, or switch to a different user registry. See Administering the technical user for the IBM BPM document store.

An overview of the role and authentication alias relationship

To update the role to an authentication alias mapping:
  1. Log in to the administrative console.
  2. Click Servers > Deployment Environments > Deployment Environment Name > Related Items > Authentication Aliases.

To make changes to the authentication alias, see Modifying authentication aliases.

Table 1 lists the required roles for IBM Business Process Manager. You must provide the values for these roles during installation and configuration. Any additional software installed on your Process Server might have additional roles.
Table 1. Required roles
IBM Business Process Manager Required roles Description
CellAdmin
The cell administrator is the primary administrator at the WebSphere Application Server level. A user assigned to this role during installation and configuration has the following characteristics and capabilities:
  • Has authorization in all deployment environments
  • Can assign other administrator roles
  • Is responsible for the administration of the cell and topology
  • Has access to all interfaces, enabling users to alter or delete all types of available library items and assets, including process applications and toolkits
  • Can administer Process Servers, Performance Data Warehouses, and internal users and groups
Note: If you change the user ID and password in the authentication alias that is mapped to the CellAdmin role, additional steps are required when updating the role to an authentication alias mapping. See CellAdmin.
The following characters are supported when specifying the cell administrator user name and password:
  • User name characters: a-zA-Z0-9!()-._`~@
  • Password characters: a-zA-Z0-9!()-.?[]_`~@
DeAdmin
The deployment environment administrator is the primary administrator at the IBM Business Process Manager level. A user assigned to this role:
  • Has authorization in their assigned deployment environments
  • Has administrative access to Process Center and Process Admin Console
  • Has access to all interfaces, enabling users to alter or delete all types of available library items and assets, including process applications and toolkits
  • Can administer Process Servers, Performance Data Warehouses, and internal users and groups
Note: If you change the user ID and password in the authentication alias that is mapped to the DeAdmin role, additional steps are required when updating the role to an authentication alias mapping. See DeAdmin.
The following characters are supported when specifying the deployment environment administrator user name and password:
  • User name characters: a-zA-Z0-9!()-._`~@
  • Password characters: a-zA-Z0-9!()-.?[]_`~@
DbUser

A user assigned to this role has access to the specified database.

DbUserXAR

A user assigned to this role has authorization to do XA recovery. This user can also be assigned to the DbUser role.

Table 2 lists the optional roles for IBM Business Process Manager. If you do not specify an authentication alias for one of these roles during configuration, the authentication alias that is mapped to the DeAdmin role is mapped to that role as well.
Table 2. Optional roles
IBM Business Process Manager Optional roles Description
PerformanceDWUser Required user to run the Performance Data Warehouse.
ProcessServerUser Process Server user for JMS queues that is used to authenticate with a JMS connection.
ProcessCenterUser This role maps to an authentication alias for a Process Center user who is authorized to connect from the Process Server to the Process Center. This user does not need any special permission in Process Center.
BPMAdminJobUser A user assigned to this role has the authority to perform the actions on the product activity log (PAL) Admin code.
BPMAuthor This role maps to an authentication alias for a user that requires the authority to access and deploy snapshots to the runtime Process Server and access that Process Server from the Process Inspector, which is located in IBM Process Designer.
BPMUser Authentication alias for BPM UserBPC_Auth_Alias.
BPMWebserviceUser Authentication alias for the anonymous web service user.
EventManagerUser This role maps to an authentication alias for a user that is used as the run-as user for the Event Manager.
RALUser Authentication alias for RAL User.
SCADeploymentUser Authentication alias used to deploy SCA applications.
Note: If you change the user ID and password in the authentication alias that is mapped to the SCADeploymentUser role, additional steps are required when updating the role to an authentication alias mapping. See SCADeploymentUser.
SCAUser Authentication alias used by SCA to log in to a secured SIBus.
BPCUser Business Process Choreographer JMS authentication alias.
EmbeddedECMTechnicalUser If you do not specify a user for this role, a default is assigned during installation.
Note: If you change the user ID and password in the authentication alias that is mapped to the EmbeddedECMTechnicalUser role, additional steps are required when updating the role to an authentication alias mapping. See EmbeddedECMTechnicalUser.
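As an added example (not part of IBM's documentation), the following Python script models the rules described on this page: it checks a cell or deployment environment administrator user name and password against the supported character sets, resolves which authentication alias each role ends up using when optional roles are left unspecified, shows which roles share one credential, and lists the roles that need the additional membership steps when an alias's user ID changes. The alias names in the sample mapping are constructed; only CellAdminAlias appears on the page.

```python
import re

# Supported characters for the CellAdmin/DeAdmin user name and password, as listed above.
USER_NAME_RE = re.compile(r"^[a-zA-Z0-9!()\-._`~@]+$")
PASSWORD_RE = re.compile(r"^[a-zA-Z0-9!()\-.?\[\]_`~@]+$")

REQUIRED_ROLES = ("CellAdmin", "DeAdmin", "DbUser", "DbUserXAR")
OPTIONAL_ROLES = ("PerformanceDWUser", "ProcessServerUser", "ProcessCenterUser",
                  "BPMAdminJobUser", "BPMAuthor", "BPMUser", "BPMWebserviceUser",
                  "EventManagerUser", "RALUser", "SCADeploymentUser", "SCAUser",
                  "BPCUser", "EmbeddedECMTechnicalUser")
# Roles whose alias change requires the extra group/role membership steps described above.
EXTRA_STEP_ROLES = {"BPMAuthor", "CellAdmin", "DeAdmin",
                    "SCADeploymentUser", "EmbeddedECMTechnicalUser"}


def validate_admin_credentials(user: str, password: str) -> list:
    """Return the problems found with an administrator user name and password (empty if OK)."""
    problems = []
    if not USER_NAME_RE.match(user):
        problems.append("user name contains unsupported characters")
    if not PASSWORD_RE.match(password):
        problems.append("password contains unsupported characters")
    return problems


def effective_aliases(explicit: dict) -> dict:
    """Resolve the alias each role uses: required roles must be given; optional roles
    that are not listed inherit the alias mapped to DeAdmin."""
    missing = [r for r in REQUIRED_ROLES if r not in explicit]
    if missing:
        raise ValueError("required roles without an alias: " + ", ".join(missing))
    resolved = dict(explicit)
    for role in OPTIONAL_ROLES:
        resolved.setdefault(role, explicit["DeAdmin"])
    return resolved


def roles_sharing_alias(resolved: dict) -> dict:
    """Group roles by alias so that shared credentials are visible for review."""
    by_alias = {}
    for role, alias in resolved.items():
        by_alias.setdefault(alias, []).append(role)
    return by_alias


def alias_change_followups(resolved: dict, alias: str) -> list:
    """Roles that need the additional membership steps when this alias's user ID changes."""
    return sorted(r for r, a in resolved.items() if a == alias and r in EXTRA_STEP_ROLES)


# Constructed sample: a launchpad-style mapping where DbUser and DbUserXAR share one alias.
EXAMPLE_ALIASES = {"CellAdmin": "CellAdminAlias", "DeAdmin": "DeAdminAlias",
                   "DbUser": "BPM_DB_ALIAS", "DbUserXAR": "BPM_DB_ALIAS"}
```

Running roles_sharing_alias on the sample mapping makes the consequence of leaving optional roles unspecified visible: the DeAdmin credential is used by every optional role, including JMS, SCA and the Event Manager run-as user.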