Creating and managing groups

If you have configured IBM® Business Process Manager to work with an external security provider, you can view the groups from that external provider in the Process Admin Console, but you cannot edit the external groups. You can, however, add users and groups from your external provider to any IBM BPM security groups that you create. You can also combine accounts from different providers into one group.

Before you begin

Note: To create and maintain groups, log in as an administrative user, such as the default administrative user account, or an account that you added during installation that has administrator privileges. If you added a new administrative user, the user is added to the tw_admins user group. Members in the administrators group, by default, tw_admins can administer Process Servers, Performance Data Warehouses, and internal users and groups.

About this task

The default installation of IBM Business Process Manager provides a federated repository that contains the WebSphere® Application Server file registry. To implement an external security provider, which uses a different user registry than the WebSphere Application Server file registry, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.

See the related links at the bottom of this topic for more information about registries and external security providers.

Note: Groups created in IBM Business Process Manager cannot be edited in WebSphere Application Server and groups created in WebSphere Application Server cannot be edited in IBM Business Process Manager.

Security considerations for IBM Business Process Manager

Users and groups created in the WebSphere Application Server administrative console are stored in the file registry.
Internal users and groups are managed through the Process Admin Console.

For a list of IBM Business Process Manager default security groups, see IBM Business Process Manager default group types.

Procedure

To create a group, perform the following steps:
1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
2. Click Group Management.
3. In the Group Management window, click New Group.
4. In the Create Group window, enter a name and a description for the group, then click Save.
The group appears in the list and new members can be added.
To add members to a group, perform the following steps:
1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
2. Click Group Management.
3. In the Group Management window, enter a partial or complete group name in the Select Group to Modify field.
  Tip: To see all the groups, enter ** in the Select Group to Modify field.
4. From the list of groups displayed, click the group that you want to update.
5. Click Add Members next to the selected group.
6. In the Add Users and Groups window, enter the name of the user or group that you want to add in the Search for Name field. You can enter part of the name and the window displays all accounts that match.
  Tip: * is the only recognized wildcard character supported for the Search for Name field.
The added users and groups now show as members of the selected group.
(Deprecated): To designate a Team Manager group for a group, perform the following steps:
1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
2. Click Group Management.
3. In the Group Management window, enter a partial or complete group name in the Select Group to Modify field.
  Tip: To see all the groups, enter ** in the Select Group to Modify field.
4. From the list of groups displayed, click the group for which you want to designate a Team Manager.
5. Enter a partial or complete group name in the Team Manager Group (deprecated) field, and then select the group that you want from the list.
Important: Using team manager groups is deprecated. The new Team Performance dashboard available in IBM Process Portal requires that you define teams and team managers using Process Designer, as described in the following topics: Creating a team and Defining team managers.
To remove users from a group, perform the following steps:
1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
2. Click Group Management.
3. In the Group Management window, enter a partial or complete group name in the Select Group to Modify field.
  Tip: To see all the groups, enter ** in the Select Group to Modify field.
4. From the list of groups displayed, click the group that you want to update. The Process Admin Console lists the members of the group.
5. Click Remove for the users and groups that you want to remove.
The removed users and groups are no longer displayed in the list of members and are removed from the selected group.
To delete a group, perform the following steps:
1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
2. Click Group Management.
3. In the Group Management window, enter a partial or complete group name in the Select Group to Modify field.
  Tip: To see all the groups, enter ** in the Select Group to Modify field.
4. In the list of groups displayed, click Remove for the group that you want to delete.
The group is removed from the list and is no longer available.

To return a list of members of a nested group for an LDAP repository:

Run the following command:

$AdminTask setIdMgrCustomProperty { -id Ldap Repository Id -name com.ibm.ws.wim.adapter.ldap.returnNestedNonGroupMembers -value true}

For example:

wsadmin>$AdminTask setIdMgrCustomProperty { -id LDAP1 -name com.ibm.ws.wim.adapt er.ldap.returnNestedNonGroupMembers -value true}

Save the changes and exit.
```
wsadmin>$AdminConfig save
wsadmin> exit
```
Restart the server.