Administrative security roles

Several administrative security roles are provided as part of the IBM® Business Process Manager installation.

There are eight roles provided as part of the administrative console. These roles grant permission to ranges of functionality on the administrative console. When administrative security is enabled, a user must be mapped to one of these roles in order to access the administrative console.

The first user to log in to the server after installation is added to the administrator role.

Table 1. Administrative security roles

Monitor
  A member of the monitor role can view the IBM Business Process Manager configuration and the current state of the server.

Configurator
  A member of the configurator role can edit the IBM Business Process Manager configuration.

Operator
  A member of the operator role has monitor privileges, plus the ability to modify the runtime state (that is, start and stop the server).

Administrator
  The administrator role is a combination of the configurator and operator roles, plus additional privileges granted solely to the administrator role. Examples include:
    • Modifying the server user ID and password
    • Mapping users and groups to the administrator role
  The administrator also has the permission required to access sensitive information, such as:
    • Lightweight Third Party Authentication (LTPA) passwords
    • Keys

ISC Admins
  This role is available only for administrative console users and not for wsadmin users. Users who are granted this role have administrator privileges for managing users and groups in the federated repositories. For example, a user of the ISC Admins role can complete the following tasks:
    • Create, update, or delete users in the federated repositories configuration
    • Create, update, or delete groups in the federated repositories configuration

Deployer
  Users who are granted this role can perform both configuration actions and runtime operations on applications.

Admin Security Manager
  Only users who are granted this role can map users to administrative roles. Also, when fine-grained administrative security is used, only users who are granted this role can manage authorization groups.

Auditor
  Users who are granted this role can view and modify the configuration settings for the security auditing subsystem.
  Note: The auditor role includes the monitor role. This allows the auditor to view but not change the rest of the security configuration.

See Administrative roles in the WebSphere® Application Server information center for more information.

The server ID that is specified when you enable administrative security is automatically mapped to the administrator role. Users or groups can be added to and removed from the administrative roles at any time through the IBM Business Process Manager administrative console. However, a server restart is required for the changes to take effect.
Tip: Map a group or groups, rather than specific users, to administrative roles because it is more flexible and easier to administer. By mapping a group to an administrative role, adding or removing users to or from the group occurs outside of IBM Business Process Manager and does not require a server restart for the change to take effect.

The failed event manager can be operated by any user granted either the administrator or the operator role.

Selectors can be configured by any user granted either the administrator or the configurator role.

In addition to mapping users or groups, a special-subject can also be mapped to the administrative roles. A special-subject is a generalization of a particular class of users.
  • The AllAuthenticated special-subject means that the access check of the administrative role ensures that the user making the request is at least authenticated.
  • The Everyone special-subject means that anyone, authenticated or not, can perform the action, as if security were not enabled.
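As an added example, not IBM code, the following Python model expresses the access decisions described on this page: role inclusion (operator includes monitor, administrator combines configurator and operator, auditor includes monitor), mapping through groups rather than individual users, the two special-subjects, and the failed event manager and selector checks. The role names come from the page; the principals, group names and the FEATURE_ROLES and SAMPLE_MAPPINGS tables are constructed assumptions.

```python
"""Illustrative model of this page's administrative-role checks (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Optional

# Role inclusion from the page: operator includes monitor, administrator combines
# configurator and operator, auditor includes monitor.
ROLE_INCLUDES = {"operator": {"monitor"},
                 "administrator": {"configurator", "operator"},
                 "auditor": {"monitor"}}
# Roles that satisfy the two actions the page describes (constructed table).
FEATURE_ROLES = {"failed_event_manager": {"administrator", "operator"},
                 "selectors": {"administrator", "configurator"}}
ALL_AUTHENTICATED = "AllAuthenticated"  # special-subject: any authenticated user
EVERYONE = "Everyone"                   # special-subject: anyone, even unauthenticated

@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]           # None models an unauthenticated request
    groups: frozenset = frozenset()  # membership lives in the user registry, not in BPM

    @property
    def authenticated(self):
        return self.user_id is not None

def expand_roles(roles):
    """Return the given roles plus every role they include, transitively."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in result:
            result.add(role)
            stack.extend(ROLE_INCLUDES.get(role, ()))
    return result

def effective_roles(principal, mappings):
    """Resolve roles granted directly, through a group, or through a special-subject."""
    granted = set()
    for role, subjects in mappings.items():
        if EVERYONE in subjects or (ALL_AUTHENTICATED in subjects and principal.authenticated):
            granted.add(role)
        elif principal.authenticated and (principal.user_id in subjects or principal.groups & subjects):
            granted.add(role)
    return expand_roles(granted)

def can_perform(principal, feature, mappings):
    """True if any of the principal's effective roles may use the feature."""
    return bool(FEATURE_ROLES[feature] & effective_roles(principal, mappings))

# Constructed sample mapping that follows the page's tip: map groups, not individual users.
SAMPLE_MAPPINGS = {"administrator": {"bpm-admins"}, "operator": {"bpm-ops"}, "auditor": {"sec-auditors"}}
```

Because the mapping names groups, moving a user between bpm-ops and bpm-admins changes the outcome of can_perform without touching SAMPLE_MAPPINGS, which is the property the tip above relies on.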