maintainDocumentStoreAuthorization command

Use the maintainDocumentStoreAuthorization command to add or remove users and groups from the authorization role for managing and working with the IBM BPM document store.

Prerequisites

If you configured IBM® Business Process Manager to use an external Enterprise Content Management server, this command can still be used to assign permissions to a user with the EmbeddedECMTechnicalUser role. Security configuration for other users and groups is handled by the FileNet P8 Platform. See Update object store with new users and groups.

By default, the user who is resolved by the EmbeddedECMTechnicalUser BPM role is the only user authorized to manage the domain and the default object store. The command ensures that the last remaining user or group cannot be removed.

The maintainDocumentStoreAuthorization command is run by using the AdminTask object of the wsadmin scripting client.

The following conditions must be met:

  • The command must be run on the deployment manager node.
  • One or more application cluster members must be running.
  • Run the command in connected mode. Do not specify the wsadmin -conntype none option.
  • You must connect to the deployment manager with a user ID that has WebSphere Application Server operator privileges.

Before you run this command, review the task topic "Administering the technical user for the IBM BPM document store."

If you change the technical user, you must also change the application settings of IBM_BPM_DocStoreAdmin so that the new technical user can access the IBM Administrative Console for Content Platform Engine.

Location

Start the wsadmin scripting client from the profile_root/bin directory of the deployment manager profile (or the stand-alone server profile of IBM BPM Express). The maintainDocumentStoreAuthorization command does not write to a log file. It directly responds with a message. However, the wsadmin scripting client always writes a profile_root/logs/wsadmin.traceout log file where you find exception stack traces and other information.

Syntax

maintainDocumentStoreAuthorization
-serverName server_name
-nodeName node_name
-clusterName cluster_name
-deName deployment_environment_name
-add distinguished_name
-remove distinguished_name
-list

Parameters

-serverName server_name
Specifies the server name of the IBM BPM document store. Required when the target is identified as a server; you must then also specify the -nodeName parameter.
-nodeName node_name
Specifies the node name of the IBM BPM document store. Required when the target is identified as a server; you must then also specify the -serverName parameter.
-clusterName cluster_name
Specifies the cluster name of the IBM BPM document store. Required when the target is identified as a cluster.
-deName deployment_environment_name
Specifies the deployment environment name of the IBM BPM document store. Required when the target is identified as a deployment environment.
-add distinguished_name
Specifies the distinguished name of the user or group to which you want to grant access to the IBM BPM document store. Exactly one of -add, -remove, or -list is required.
Tip: This also grants the specified user or group full control access to the necessary case system objects that are stored in the object store. Because the grant is full control, check the distinguished name before you run the command and review the resulting access control list with -list.
-remove distinguished_name
Specifies the distinguished name of a user or group from which you want to revoke access to the IBM BPM document store.
Tip: This also revokes the access to the case system objects that was granted by the -add option. The last remaining user or group cannot be removed.
-list
Displays the current access control list of the IBM BPM document store.

You must specify the -clusterName parameter, or the -deName parameter, or both the -serverName and -nodeName parameters. As an alternative to specifying any parameters, you can invoke the command on a target object of type BPMDeploymentEnvironment, ServerCluster, or Server.

You must also specify one of the following parameters:

  • -add
  • -remove
  • -list

Examples

Note: The examples are for illustrative purposes only. They include variable values and are not meant to be reused as snippets of code. For brevity they pass -user and -password on the command line; on a shared system, omit -password so that wsadmin prompts for it, or configure the credentials in the profile's soap.client.props file, so that the password does not end up in the shell history or the process list. The distinguished_name placeholder stands for the distinguished name of a user or group in the configured realm, in the form shown in the -list output at the end of this topic.
The following Jython example uses the maintainDocumentStoreAuthorization command to display the access control list of the IBM BPM document store for a specified node and server:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-nodeName', 'myNodeName', '-serverName', 'myServerName', '-list'])
The following Jython example uses the maintainDocumentStoreAuthorization command to grant a user or group, identified by its distinguished name, access to the IBM BPM document store for a specified node and server:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-nodeName', 'myNodeName', '-serverName', 'myServerName', '-add', 'distinguished_name'])
The following Jython example uses the maintainDocumentStoreAuthorization command to revoke the access of a user or group, identified by its distinguished name, to the IBM BPM document store for a specified node and server:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-nodeName', 'myNodeName', '-serverName', 'myServerName', '-remove', 'distinguished_name'])
The following Jython example uses the maintainDocumentStoreAuthorization command to display the access control list of the IBM BPM document store for a specified cluster:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-clusterName', 'myClusterName', '-list'])
The following Jython example uses the maintainDocumentStoreAuthorization command to grant a user or group, identified by its distinguished name, access to the IBM BPM document store for a specified cluster:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-clusterName', 'myClusterName', '-add', 'distinguished_name'])
The following Jython example uses the maintainDocumentStoreAuthorization command to revoke the access of a user or group, identified by its distinguished name, to the IBM BPM document store for a specified cluster:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-clusterName', 'myClusterName', '-remove', 'distinguished_name'])
The following Jython example uses the maintainDocumentStoreAuthorization command to display the access control list of the IBM BPM document store for a specified deployment environment:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-deName', 'myDeName', '-list'])
The following Jython example uses the maintainDocumentStoreAuthorization command to grant a user or group, identified by its distinguished name, access to the IBM BPM document store for a specified deployment environment:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-deName', 'myDeName', '-add', 'distinguished_name'])
The following Jython example uses the maintainDocumentStoreAuthorization command to revoke the access of a user or group, identified by its distinguished name, to the IBM BPM document store for a specified deployment environment:
wsadmin -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization(['-deName', 'myDeName', '-remove', 'distinguished_name'])
The following Jython example invokes the maintainDocumentStoreAuthorization command on a target object of type Server, passing the parameters as a single string:
wsadmin -user admin -password admin -lang jython
wsadmin>server = AdminConfig.getid('/Cell:/Node:myNodeName/Server:myServerName')
wsadmin>AdminTask.maintainDocumentStoreAuthorization(server, '[-add distinguished_name]')
The following Jython example invokes the maintainDocumentStoreAuthorization command on a target object of type ServerCluster:
wsadmin -user admin -password admin -lang jython
wsadmin>cluster = AdminConfig.getid('/Cell:/ServerCluster:myClusterName')
wsadmin>AdminTask.maintainDocumentStoreAuthorization(cluster, ['-add', 'distinguished_name'])
The following Jython example invokes the maintainDocumentStoreAuthorization command on a target object of type BPMDeploymentEnvironment:
wsadmin -user admin -password admin -lang jython
wsadmin>de = AdminConfig.getid('/Cell:/BPMCellConfigExtension:/BPMDeploymentEnvironment:myDeName/')
wsadmin>AdminTask.maintainDocumentStoreAuthorization(de, ['-add', 'distinguished_name'])
The following Jython example establishes a SOAP connection to the Process Center server and displays the access control list of the IBM BPM document store for server1 on Node1:
Important: In a network deployment environment, use the port configured for the application cluster member that runs the Process Server or Process Center applications. To determine the correct port number, see the WebSphere® Application Server administrative console Ports collection page (click Servers > Server Types > WebSphere application servers > server_name > Communications > Ports, and find the value for SOAP_CONNECTOR_ADDRESS).
wsadmin -conntype SOAP -port 8880 -host ProcessCenterServer01.mycompany.com -user admin -password admin -lang jython
wsadmin>AdminTask.maintainDocumentStoreAuthorization('[-nodeName Node1 -serverName server1 -list]')
The following output is provided. Message CWTDS2034I reports each entry on the domain access control list and message CWTDS2035I each entry on the object store access control list; the access mask is the FileNet P8 access rights value granted to that entry:
Authorization on the domain for the IBM BPM document store
CWTDS2034I: Access is granted to the IBM BPM document store domain 'uid=deadmin,o=defaultWIMFileBasedRealm' with access mask '459,267'
Authorization on the object store for the IBM BPM document store
CWTDS2035I: Access is granted to the IBM BPM document store object store 'uid=deadmin,o=defaultWIMFileBasedRealm' with access mask '838,205,440'
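The following wsadmin Jython helper is an added example and is not IBM's code. It builds the argument list according to the target and action rules in the Parameters section (one of -clusterName, -deName, or -nodeName with -serverName; exactly one of -add, -remove, -list) and parses the CWTDS2034I/CWTDS2035I lines of the -list output shown above, so that a grant can be verified in the same run rather than assumed. The sample output embedded in the script is constructed from the example on this page; the DN cn=DocStoreAdmins,o=defaultWIMFileBasedRealm in the comments is a placeholder, and the script assumes that AdminTask returns the command's response text as a string. It is written for Jython 2.7 under wsadmin; the argument builder and the parser also run under CPython for offline checking.

```python
# Added example (not IBM's code): a wsadmin Jython helper around
# AdminTask.maintainDocumentStoreAuthorization. It encodes the target and action
# rules from the Parameters section and parses the -list output so that a grant
# or revoke can be verified in the same run. Written for Jython 2.7 under wsadmin;
# build_args and parse_acl also run under CPython for offline testing.
import re

ACTIONS = ('-add', '-remove', '-list')

# Message IDs as shown in the -list output on this page: CWTDS2034I reports an
# entry on the domain ACL, CWTDS2035I an entry on the object store ACL. The DN
# and the access mask are single-quoted in the message text.
GRANT_RE = re.compile(
    r"(CWTDS2034I|CWTDS2035I):[^']*'([^']+)' with access mask '([^']+)'")


def build_args(action, dn=None, nodeName=None, serverName=None,
               clusterName=None, deName=None):
    """Build the argument list for maintainDocumentStoreAuthorization.

    Enforces: exactly one of -add/-remove/-list; a DN with -add/-remove only;
    exactly one target, given as -clusterName, as -deName, or as -nodeName
    together with -serverName.
    """
    if action not in ACTIONS:
        raise ValueError('action must be one of %s' % (ACTIONS,))
    if action == '-list' and dn is not None:
        raise ValueError('-list does not take a distinguished name')
    if action != '-list' and not dn:
        raise ValueError('%s requires a distinguished name' % action)
    if (nodeName is None) != (serverName is None):
        raise ValueError('-nodeName and -serverName must be specified together')

    targets = []
    if clusterName is not None:
        targets.append(['-clusterName', clusterName])
    if deName is not None:
        targets.append(['-deName', deName])
    if nodeName is not None:
        targets.append(['-nodeName', nodeName, '-serverName', serverName])
    if len(targets) != 1:
        raise ValueError('specify exactly one target: -clusterName, -deName, '
                         'or -nodeName with -serverName')

    args = targets[0] + [action]
    if dn is not None:
        args.append(dn)
    return args


def parse_acl(output):
    """Map -list output to {'domain': {dn: mask}, 'objectStore': {dn: mask}}."""
    acl = {'domain': {}, 'objectStore': {}}
    for msg_id, dn, mask in GRANT_RE.findall(output):
        if msg_id == 'CWTDS2034I':
            acl['domain'][dn] = mask
        else:
            acl['objectStore'][dn] = mask
    return acl


def has_full_access(acl, dn):
    """True when dn appears on both the domain ACL and the object store ACL."""
    return dn in acl['domain'] and dn in acl['objectStore']


def grant_and_verify(dn, **target):
    """Under wsadmin: grant dn, re-list, and fail loudly if the grant is not visible.

    Assumption: AdminTask returns the command's response text as a string.
    """
    AdminTask.maintainDocumentStoreAuthorization(build_args('-add', dn, **target))
    listing = AdminTask.maintainDocumentStoreAuthorization(build_args('-list', **target))
    if not has_full_access(parse_acl(listing), dn):
        raise RuntimeError('%s is not on the document store ACL after -add' % dn)
    return listing


# Constructed sample, shaped like the -list output shown on this page; used for
# the offline self-check. Under wsadmin (wsadmin -lang jython -f this_script.py)
# you would instead call, with a placeholder group DN:
#   grant_and_verify('cn=DocStoreAdmins,o=defaultWIMFileBasedRealm', deName='myDeName')
SAMPLE_LIST_OUTPUT = """\
Authorization on the domain for the IBM BPM document store
CWTDS2034I: Access is granted to the IBM BPM document store domain 'uid=deadmin,o=defaultWIMFileBasedRealm' with access mask '459,267'
Authorization on the object store for the IBM BPM document store
CWTDS2035I: Access is granted to the IBM BPM document store object store 'uid=deadmin,o=defaultWIMFileBasedRealm' with access mask '838,205,440'
"""

if __name__ == '__main__':
    acl = parse_acl(SAMPLE_LIST_OUTPUT)
    print(has_full_access(acl, 'uid=deadmin,o=defaultWIMFileBasedRealm'))
```

The re-list after -add is the point of the helper: -add grants full control to the case system objects, so a mistyped or unintended DN is worth catching immediately, and the parsed map of DN to access mask is also what you would diff against a known-good list during periodic review.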