Batch processor user accounts

Plan and configure the user accounts required to run batch activities.

There are several different user accounts necessary for running batch activities. Each of these user accounts serves a different purpose during the execution of a batch activity and each account has specific security requirements.

WebSphere® Application Server and application authentication user

The WebSphere Application Server and application authentication user account must be specified for each batch processor instance in the $home/properties/sas.client.props file’s com.ibm.CORBA.loginUserid and com.ibm.CORBA.loginPassword properties.

InfoSphere® MDM administrative security and application security are always enabled. Accordingly, this user account must be authenticated by the application server. The user (or user group that it belongs to) must be mapped to the InfoSphere MDM application role ServiceConsumer.

By default, InfoSphere MDM runs with Trusted Client Mode enabled for batch operations, meaning that this user account must belong to one of the user groups specified in the configuration item /IBM/DWLCommonServices/Security/TrustedClientMode/Batch/roles. This configuration item is a comma-separated list of all trusted roles.

Task management user

The task management user account must be specified for each batch processor instance in the $home/properties/Batch.properties file’s job.requesterName property.

The user name in the job.requesterName property is used as the requester user in transactions. This user name is used to replace the <<requesterName>> placeholder in transaction job templates.

The task management user must:

  • Be a valid InfoSphere MDM application user.
  • Belong to the proper InfoSphere MDM application user groups.
  • Comply with all InfoSphere MDM application security rules.

Note: If the configuration item /IBM/DWLCommonServices/Security/TrustedClientMode/Batch/enabled is set to false (it is true by default), then the task management user account will be overridden by the user account for WebSphere Application Server and application authentication.

Transaction request user

The transaction request user must be specified in the XML requesterName tag of individual XML transaction requests or the transaction templates of job definitions.

This user name is used as the requester of the individual transactions in a batch activity. The transaction request user must:

  • Be a valid InfoSphere MDM application user.
  • Belong to the proper InfoSphere MDM application user groups.
  • Comply with all InfoSphere MDM application security rules.

Note: If the configuration item /IBM/DWLCommonServices/Security/TrustedClientMode/Batch/enabled is set to false (it is true by default), then the transaction request user account will be overridden by the user account for WebSphere Application Server and application authentication.

MDM database user

The MDM database user is specified for each batch processor instance in the $home/properties/Batch.properties file’s mdm.database.uri property. This credential is only used if you use the mdm.database.uri property to specify a type 4 JDBC database connection URI.

When the mdm.database.uri property is set to use a data source to connect to the MDM database, the MDM database user is defined in the data source.

This user requires permission to access MDM database tables.
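
The following Python sketch is an added example, not IBM code. It resolves which account each batch role effectively runs as under the Trusted Client Mode rules described above and reports configuration gaps. The property file contents, user names, and group names are constructed, and treating a value that starts with "jdbc:" as the type 4 URI form is an assumption.

```python
# Added example; both property files below are constructed samples.
SAS_CLIENT_PROPS = """\
com.ibm.CORBA.loginUserid=batchsvc
com.ibm.CORBA.loginPassword=PLACEHOLDER
"""
BATCH_PROPS = """\
job.requesterName=taskadmin
mdm.database.uri=jdbc:db2://db.example.internal:50000/MDMDB
"""
PLACEHOLDER = "<<requesterName>>"  # template placeholder named on the page


def parse_props(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def review(sas, batch, tcm_enabled, trusted_roles, auth_groups, xml_requester):
    """Return (effective accounts, findings) for one batch processor instance."""
    auth_user = sas.get("com.ibm.CORBA.loginUserid", "")
    findings = []
    if not auth_user or not sas.get("com.ibm.CORBA.loginPassword"):
        findings.append("sas.client.props: login user ID or password missing")
    task_user = batch.get("job.requesterName", "")
    # A template placeholder resolves to job.requesterName.
    txn_user = task_user if xml_requester == PLACEHOLDER else xml_requester
    if tcm_enabled:
        # .../TrustedClientMode/Batch/roles is a comma-separated list.
        roles = {r.strip() for r in trusted_roles.split(",") if r.strip()}
        if not roles & set(auth_groups):
            findings.append(f"{auth_user}: not in any trusted role/group")
        if not task_user:
            findings.append("Batch.properties: job.requesterName missing")
    else:
        # Trusted Client Mode disabled: both requesters are overridden.
        task_user = txn_user = auth_user
    # Assumption: a value starting with "jdbc:" is the type 4 URI form.
    uri = batch.get("mdm.database.uri", "")
    db_source = "Batch.properties" if uri.startswith("jdbc:") else "data source"
    accounts = {"authentication": auth_user, "task": task_user,
                "transaction": txn_user, "database_user_from": db_source}
    return accounts, findings
```

Pass the current values of the two TrustedClientMode/Batch configuration items and the authentication user's group memberships as arguments. With Trusted Client Mode disabled, every transaction runs as the authentication user, so that account's rights define what the batch run can do.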