Batch processor user accounts
Plan and configure the user accounts required to run batch activities.
There are several different user accounts necessary for running batch activities. Each of these user accounts serves a different purpose during the execution of a batch activity and each account has specific security requirements.
- WebSphere® Application Server and application authentication user
The WebSphere Application Server and application authentication user account must be specified for each batch processor instance in the com.ibm.CORBA.loginUserid and com.ibm.CORBA.loginPassword properties of the $home/properties/sas.client.props file.
InfoSphere® MDM administrative security and application security are always enabled. Accordingly, this user account must be authenticated by the application server. The user (or user group that it belongs to) must be mapped to the InfoSphere MDM application role ServiceConsumer.
By default, InfoSphere MDM runs with Trusted Client Mode enabled for batch operations, meaning that this user account must belong to one of the user groups specified in the configuration item /IBM/DWLCommonServices/Security/TrustedClientMode/Batch/roles. This configuration item is a comma-separated list of all trusted roles.
- Task management user
The task management user account must be specified for each batch processor instance in the job.requesterName property of the $home/properties/Batch.properties file.
The user name in the job.requesterName property is used as the requester user in transactions. This user name is used to replace the <<requesterName>> placeholder in transaction job templates.
The task management user must:
- Be a valid InfoSphere MDM application user.
- Belong to the proper InfoSphere MDM application user groups.
- Comply with all InfoSphere MDM application security rules.
Note: If the configuration item /IBM/DWLCommonServices/Security/TrustedClientMode/Batch/enabled is set to false (it is true by default), then the task management user account will be overridden by the user account for WebSphere Application Server and application authentication.
- Transaction request user
The transaction request user must be specified in the XML requesterName tag of individual XML transaction requests or the transaction templates of job definitions.
This user name is used as the requester of the individual transactions in a batch activity. The transaction request user must:
- Be a valid InfoSphere MDM application user.
- Belong to the proper InfoSphere MDM application user groups.
- Comply with all InfoSphere MDM application security rules.
Note: If the configuration item /IBM/DWLCommonServices/Security/TrustedClientMode/Batch/enabled is set to false (it is true by default), then the transaction request user account will be overridden by the user account for WebSphere Application Server and application authentication.
- MDM database user
The MDM database user is specified for each batch processor instance in the mdm.database.uri property of the $home/properties/Batch.properties file. This credential is only used if you use the mdm.database.uri property to specify a type 4 JDBC database connection URI.
When the mdm.database.uri property is set to use a data source to connect to the MDM database, the MDM database user is defined in the data source.
This user requires permission to access MDM database tables.
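The following added example (not IBM code and not part of the original page) models which user ends up as the requester of a transaction under the Trusted Client Mode rules above, and flags an authentication user that belongs to no trusted role. The function names, the <Request> wrapper element, and all user and role names are constructed for illustration; the Trusted Client Mode flag and roles list are passed in as arguments because the page does not describe how those configuration items are read.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PLACEHOLDER = "<<requesterName>>"

def parse_props(text):
    """Parse plain key=value lines of a .properties file (no escapes or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def effective_requester(batch_props, client_props, template, tcm_enabled, trusted_roles, auth_groups):
    """Return (requester user, findings) for one transaction template."""
    findings = []
    auth_user = client_props.get("com.ibm.CORBA.loginUserid", "")
    if not auth_user:
        findings.append("com.ibm.CORBA.loginUserid is not set")
    if not tcm_enabled:
        # Trusted Client Mode off: the authentication user overrides both requester settings.
        return auth_user, findings
    trusted = {r.strip() for r in trusted_roles.split(",") if r.strip()}
    if not trusted & set(auth_groups):
        findings.append(f"{auth_user} belongs to no trusted role")
    # job.requesterName fills the placeholder; a literal name in the XML is left as is.
    filled = template.replace(PLACEHOLDER, escape(batch_props.get("job.requesterName", "")))
    node = ET.fromstring(filled).find(".//requesterName")
    requester = (node.text or "").strip() if node is not None else ""
    if not requester:
        findings.append("transaction has no requesterName")
    return requester, findings

# Constructed sample inputs, not taken from a real installation.
BATCH_PROPS = parse_props("# Batch.properties\njob.requesterName = batchtask\n")
CLIENT_PROPS = parse_props("com.ibm.CORBA.loginUserid=wasbatch\ncom.ibm.CORBA.loginPassword=placeholder\n")
TEMPLATE = "<Request><requesterName><<requesterName>></requesterName></Request>"
ROLES = "mdm_batch, mdm_admin"  # value of .../TrustedClientMode/Batch/roles (constructed)

if __name__ == "__main__":
    for enabled, groups in [(True, ["mdm_batch"]), (True, ["users"]), (False, ["users"])]:
        print(enabled, groups, effective_requester(BATCH_PROPS, CLIENT_PROPS, TEMPLATE, enabled, ROLES, groups))
```

With Trusted Client Mode disabled, every transaction is attributed to the authentication user, so per-job requester names no longer distinguish batch activities in audit data.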