Managing IBM Business Process Manager users, groups, and teams

IBM® Business Process Manager uses the WebSphere® Application Server file registry, which you can use to create and maintain IBM BPM users and groups as outlined in the following sections.

You can also use the WebSphere Application Server file registry with an external security provider (such as LDAP with Microsoft Active Directory) that you registered with the IBM BPM embedded application server.

The WebSphere Application Server file registry includes several default users and groups.

When you use the WebSphere Application Server file registry with an external provider, the users and groups from both providers are available for selection from IBM BPM Standard components.

Teams are used to define groups of users who can perform tasks. A team can be either defined as a static list of users and groups, or it can be defined dynamically by a team retrieval service. You can assign a team of managers to each team to define which people in the organization can perform managerial actions for the team.

The following table describes where these user accounts and teams are made available in IBM BPM:

| Task | Interface | To learn more |
|---|---|---|
| Granting access to the repository | Process Center Console | See Managing access to the Process Center repository. |
| Binding users to teams during process development | Designer in Process Designer | See Creating a team. |
| Defining who has managerial authority over a team | Designer in Process Designer | See Defining team managers. |
| Using services to define dynamic teams | Designer in Process Designer | See Using services to define dynamic teams. |
| Assigning an activity to a team | Designer in Process Designer | See Assigning activities. |
| Adding users and groups from an external provider to IBM BPM security groups | Process Admin Console | See Creating and managing groups. |
| Modifying existing teams at run time | Process Admin Console | See Configuring runtime teams. |

IBM BPM does not lock user accounts after a configurable number of failed authentication attempts. End-user accounts are managed in a user repository (typically LDAP connected to Federated Repositories), and IBM BPM is just one of many client systems of that repository. The user repository is the system of record for the user accounts and therefore has to define rules such as the password lock policy. For IBM Tivoli Directory Server, you can read more about password policies at http://www.ibm.com/developerworks/tivoli/library/t-tdspp-ect/.

If you are using the IBM BPM Internal Security Provider, there is no policy for locking users after a number of failed authentication attempts.
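Because lockout has to be enforced by the user repository, it is worth confirming that the directory's password policy entry actually enables it. The following is an added example, not IBM code: it audits an LDIF export of a policy entry, assuming the directory uses the attribute names from the LDAP password policy draft (`pwdLockout`, `pwdMaxFailure`, `pwdLockoutDuration`). The sample entry, its DN, and the 60-second threshold are constructed for illustration.

```python
# Added example. Attribute names follow the LDAP password policy draft
# (draft-behera-ldap-password-policy); that your directory uses them is assumed.
SAMPLE_LDIF = """\
dn: cn=pwdpolicy,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 0
pwdLockoutDuration: 900
"""  # constructed sample entry, not taken from a real server

MIN_LOCK_SECONDS = 60  # assumed threshold for a "too short" lockout


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    attrs, last = {}, None
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:  # folded continuation line
            attrs[last][-1] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            attrs.setdefault(last, []).append(value.strip())
    return attrs


def int_attr(attrs, name):
    """First value of an attribute as int; 0 when absent or malformed."""
    try:
        return int(attrs.get(name.lower(), ["0"])[0])
    except ValueError:
        return 0


def audit_lockout(ldif):
    """Return findings; an empty list means lockout is enabled and bounded."""
    attrs, findings = parse_entry(ldif), []
    if attrs.get("pwdlockout", ["FALSE"])[0].upper() != "TRUE":
        findings.append("pwdLockout is not TRUE: accounts are never locked")
    if int_attr(attrs, "pwdMaxFailure") <= 0:
        findings.append("pwdMaxFailure is 0 or unset: no failure limit applies")
    duration = int_attr(attrs, "pwdLockoutDuration")  # 0 = until admin unlock
    if 0 < duration < MIN_LOCK_SECONDS:
        findings.append("pwdLockoutDuration under %ds: lockout barely slows guessing" % MIN_LOCK_SECONDS)
    return findings
```

For the constructed sample, `audit_lockout(SAMPLE_LDIF)` reports the `pwdMaxFailure` finding: lockout is switched on, but no failure count ever triggers it.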