Granting write permission of files and directories to nonroot users for profile creation or augmentation

If you are not the user who installed the product, you must have write permission to selected directories within the IBM® Business Process Manager installation. The product installer can grant this permission or create a group with permission to create or augment profiles.

About this task

The product installer (who can be a root or nonroot user) can grant write permission to the appropriate IBM Business Process Manager files and directories to nonroot users. The nonroot users can then create profiles. Alternatively, the product installer can create a group for users who are authorized to create profiles or give individual users the authority to create profiles.

Nonroot users create their own profiles to manage their own environments. Typically, they manage environments for development purposes.

Nonroot users must store their profiles in their private directory structure, not in the installation_root/profiles directory of the product.

Restrictions:
  • IBM Business Process Manager does not support changing ownership of existing profiles from the product installer to nonroot users. A nonroot user cannot augment profiles owned by another user.
  • Mechanisms within the Profile Management Tool that suggest unique names and port values are disabled for nonroot users. The nonroot user must change the default field values in the Profile Management Tool for the profile name, node name, cell name, and port assignments. The product installer can assign nonroot users a range of values for each of the fields, and assign responsibility to the users for adhering to their assigned value ranges and for maintaining the integrity of their own definitions.

If you already created at least one profile, certain directories and files were created. You can skip the steps in this topic that create these directories and files. If no profile was previously created, you must complete the steps to create the required directories and files.

The following example task shows how to create a group that is authorized to create profiles. The terms "installer" and "product installer" refer to the user ID that installed IBM Business Process Manager. The installer can perform the following steps to create the profilers group and give the group appropriate permissions to create a profile.

Procedure

  1. Log in to the IBM Business Process Manager system as the product installer. The product installer can be a root or nonroot user.
  2. Using operating system commands, perform the following steps:
    1. Create a group named profilers, which will contain all users who can create profiles.
    2. Create a user named user1, who can create profiles.
    3. Add users product_installer and user1 to the profilers group.
  3. Log off and log back on as the installer to pick up the new group.
  4. If no profile exists, create the following directories as the installer:
    • Create the install_root/logs/manageprofiles directory:
      mkdir install_root/logs/manageprofiles
    • Create the install_root/properties/fsdb directory:
      mkdir install_root/properties/fsdb
  5. If no profile exists, create the profileRegistry.xml file as the installer. For this example, the file path is:
     install_root/properties/profileRegistry.xml
    Add the following information to the profileRegistry.xml file. The file must be encoded as UTF-8.
    <?xml version="1.0" encoding="UTF-8"?>
<profiles/>
  6. Check if the directory install_root/logs/config exists. If it does not exist, create the directory as the installer:
    • Create the install_root/logs/config directory:
      mkdir install_root/logs/config
  7. As the product installer, use operating system tools to change directory and file permissions. The following example assumes that the variable $WASHOME is the IBM Business Process Manager root installation directory /opt/IBM/WebSphere/AppServer. 
    export WASHOME=/opt/IBM/WebSphere/AppServer
echo $WASHOME
echo "Performing chggrp/chmod per WAS directions..."
chgrp profilers $WASHOME/logs/manageprofiles
chmod g+wr  $WASHOME/logs/manageprofiles
chgrp profilers $WASHOME/properties
chmod g+wr  $WASHOME/properties
chgrp profilers $WASHOME/properties/fsdb
chmod g+wr  $WASHOME/properties/fsdb
chgrp profilers $WASHOME/properties/profileRegistry.xml
chmod g+wr  $WASHOME/properties/profileRegistry.xml
chgrp -R profilers $WASHOME/profileTemplates
chgrp profilers $WASHOME/logs/config
chmod g+wr  $WASHOME/logs/config
chgrp -R profilers $WASHOME/configuration
chmod -R g+wr  $WASHOME/configuration
    Issue the following additional commands:
    chgrp profilers $WASHOME/properties/Profiles.menu
chmod  g+wr $WASHOME/properties/Profiles.menu
    You might have to change the permissions on additional files if the nonroot user encounters permission errors. For example, if the product installer authorizes a nonroot user to delete a profile, then the product installer might have to delete the following file:
    install_root/properties/profileRegistry.xml_LOCK
    Give write access to the nonroot user for the file to authorize the user to delete the file. If the nonroot user still cannot delete the profile, then the product installer can delete the profile.

Results

The installer created the profilers group and gave the group the correct permissions to the directories and files required for a nonroot user to create profiles.

What to do next

The nonroot user that belongs to the profilers group can create profiles in a directory that the nonroot user owns and to which the nonroot user has write permission. However, the nonroot user cannot create profiles in the installation root directory of the product.

The root user and the nonroot user can use the same tasks to manage profiles.

Parent topic: Installing IBM Business Process Manager Advanced using a custom installation and configuration path