Comments (2)

1 varun959 commented

Hi Martin,
If BPM is integrated with Active Directory (for user store sync), would you recommend creating BPM process-specific groups in AD or within BPM itself, and why, especially when these groups are meant only for usage within BPM and not for any other enterprise business application?
Thanks,
Varun

2 MartinKeen commented

Thanks for your comment. I asked around with some of our IBM BPM experts. The general consensus is there is no right or wrong answer when it comes to creating groups in a user registry versus in BPM internally.

 
There are some advantages to a user registry. Using the groups in their chosen user registry - such as AD - is a common approach, so that you don't have to deploy a new snapshot - or spend time in the process admin console - every time group membership changes.
 
A couple of other things to consider:
1) LDAP administrators are hesitant to pollute LDAP with too many application-specific groups. So create groups that are not meant for reuse locally in the BPM system.
2) BPM internal groups can be maintained from within BPM - even using JavaScript APIs. If you need to avoid manipulation of group membership, e.g. by a human service in a different process app, then you'll need to create the groups in LDAP. Imagine Process Center authorization: who can see which process apps in Process Center Console. If I am authorized to create new process apps, I can create one that adds my userids to many groups - including those that grant access to other process apps. On Process Server, there is much less of a concern of course.