How to troubleshoot a BPM user authorization problem - Part I
Jia Tang
Many IBM Business Process Manager (BPM) clients have reported that end users did not get the expected authorization privileges while working on human service activities in a BPD, and instead received the error “You are not authorized to …”
You first need to check the BPD design and confirm that the human service activity is actually supposed to be routed to that user.
Here are steps to check task assignment information in IBM BPM backend DB:
Step 1. Check the task ownership in the LSW_TASK table. Query LSW_TASK with the target TASK_ID in the WHERE clause (the TASK_ID can be found in Process Inspector).
Step 2. If the task has been assigned to a specific user, the value of GROUP_ID will be -1 and the USER_ID field will hold a numeric user ID. Check whether that USER_ID matches the user you want to run the task as (get USER_NAME or FULL_NAME by cross-querying the LSW_USR_XREF table). If they do not match, then by design the user cannot view, claim or execute the task at all.
Step 3. If the task has NOT been claimed by a user yet, the value of USER_ID will be -1 and GROUP_ID will hold a valid group ID. The group could be an ad hoc group, a participant group or a team (the term used since IBM BPM 8.5.*). You can get the group’s GROUP_NAME and DISPLAY_NAME by cross-querying the LSW_USR_GRP_XREF table. The GROUP_NAME looks similar to the one shown below.
I will use a simple example to demonstrate how to confirm whether the target user is a member of the group to which the task is assigned.
The task is assigned to team ‘teamA’ in Process Designer as shown below (to keep the example simple and clear, there is no team filter service that dynamically prevents certain users from being assigned to the activity).
For user ‘UserA’, the user-group membership can be found within IBM BPM DB table LSW_
For user ‘UserB’, who is a member of the internal security group ‘GroupA’, the user-group membership can be confirmed via a cross query; see the tables below.
Real client scenarios may involve much more complicated group-group memberships, for example security group ‘GroupA’ belongs to security group ‘GroupB’, and ‘GroupB’ is a member of team ‘teamA’. In that case LSW_GRP_GRP_MEM_EXPLODED_XREF can be used instead of LSW_GRP_GRP_MEM_XREF, because the exploded table contains the nested membership information.
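The lookups in Steps 1 to 3 plus the nested-membership check, as an added example that is not from the original post. It runs against a constructed in-memory SQLite stand-in for the tables named above, so the USER_ID / GROUP_ID join columns, the two columns of the exploded table and the placeholder table USR_GRP_MEMBERSHIP_PLACEHOLDER (for user-to-group membership) are assumptions, not the real IBM BPM schema.

```python
import sqlite3

# Constructed stand-in for the BPM tables named in the post (the real schema is
# wider). Assumed, not taken from the post: the USER_ID / GROUP_ID join columns,
# the two columns of the exploded table, and the placeholder user-group table.
SCHEMA = """
CREATE TABLE LSW_TASK (TASK_ID INT, USER_ID INT, GROUP_ID INT);
CREATE TABLE LSW_USR_XREF (USER_ID INT, USER_NAME TEXT, FULL_NAME TEXT);
CREATE TABLE LSW_USR_GRP_XREF (GROUP_ID INT, GROUP_NAME TEXT, DISPLAY_NAME TEXT);
CREATE TABLE LSW_GRP_GRP_MEM_EXPLODED_XREF (GROUP_ID INT, MEMBER_GROUP_ID INT);
CREATE TABLE USR_GRP_MEMBERSHIP_PLACEHOLDER (USER_ID INT, GROUP_ID INT);
"""
# Constructed sample data: teamA contains GroupB, which contains GroupA.
# UserA is in teamA directly, UserB only in GroupA, UserC in no group.
# Task 100 is unclaimed and routed to teamA; task 200 was claimed by UserA.
ROWS = {
    "LSW_TASK": [(100, -1, 10), (200, 1, -1)],
    "LSW_USR_XREF": [(1, "UserA", "User A"), (2, "UserB", "User B"), (3, "UserC", "User C")],
    "LSW_USR_GRP_XREF": [(10, "teamA", "Team A"), (20, "GroupA", "Group A"), (30, "GroupB", "Group B")],
    "LSW_GRP_GRP_MEM_EXPLODED_XREF": [(10, 30), (10, 20), (30, 20)],  # nested rows pre-flattened
    "USR_GRP_MEMBERSHIP_PLACEHOLDER": [(1, 10), (2, 20)],
}

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn

def check_task_access(conn, task_id, user_name):
    """Steps 1-3: who owns the task, and may user_name view/claim/execute it?"""
    task = conn.execute("SELECT USER_ID, GROUP_ID FROM LSW_TASK WHERE TASK_ID = ?", (task_id,)).fetchone()
    if task is None:
        return {"state": "no such task", "authorized": False}
    user = conn.execute("SELECT USER_ID FROM LSW_USR_XREF WHERE USER_NAME = ?", (user_name,)).fetchone()
    if user is None:
        return {"state": "unknown user", "authorized": False}
    task_user, task_group = task
    if task_group == -1:  # Step 2: assigned to one specific user; only that user qualifies
        owner = conn.execute("SELECT USER_NAME FROM LSW_USR_XREF WHERE USER_ID = ?", (task_user,)).fetchone()
        return {"state": f"assigned to user {owner[0] if owner else task_user}", "authorized": task_user == user[0]}
    # Step 3: unclaimed and routed to a group; direct or nested (exploded) membership both count
    group = conn.execute("SELECT GROUP_NAME FROM LSW_USR_GRP_XREF WHERE GROUP_ID = ?", (task_group,)).fetchone()
    member = conn.execute(
        "SELECT 1 FROM USR_GRP_MEMBERSHIP_PLACEHOLDER m WHERE m.USER_ID = ? AND (m.GROUP_ID = ? OR m.GROUP_ID IN "
        "(SELECT MEMBER_GROUP_ID FROM LSW_GRP_GRP_MEM_EXPLODED_XREF WHERE GROUP_ID = ?))",
        (user[0], task_group, task_group)).fetchone()
    return {"state": f"unclaimed, assigned to group {group[0] if group else task_group}", "authorized": member is not None}
```

Against a real environment the same two decisions apply, with the placeholder table replaced by the actual user-group membership table and the queries run read-only.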
Note: It is NOT recommended that you make any manual changes to the IBM BPM backend DB without the assistance of IBM support. The explanation above is intended to help you understand the user/group related backend DB tables, as well as the logic of IBM BPM task authorization.
See "How to troubleshoot a BPM user authorization problem - Part II" for the other entry in this series.