How to troubleshoot a BPM user authorization problem - Part II
Jia Tang
In some circumstances you believe that a user belongs to a participant group, team or ad hoc group, directly or indirectly, but the membership records in the IBM Business Process Manager (BPM) database tables do not show it. The steps below assume an LDAP security provider configured within the WebSphere Application Server (WAS) federated repository, which is the most typical client scenario:
Step 1. Check user-group membership on your LDAP server. Ensure that the user and the security group exist on the LDAP server and that the user belongs to the target security group. If there is any problem, work with your system administrator to fix it first.
Step 2. Check user-group membership on the IBM WAS (VMM) layer via the WAS administrative console. If there is any problem, check the LDAP configuration, especially the filter settings. IBM BPM synchronizes external user, group and membership information from IBM WAS VMM, so if the information in IBM WAS VMM is missing or inaccurate, the behavior in BPM will differ from what you expect.
Step 3. Check user-group membership on the IBM BPM layer via the IBM BPM Process Admin console.
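To illustrate Steps 1 and 2, here is an added example (not part of the original post or of any IBM tooling) that resolves a user's direct and nested group membership from a constructed LDAP snapshot and then applies a VMM-style group object-class filter, so you can tell apart "not a member in LDAP" from "member in LDAP but hidden from VMM by the filter". The DNs, attributes and the simplified filter model are constructed assumptions.

```python
"""Resolve direct/nested LDAP group membership and apply a VMM-style
group filter, to locate where a BPM membership gap originates."""
from typing import Dict, List, Set

# Constructed directory snapshot: DN -> attributes (names lower-cased).
# alice is a nested member of bpm-approvers via finance-team, and the
# two groups use different object classes on purpose.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetorgperson"]},
    "cn=bpm-approvers,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"],
        "member": ["cn=finance-team,ou=groups,dc=example,dc=com"]},
    "cn=finance-team,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"]},
}

def direct_groups(member_dn: str, directory: Dict) -> Set[str]:
    """Groups that list member_dn in 'member' or 'uniqueMember'."""
    return {dn for dn, attrs in directory.items()
            if member_dn in attrs.get("member", []) + attrs.get("uniquemember", [])}

def membership_path(user_dn: str, target_dn: str, directory: Dict) -> List[str]:
    """Chain of group DNs from the user up to target_dn (breadth-first),
    or [] when the user is neither a direct nor a nested member."""
    parent = {user_dn: None}
    queue = [user_dn]
    while queue:
        dn = queue.pop(0)
        if dn == target_dn:
            path = []
            while parent[dn] is not None:
                path.append(dn)
                dn = parent[dn]
            return list(reversed(path))
        for group in sorted(direct_groups(dn, directory)):
            if group not in parent:
                parent[group] = dn
                queue.append(group)
    return []

def diagnose(user_dn: str, target_dn: str, directory: Dict,
             vmm_group_classes: Set[str]) -> str:
    """Map the finding onto the troubleshooting steps: Step 1 (LDAP),
    Step 2 (VMM filter) or Step 3 (BPM synchronization)."""
    path = membership_path(user_dn, target_dn, directory)
    if not path:
        return "not-a-member"      # Step 1: fix membership on the LDAP server
    hidden = [g for g in path
              if not set(directory[g]["objectclass"]) & vmm_group_classes]
    if hidden:
        return "hidden-by-filter"  # Step 2: VMM group filter drops a group in the chain
    return "visible"               # Step 3: LDAP and VMM agree, check BPM sync
```

With a VMM group filter that only admits `groupOfNames`, the nested `groupOfUniqueNames` link is invisible, so BPM never learns that alice belongs to bpm-approvers even though LDAP says she does.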
If the information in LDAP and WAS VMM is correct, the most likely reason is a missing synchronization. IBM Business Process Manager synchronizes external users, groups and memberships based on the following triggers:
So if the external user, group or membership has not been synchronized, you may get an authorization error. To resolve it, besides manually triggering the synchronization as described above, you can run the scripts below (for IBM BPM releases before V8.5.5, you may need to apply an iFix to support the administrative scripts below):
Reference: See "Synchronizing users and groups" in the product documentation.
See "How to troubleshoot a BPM user authorization problem - Part I" for the other entry in this series.