If you use an external security provider, you can view the groups from that external
provider in the Process Admin Console, but you cannot edit them. You can, however, add users and
groups from your external provider to Business Automation Workflow internal groups that you
create. You can also combine accounts from different providers into one group.
Before you begin
Log in to the Process Admin Console.
Note: To create and maintain groups, log in as an administrative user, such as the default
administrative user account, or an account that you added during installation that has
administrator privileges. If you added a new administrative user, the user is added to the
tw_admins user group. By default, members of the administrators group, tw_admins, can administer
workflow servers, Performance Data Warehouses, and internal users and groups.
About this task
The default installation of Business Automation Workflow provides a federated repository that
contains the WebSphere® Application Server file registry. To implement an external security
provider, which uses a different user registry than the WebSphere Application Server file
registry, you must add the provider to the federated repository. Several types of repositories are
supported, including the local operating system registry, a stand-alone Lightweight Directory
Access Protocol (LDAP) registry, a stand-alone custom registry, and federated repositories.
See the related links for more information about registries and external security providers.
Note: Groups created in Business Automation Workflow cannot be edited in WebSphere Application
Server, and groups created in WebSphere Application Server cannot be edited in Business Automation
Workflow.
Restriction: You cannot create a new group using the Process Admin Console if a group was created
in the past with the same group name in the WebSphere Application Server user registry, that is, by
using the WebSphere Application Server admin console. Once a group has been imported from the
WebSphere Application Server user registry into the Business Automation Workflow system, it is kept
in the Business Automation Workflow database. If the group is deleted in the WebSphere Application
Server user registry, the group is marked as deleted in the Business Automation Workflow database,
but it is not actually deleted. Therefore, the group cannot be added using the Process Admin
Console as a new group. However, you can migrate the group type for such groups with the group
synchronization REST API /system/groups_sync/ (see Operations REST APIs).
Note: During a Process Application deployment, if the snapshot includes user registry groups that
do not exist on the target system, these groups are created there. These groups can be managed by
the Process Admin Console on the target system. These groups could later be migrated with the group
synchronization REST API /system/groups_sync.
Security considerations for Business Automation Workflow
- Users and groups created in the WebSphere Application Server administrative console are stored in
the file registry.
- Internal users and groups are managed through the Process Admin Console.
Note: In IBM® Business Automation Workflow, there are user groups that have names that begin with
the prefix "caseRole_". These user groups are created in the context of the new case and process
integration capability that synchronizes Case Builder roles and Process Designer teams. You should
never manually delete or modify these groups by any means, such as by using the Process Admin
Console or by using a REST or JavaScript API.
For a list of default groups, see IBM Business Automation Workflow default group types.