IBM Business Automation Workflow group types
IBM® Business Automation Workflow can
use groups that are visible only within the Business Automation Workflow environment
and also groups that are visible outside of that environment.
Many customers define their groups in the Lightweight Directory Access Protocol (LDAP). IBM Business Automation Workflow accesses the groups through federated repositories.
As a result, these groups are also visible to WebSphere® Application
Server and can
be mapped to:
- WebSphere Application Server administrative roles.
- IBM Business Automation Workflow application Java™ EE roles.
- IBM Business Automation Workflow security roles
- Internal groups with specific privileges. For example, a group that is defined using the bpmAdminGroup security configuration property. See Security configuration properties.
IBM Business Automation Workflow group
management manages several types of IBM Business Automation Workflow private
groups. In this context, private
means that the groups are
not visible outside of the IBM Business Automation Workflow environment,
not available in LDAP, and not visible to WebSphere
Application Server. Such groups cannot be used for Java Platform, Enterprise Edition or WebSphere
Application Server administrative
role assignment.
The following list describes IBM Business Automation Workflow private
group types:
- Security group - A group that was replicated from the user registry.
In the diagram in this topic, the user registry is referred to as
the Federated Repositories. The group might be defined in either the
file registry or LDAP and is stored in the
BPMDBtable. - Team - There is an entry for each team in the
BPMDBtable. Teams are defined in either process applications or toolkits. Teams can have static member lists that include users or groups, or they can use a service to calculate their members. Teams can be used to expose process application artifacts by, for example, controlling who can start a business process or human service. Process application administrator teams (referred to as Portal Admin Team in the desktop Process Designer) can be defined to administer process instances of the process application. Teams can be used in task assignments. Team managers can be defined as a team, which makes it possible for you to create a hierarchy. Team managers can assign work from one team member to another team member and can view dashboards check their team's performance. - Ad hoc group - If a team calculates its members using a service, the service returns a set of users and groups. This list of users and groups is then persisted as a reusable entry in the database. Ad hoc groups are immutable. Ad hoc groups can also be created by using a list of users or a list of groups (deprecated).
- Internal group - Internal groups are created by using the Process Admin Console or an
application programming interface. They are not process-application specific, but can be reused
across multiple process applications. They are similar to LDAP groups, but are
- Managed by IBM Business Automation Workflow
- Writable using IBM Business Automation Workflow application program interfaces
- Invisible except to IBM Business Automation Workflow and its process applications
Note: Internal groups are also created implicitly during a process application deployment if the snapshot includes security groups that do not exist on the target system. If later on such security groups are created in the connected user registry the group type can be migrated from internal group to security group. Use the group synchronization REST API/system/groups_sync/(Operations REST APIs) and set the migrate_group_type parameter totrue.
The following diagram illustrates how IBM Business Automation Workflow group
management works with the federated repository to manage the various
types of groups.
A number of default groups are available after IBM Business Automation Workflow installation.
Permissions are associated with membership in these groups as described
in the table below. Note that you can:
- Grant permission to users by making them members of these groups. For example, by adding a group from LDAP as a subgroup.
- Specify different group names in place of the default groups that are listed below. See Security configuration properties.
- Specify groups that exist in the user registry or internal groups.
Table 1 lists the IBM Business Automation Workflow groups that are included by default.
| Default group | Description |
|---|---|
| tw_admins | Members of this group have full access to all
interfaces, assets, servers, and security. Note: You can rename this
group, but there must always be an administrator group defined. Administration
of Business Automation Workflow is
not possible without this group.
|
| tw_allusers | This group is the default lane assignment for non-system lanes when business process definitions (BPDs) are created in Process Designer. The dashboards that you create in Process Designer are available to this group by default. |
| tw_allusers_managers | This group contains the team of managers for
the tw_allusers group. In the Team Performance dashboard in Process Portal and Heritage Process Portal, members
of this group can see a dashboard for the All Users team and the sample
teams that are delivered with the product. By default, the tw_allusers_managers group includes the tw_admins group. |
| tw_authors | Members of this group have access to the Designer and other interfaces in the Process Designer, including Workflow Center. From Workflow Center, members of this group can create process applications and toolkits and control access to projects. Access to other process applications and toolkits (projects) and the assets they contain is controlled by Workflow Center repository administrators. |
| Debug | You can use this account to restrict access to service debugging in the Inspector in the Process Designer. |
| tw_eventmanager | Members of this group have full access to historical information about Event Manager processing. |
| tw_managers | Members of this group can see the Team Performance
dashboard in Process Portal and Heritage Process Portal. To
see dashboards for individual teams, the group member must also be
a member of a managers team that is defined in Process Designer. By default, the tw_managers group includes the tw_allusers group. |
| tw_portal_admins | Because of functionality changes in Business Automation Workflow V8, members of this group no longer have any special access rights. |
| tw_process_owners | Members of this group can see the Process Performance
dashboard. By default, this group is also assigned to the ACTION_CHANGE_CRITICAL_PATH Process Portal policy,
which allows members to view and change the projected path of a process
instance. By default, the tw_process_owners group includes the tw_admins group. |