Restricting access to debugging for services (deprecated)

For services other than human services, you might need to limit access to debugging functionality in the Inspector in IBM® Process Designer. Use the IBM Business Process Manager configuration file (99Local.xml) to control which users have the ability to debug services. To edit the settings, find the debug section in the 99Local.xml file. Copy it to the 100Custom.xml file, and then make the necessary changes there.

The settings are checked by the server that runs the service. They need to be applied to the configuration file of your IBM Process Center when you debug locally in your Process Designer. IBM BPM version 8570 cumulative fix 2016.06 To run and debug on an online IBM Process Server, the configuration file of the online process server is checked.

Remember: The access restrictions do not apply to human services.

The following elements in the debug section of the 99Local.xml file enable you to configure debugging functionality for services.

Element	Default setting	Description
`<enabled>true</enabled>`	`true`	On Process Center: Establishes whether debugging of services is enabled. If set to `false` , when you attempt to debug a service in the Inspector in Process Designer, IBM BPM simply runs the service without providing any debugging feedback. On Process Server: Establishes whether running and debugging of services is enabled. If set to false, when you attempt to run or debug a service in the Inspector in Process Designer, IBM BPM rejects the attempt.
`<enforce-debug-role>false</enforce-debug-role>`	`false`	Establishes whether IBM BPM users who do not belong to the Debug group (defined in the following setting) can access debugging functionality. By default, this element is set to `false` , which allows users who do not belong to the Debug group to access debugging functionality. So, by default, all users have access to debugging for services. If you want to limit access to users who are members of the Debug group, set this element to `true` .
`<debug-role>debug</debug-role>`	`debug`	Specifies the role membership that users must have in order to access debugging functionality. Only one debug role can be defined. If one or both of the preceding settings is false (`enabled` and `enforce-debug-role`), then this setting has no effect. If both of the preceding settings are true, then: A user who belongs to this role will have access to debugging functionality. A user who does not belong to this role will not have access to debugging functionality. If you do not specify any value for `debug-role` , debugging functionality is disabled.

Element

Default setting

Description

<enabled>true</enabled>

true

On Process Center: Establishes whether debugging of services is enabled. If set to false , when you attempt to debug a service in the Inspector in Process Designer, IBM BPM simply runs the service without providing any debugging feedback.

IBM BPM version 8570 cumulative fix 2016.06 On Process Server: Establishes whether running and debugging of services is enabled. If set to false, when you attempt to run or debug a service in the Inspector in Process Designer, IBM BPM rejects the attempt.

<enforce-debug-role>false</enforce-debug-role>

false

Establishes whether IBM BPM users who do not belong to the Debug group (defined in the following setting) can access debugging functionality. By default, this element is set to false , which allows users who do not belong to the Debug group to access debugging functionality. So, by default, all users have access to debugging for services. If you want to limit access to users who are members of the Debug group, set this element to true .

<debug-role>debug</debug-role>

debug

Specifies the role membership that users must have in order to access debugging functionality. Only one debug role can be defined.

If one or both of the preceding settings is false (enabled and enforce-debug-role), then this setting has no effect.

If both of the preceding settings are true, then:

A user who belongs to this role will have access to debugging functionality.
A user who does not belong to this role will not have access to debugging functionality.
If you do not specify any value for debug-role , debugging functionality is disabled.

The debug section of the 99Local.xml file is shown in the following example:

<server merge="mergeChildren">
<debug merge="mergeChildren">

<!-- Indicates whether or not debugging of services is enabled. If this is false then debugging a service will simply run the service, and the
debugging functions will be turned off. -->

<enabled merge="replace">true</enabled>

<!-- Defines whether or not users that do not belong to the debug role can access
debugging functions for services. -->

<enforce-debug-role merge="replace">true</enforce-debug-role>

<!-- Specifies the role a user must be a member of to debug a service. Only one
user role can be defined. If enabled is false, or is enforce-debug-role is
false then this has no effect.
If enabled and debug-role is true, then a user belonging to this role will
have access to debugging functions. A user that does not belong to this
role will not have access to debugging functions, hence the service will run
as it would normally.
If you do not specify any value for the debug role this will disable the
debugging functions.
-->
<debug-role merge="replace">debug</debug-role>
</debug>
</server>