Creating and managing groups

This topic is shared by BAW, CP4BA, CP4BASaaS. Last updated on 2025-03-13 12:15
If you use an external security provider, you can view the groups from that external provider in the Process Admin Console, but you cannot edit them. You can, however, add users and groups from your external provider to Business Automation Workflow internal groups that you create. You can also combine accounts from different providers into one group.

Before you begin

Log in to the Process Admin Console.
Note: To create and maintain groups, log in as an administrative user, such as the default administrative user account, or an account that you added during installation that has administrator privileges. If you added a new administrative user during installation, that user is added to the tw_admins user group. Members of the administrators group (by default, tw_admins) can administer workflow servers, Performance Data Warehouses, and internal users and groups.

About this task

The default installation of Business Automation Workflow provides a federated repository that contains the WebSphere® Application Server file registry. To implement an external security provider, which uses a different user registry than the WebSphere Application Server file registry, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a stand-alone Lightweight Directory Access Protocol (LDAP) registry, a stand-alone custom registry, and federated repositories.

See the related links for more information about registries and external security providers.

Note: Groups created in Business Automation Workflow cannot be edited in WebSphere Application Server and groups created in WebSphere Application Server cannot be edited in Business Automation Workflow.
Restriction: You cannot create a new group in the Process Admin Console if a group with the same name was created in the past in the WebSphere Application Server user registry, that is, by using the WebSphere Application Server admin console. After a group has been imported from the WebSphere Application Server user registry into the Business Automation Workflow system, it is kept in the Business Automation Workflow database. If the group is later deleted in the WebSphere Application Server user registry, the group is marked as deleted in the Business Automation Workflow database, but the record is not actually removed. Therefore, the group cannot be added as a new group by using the Process Admin Console. It is, however, possible to migrate the group type of such groups with the group synchronization REST API /system/groups_sync/ (Operations REST APIs).
Note: During process application deployment, if the snapshot includes user registry groups that do not exist on the target system, these groups are created there. These groups can be managed in the Process Admin Console on the target system, and they can later be migrated with the group synchronization REST API /system/groups_sync.
Security considerations for Business Automation Workflow
  • Users and groups created in the WebSphere Application Server administrative console are stored in the file registry.
  • Internal users and groups are managed through the Process Admin Console.
Note: In IBM® Business Automation Workflow, there are user groups that have names that begin with the prefix "caseRole_". These user groups are created in the context of the new case and process integration capability that synchronizes Case Builder roles and Process Designer teams. You should never manually delete or modify these groups by any means, such as by using the Process Admin Console or by using a REST or JavaScript API.

For a list of default groups, see IBM Business Automation Workflow default group types.

Procedure

  • To create and remove groups, add users to groups, and remove users from groups, go to the menu in the Server Admin area of the Process Admin Console and locate the option that you need.
    Tips:
    • To see all the groups, enter ** in the Select Group to Modify field.
    • * is the only recognized wildcard character supported for the Search for Name field.
    Restriction: You can't delete a group that has tasks assigned or is configured as bpmAdminGroup in the BPMServerSecurityGroups configuration.
  • To return a list of members of a nested group for an LDAP repository:
    1. Run the following command:
      $AdminTask setIdMgrCustomProperty { -id <LDAP repository ID> -name com.ibm.ws.wim.adapter.ldap.returnNestedNonGroupMembers -value true}
      For example:
      wsadmin>$AdminTask setIdMgrCustomProperty { -id LDAP1 -name com.ibm.ws.wim.adapter.ldap.returnNestedNonGroupMembers -value true}
    2. Save the changes and exit.
      wsadmin>$AdminConfig save
      wsadmin> exit
    3. Restart the server.
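The three steps above collected into one wsadmin Jacl script, so that the property name cannot be mistyped and the change is saved in the same run. This is an added example, not part of the original topic and not an IBM-supplied script. It assumes that the repository ID is passed as the script's first argument (falling back to LDAP1, the ID used in the example above), that the script file name nested_members.jacl is arbitrary, and that checking the output of listIdMgrRepositories for the ID as a substring is an adequate sanity check before writing the property.

```jacl
# nested_members.jacl (added example; hypothetical file name)
# Usage: wsadmin.sh -lang jacl -f nested_members.jacl LDAP1
# Enables nested non-group member lookup for one LDAP repository in the
# federated repository, then saves the configuration. A server restart
# (step 3 above) is still required for the change to take effect.

# Repository ID: first script argument, or LDAP1 when none is given (assumption)
set repoId [lindex $argv 0]
if {$repoId == ""} {
    set repoId LDAP1
}
set prop com.ibm.ws.wim.adapter.ldap.returnNestedNonGroupMembers

# Coarse sanity check: refuse to write the property if the ID does not
# appear in the list of configured federated repositories.
set repos [$AdminTask listIdMgrRepositories]
if {[string first $repoId $repos] < 0} {
    puts "Repository ID '$repoId' not found among configured repositories:"
    puts $repos
    exit 1
}

# Steps 1 and 2: set the custom property and save the configuration.
$AdminTask setIdMgrCustomProperty [list -id $repoId -name $prop -value true]
$AdminConfig save

puts "Set $prop=true on repository $repoId."
puts "Restart the server for the change to take effect."
```

After the restart, expect the member lists of Business Automation Workflow groups that map to LDAP groups containing other LDAP groups to grow, because users who belong only through an intermediate group are now returned as members. Review those groups in the Process Admin Console before relying on them for task assignment or administrative rights.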