Access control

Edit online

Draft comment:
This topic only applies to BAW, and is located in the BAW repository. Last updated on 2025-03-13 12:15

Draft comment:
Piotr - Is the info in this topic and it's sub-topic still valid? If so, should it be combined with the info we are reworking in: http://bidoc.torolab.ibm.com/review/8500/topic/com.ibm.wbpm.admin.doc/adminguide/topic/managing_users_E.html

When authenticating a user for IBM® Business Automation Workflow, it is important for security purposes that access to all operations is not automatically granted to that user. Allowing some users to perform certain operations, while denying access to those same operations for other users, is termed access control.

Access control can be arranged for components that you develop to make them secure. You provide access control for components by using service component architecture qualifiers at development time.

Some IBM Business Automation Workflow components, packaged as enterprise archive (EAR) files, secure their operation using Java™ EE role-based security. In contrast to code-based security, which secures the operation of components, role-based access control secures resources. For example, in the Business Calendars widget, you can specify the type of access that users have to individual timetables.

Security Roles widget

Use the Security Roles widget to specify, for each timetable, the owner of the timetable as well as those who have writer and reader access to the timetable.

The following table shows the administrative roles and their default permissions:

Roles	Default permission
BPMAdmin	Primary administrative user
BPMRoleManager	All authenticated users

EAR files and associated roles

The Business Process Choreographer and the Common Event Infrastructure are installed as part of IBM Business Automation Workflow.

Table 1. EAR files and associated roles in IBM Business Automation Workflow
Name of .ear file	Role	Default
BPEContainer_`nodeName`_`serverName`.ear OR BPEContainer_`clusterName`	APIUser	All Authenticated
	SystemAdministrator	None
	SystemMonitor	None
	JMSAPIUser	All Authenticated
	AdminJobUser	All Authenticated
	JAXWSAPIUser	Everyone
BPCExplorer_`nodeName`_`serverName`.ear OR BPCExplorer_`clusterName`	WebClientUser	All Authenticated
BPCArchiveExplorer_`nodeName`_`serverName`.ear OR BPCArchiveExplorer_`clusterName`	WebClientUser	All Authenticated
BusinessRulesManager.ear	BusinessRuleUsers	All Authenticated
	NoOne	None
	AnyOne	Everyone
BusinessRules_`nodeName`_`server`.ear	Administrator	All Authenticated
EventService.ear	eventAdministrator	All Authenticated
	eventConsumer	All Authenticated
	eventUpdater	All Authenticated
	eventCreator	All Authenticated
	catalogAdministrator	All Authenticated
	catalogReader	All Authenticated
mm.was_`nodeName`_`server`.ear	All Authenticated	All Authenticated
mm.was_`nodeName`_`server`.ear	everyone	Everyone
REST Services Gateway.ear	RestServicesUser	All Authenticated
REST Services Gateway Dmgr .ear	RestServicesUser	All Authenticated
TaskContainer_`nodeNameserverName`.ear OR TaskContainer_`clusterName`	APIUser	All Authenticated
	SystemAdministrator	None
	SystemMonitor	None
	EscalationUser	All Authenticated
	AdminJobUser	All Authenticated
	JAXWSAPIUser	Everyone
wpsFEMgr_7.0.0 Security	WBIOperator	Everyone