Restricting installation access to runtime servers

Edit online
Draft comment:
This topic only applies to BAW, and is located in the BAW repository. Last updated on 2025-03-13 12:15
You must authorize users with the appropriate type of access, depending on the environment: administrative access to install to workflow servers in production environments, write access to install to any non-production workflow server, or read access to install to workflow servers in development environments.

About this task

IBM® Workflow Center Authorization
The following authorization checks are performed on Workflow Center for deployment operations like online deploy or building a deployment package:
  • The user needs the following access to the process application depending on the type of target environment:
    • Administrative access to install to process servers in production environments
    • Write access to install to any non-production process server
    • Read access to install to process servers in development environments
    For more information about providing permissions to users and groups, see Managing access to workflow projects.
    Note: To create a generic deployment package, you need read access only.
  • If the processCenterInstall group is enabled, the user must be a member of the processCenterInstall group. The processCenterInstall group must exist on Workflow Center and you must be a part of this group in Workflow Center for the online deployment to work.
IBM Workflow Server Authorization
The following authorization checks are performed on Workflow Server for deployment operations like online deploy or offline deploy:
  • The user must be a member of tw_admins or the BPMAuthor user and a member of tw_authors.
    Important: If these internal groups, which are created when the deployment environment is created, are deleted, you won't be able to deploy snapshots.
  • If the offlineInstall group is enabled, the user must be a member of the offlineInstall group to run offline deployment commands.
Note: Online deployment uses the BPMAuthor user. If you override this user with a trust association interceptor (TAI), the new user must pass these checks.

Procedure

To enable a processCenterInstall or offlineInstall group, perform the following steps on the Workflow Server deployment manager.

  1. Start the wsadmin scripting tool. To start wsadmin using the Jython language, run the following command from the bin directory of the server profile: 
    wsadmin -conntype NONE -lang jython
  2. Extract the properties of the BPMProcessServer configuration object. 
    wsadmin> groups = AdminConfig.list('BPMServerSecurityGroups')
wsadmin> print AdminConfig.show(groups)
  3. View the output and note the processCenterInstall or offlineInstall value. For example, [processCenterInstall Existing_group_name] or [offlineInstall Existing_group_name].
    Note: If processCenterInstall or offlineInstall is missing, the group is not enabled.
  4. Update the processCenterInstall or offlineInstall value. 
    wsadmin> AdminConfig.modify(groups, [['processCenterInstall', 'New-Group-Name']])
    wsadmin> AdminConfig.modify(groups, [['offlineInstall', 'New-Group-Name']])

    where the New_group_name variable represents the group of users you want to grant access to. The group must exist in the user repository or be an internal group that is managed in the Process Admin Console.

  5. Verify your update. 
    wsadmin> print AdminConfig.show(groups)
  6. Save the changes and exit. 
    wsadmin> AdminConfig.save()
wsadmin> exit
  7. When the changes have been synchronized to the nodes, restart the application cluster for the changes to take effect.