Creating and maintaining users for a Business Automation Workflow deployment environment

Use the Process Admin Console to create and configure user accounts for a deployment environment server. A deployment environment is an environment in which server processes, which are typically on different physical computer systems, are managed together.

Before you begin

Authorize users to manage other users in IBM® Business Automation Workflow. To enable a user to add, delete, or modify other users in WebSphere, assign that user to the WebSphere® Application Server IdMgrWriter role by running the following command in the wsadmin scripting client:

wsadmin> AdminTask.mapIdMgrUserToRole( [ '-roleName', 'IdMgrWriter', '-userId', 'uid=sample_user,o=defaultWIMFileBasedRealm' ] )
wsadmin> AdminConfig.save()

  • Run the command on the deployment manager node. In IBM BPM Express, run the command on the stand-alone server.
  • The command must be run in connected mode. Do not specify the wsadmin -conntype none option.

See the topic Providing security. Refer to the topic IdMgrConfig command group for the AdminTask object for more information on the WebSphere Application Server IdMgrWriter role.

If a user needs to use the Process Admin Console to manage other users, then add the user to the tw_admins group in the Process Admin Console. See the topic Creating and managing groups.

To create and maintain users, log in as an administrative user, such as a user in the DeAdmin role. Do not remove a user or group assigned to the DeAdmin role. Only users and groups assigned to this role can administer servers and users.

Important: You cannot use the Process Admin Console to create a new user if another user was created in the past with the same user name. Once a user has been created using the Process Admin Console, it is retained in the IBM Business Automation Workflow system. Even if the user is subsequently deleted, the user entry is not removed from the IBM Business Automation Workflow database and the internal authorization system.

About this task

During IBM Business Automation Workflow profile creation, a file-based federated user repository is configured as the active user registry. You can change the default user repository by using the administrative console, or in the case of IBM Security Access Manager, by configuring the repository with the wsadmin command.

Restriction: A user name cannot have more than 64 characters.

Restriction: Specify unique user IDs for every user in the following groups:
  • WebSphere Application Server Virtual Member Manager (VMM) user repository security groups
  • Lightweight Directory Access Protocol (LDAP) user repository security groups
  • Internal IBM Business Automation Workflow custom user registries
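
A pre-flight check for the naming rules above (the 64-character limit, unique user IDs across the VMM, LDAP and internal registries, and the retention of names once created in the Process Admin Console), added here as an example and not IBM's code. It assumes the existing IDs have been exported to plain lists; the function names, the sample data and the case-insensitive comparison are assumptions of this example.

```python
import re
from collections import defaultdict

MAX_USER_NAME_LEN = 64  # limit stated in the restriction above
# Constructed sample exports, not taken from a real system.
REGISTRIES = {
    "VMM file": ["uid=sample_user,o=defaultWIMFileBasedRealm"],
    "LDAP": ["uid=jdoe,ou=people,dc=example,dc=com",
             "uid=Sample_User,ou=people,dc=example,dc=com"],
    "internal": ["tw_author"],
}
RETAINED = ["old_contractor"]  # created earlier in the console, since deleted

def short_name(entry):
    """Login name from a bare name or from the first RDN of a DN."""
    first_rdn = re.split(r"(?<!\\),", entry.strip(), maxsplit=1)[0]
    _, sep, value = first_rdn.partition("=")
    return (value if sep else first_rdn).strip()

def owners_by_name(registries):
    """Map each lower-cased name (assumption: case-insensitive match) to its registries."""
    owners = defaultdict(set)
    for label, entries in registries.items():
        for entry in entries:
            owners[short_name(entry).lower()].add(label)
    return owners

def cross_registry_collisions(registries):
    """Names already present in more than one registry."""
    return {n: sorted(r) for n, r in owners_by_name(registries).items() if len(r) > 1}

def check_new_users(candidates, registries, retained_names):
    """Return {candidate: [problems]}; an empty list means no finding."""
    owners = owners_by_name(registries)
    retained = {short_name(n).lower() for n in retained_names}
    report = {}
    for name in candidates:
        key, problems = short_name(name).lower(), []
        if len(short_name(name)) > MAX_USER_NAME_LEN:
            problems.append("longer than 64 characters")
        if key in owners:
            problems.append("already used in: " + ", ".join(sorted(owners[key])))
        if key in retained:
            problems.append("created before in the Process Admin Console")
        report[name] = problems
    return report

if __name__ == "__main__":
    print(cross_registry_collisions(REGISTRIES), check_new_users(["jdoe", "new_user"], REGISTRIES, RETAINED))
```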

Procedure

The procedure for creating and configuring user accounts varies according to the type of user registry that is configured and whether you use an external security provider.

Note: In the Server Admin area of the Process Admin Console, the User Management section in the User Management window displays only internal users, that is, users that exist in the file registry part of VMM.