Modeling secure Ajax services

To ensure that the Ajax services that you model are secure, you must add authorization checks to the service implementation.

Before you begin

To perform this task, you must be in the IBM® Process Designer desktop editor.

About this task

You can use different methods to add authorization checks to your service implementation, as follows.
  • Use the optional checkAuthorization Boolean flag that some JavaScript APIs provide. If checkAuthorization is set to true, the authorization check is delegated to the JavaScript API, and only information that the current user is authorized to access is returned.
    instance.retrieveTaskList(properties, maxRows, beginIndex, timezone, true); // authorization is done by JS API
  • Use the getAvailableActions() method on a resource to determine whether the current user is authorized to perform a specific action. Continue only if the specified action is shown in the result.
    var actions = instance.getAvailableActions();
    if (actions != null) {
        for (var i = 0; i < actions.length; i++) {
            if (actions[i] == "ACTION_VIEW_INSTANCE") {
                // do whatever you want to secure,
                // e.g. retrieve instance-specific information
                break; // the action was found; stop scanning
            }
        }
    }
  • Check the user's group membership to determine the user's authorization.
    var group = PARTICIPANT_GROUP_PLACEHOLDER; // placeholder: the group value is missing from this page
    if (tw.system.user.isInParticipantGroup(group)) {
        // do whatever you want to secure,
        // e.g. retrieve team information
    }
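
The getAvailableActions() check above shows only the authorized path. The following added example (not IBM's code and not part of the original page) wraps that check in a guard that denies when the action list is null, the lookup throws, or the action is absent. The names isAuthorized, runSecured, stubInstance and readName, the stub data, and the action ACTION_OTHER_CONSTRUCTED are hypothetical and constructed for illustration.

```javascript
// Added example: fail-closed authorization guard for an Ajax service body.
// All function names and stub objects here are hypothetical.

// True only if the resource positively lists the required action.
function isAuthorized(resource, requiredAction) {
    var actions;
    try {
        actions = resource.getAvailableActions();
    } catch (e) {
        return false; // lookup failed: deny rather than continue
    }
    if (actions == null) {
        return false; // no action list: deny
    }
    for (var i = 0; i < actions.length; i++) {
        if (actions[i] == requiredAction) {
            return true;
        }
    }
    return false;
}

// Runs securedWork only after the check passes; otherwise returns a
// uniform denial that carries no instance data.
function runSecured(resource, requiredAction, securedWork) {
    if (resource == null || !isAuthorized(resource, requiredAction)) {
        return { authorized: false, data: null };
    }
    return { authorized: true, data: securedWork(resource) };
}

// Constructed stand-in for a process instance, so the example runs offline.
function stubInstance(actions, name) {
    return {
        name: name,
        getAvailableActions: function () {
            if (actions === "error") { throw new Error("lookup failed"); }
            return actions;
        }
    };
}
function readName(inst) { return inst.name; }

var VIEW = "ACTION_VIEW_INSTANCE"; // action name taken from the page
var allowed = runSecured(stubInstance([VIEW], "Order 1"), VIEW, readName);
var denied = runSecured(stubInstance(["ACTION_OTHER_CONSTRUCTED"], "Order 2"), VIEW, readName);
var noList = runSecured(stubInstance(null, "Order 3"), VIEW, readName);
```

All three denial cases return the same object, so the caller cannot distinguish a missing action from a failed lookup.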

Securing the start of the Ajax services

About this task

When you create an external implementation to implement a task, you can specify the Ajax services that can be started from this external implementation. Only the owners of the task that is implemented by this external implementation are authorized to start the listed Ajax services. To start the Ajax services, the task owners use the startService REST API in the context of the specified callerTaskId.
Tip: The startService REST API is one of the IBM BPM REST APIs that are exposed through the IBM MobileFirst generic adapter. For more information, see REST APIs exposed through the MobileFirst adapters.


To specify an Ajax service that can be started from a task implemented by an external implementation, complete the following steps:

  1. In Process Designer, create an external implementation. See Creating an external implementation.
  2. In the properties view of the external implementation, under Ajax Services, select Authorize Ajax Services.
  3. Click Add and, from the list of available Ajax services, select a service that can be started from the task implemented by this external implementation. The selected service is added to the Ajax Services list.


For the task that is implemented by this external implementation, only the services that are listed in the Ajax Services list can be started by using the startService REST API. The following conditions are true for the startService REST API that is exposed through the MobileFirst adapters:
  • Only the Ajax services that are associated with the specified external implementation can be started.
  • The callerTaskId is a mandatory parameter in the startService REST API, and the external implementation must list the Ajax service to be started.
  • For the specified task, Ajax services that are called from a context other than an external implementation cannot be started.
In IBM BPM Standard, the startService REST API tolerates these conditions for backward-compatibility reasons.