Optional user access configurations

In addition to the webSecurity.xml file, in which you define the users allowed to access the application server, you can specify up to four additional files that configure access to an Operational Decision Manager instance. You provide these files through the customization.authSecretRef parameter.

ldap-configurations.xml

The ldap-configurations.xml file automatically defines the LDAP configuration available under the Decision Center Administration tab.

For example:

<dc-usermanagement>
        <ldapConnections>
                <ldapConnection name="LDAP">
                        <ldapUrl>ldap://hostname</ldapUrl>
                        <searchConnectionDN>cn=admin,dc=example,dc=org</searchConnectionDN>
                        <searchConnectionPassword>password</searchConnectionPassword>
                        <groupSearchBase>ou=groups,dc=example,dc=org</groupSearchBase>
                        <groupSearchFilter>(cn=*)</groupSearchFilter>
                        <groupNameAttribute>cn</groupNameAttribute>
                        <groupMemberAttribute>member</groupMemberAttribute>
                        <userIdAttribute>uid</userIdAttribute>
                        <userNameAttribute>cn</userNameAttribute>
                        <userMailAttribute>mail</userMailAttribute>
                        <ldapProperties>
                                <ldapPropertyName/>
                        </ldapProperties>
                </ldapConnection>
        </ldapConnections>
</dc-usermanagement>

This option is equivalent to the manual procedure described in Synchronizing users and groups in Decision Center.

Note: If you want to use SSL-enabled LDAP in your container environment, you must create the SSL secret with the certificate of the LDAP server. Put the LDAP server certificate in the operator trust list as described in Importing the certificate of an external service.

group-security-configurations.xml

The group-security-configurations.xml file automatically populates the groups and users under the Decision Center Administration tab to map roles to groups.

For example:

<dc-usermanagement>
        <role name="rtsAdministrator"/>
        <role name="rtsConfigManager"/>
        <role name="rtsInstaller"/>
        <role name="rtsUser"/>
        <group name="rtsAdministrators" roles="rtsAdministrator"/>
        <group name="rtsConfigManagers" roles="rtsConfigManager"/>
        <group name="rtsInstallers" roles="rtsInstaller"/>
        <group name="rtsUsers" roles="rtsUser"/>
        <user name="odmAdmin" groups="rtsAdministrators, rtsInstallers, rtsConfigManagers, rtsUsers"/>
        <user name="rtsAdmin" groups="rtsAdministrators, rtsInstallers, rtsConfigManagers, rtsUsers"/>
        <user name="rtsConfig" groups="rtsConfigManagers, rtsUsers"/>
        <user name="rtsUser1" groups="rtsUsers"/>
        <user name="rtsUser2" groups="rtsUsers"/>
</dc-usermanagement>
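As an added review script, not part of this documentation, the following Python code reads the two XML files described above: it lists ldapConnection entries whose ldapUrl is not ldaps:// (the case that needs the SSL secret from the note above once you switch), and it resolves every user in group-security-configurations.xml to its effective roles so that rtsAdministrator membership and references to undeclared groups can be audited. The XML samples are constructed copies of the examples above; treating a group's roles attribute as a comma-separated list, like a user's groups attribute, is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples modelled on the two XML files shown above.
LDAP_XML = """<dc-usermanagement><ldapConnections>
  <ldapConnection name="LDAP">
    <ldapUrl>ldap://hostname</ldapUrl>
    <searchConnectionDN>cn=admin,dc=example,dc=org</searchConnectionDN>
  </ldapConnection>
  <ldapConnection name="LDAPS">
    <ldapUrl>ldaps://hostname:636</ldapUrl>
  </ldapConnection>
</ldapConnections></dc-usermanagement>"""

GROUPS_XML = """<dc-usermanagement>
  <role name="rtsAdministrator"/><role name="rtsUser"/>
  <group name="rtsAdministrators" roles="rtsAdministrator"/>
  <group name="rtsUsers" roles="rtsUser"/>
  <user name="odmAdmin" groups="rtsAdministrators, rtsUsers"/>
  <user name="rtsUser1" groups="rtsUsers"/>
  <user name="stale" groups="rtsOperators"/>
</dc-usermanagement>"""

def ldap_findings(xml_text):
    """Names of LDAP connections whose ldapUrl is not ldaps://; a plain ldap://
    URL sends the searchConnectionDN bind password in clear text."""
    root = ET.fromstring(xml_text)
    return [c.get("name") for c in root.iter("ldapConnection")
            if urlparse(c.findtext("ldapUrl", "")).scheme != "ldaps"]

def _names(attr):
    # Attributes such as groups="a, b" are comma separated with optional spaces.
    return [x.strip() for x in attr.split(",") if x.strip()]

def effective_roles(xml_text):
    """Map each user to the sorted roles reached via its groups; an undeclared
    group is reported as '?unknown-group:<name>' rather than silently dropped."""
    root = ET.fromstring(xml_text)
    group_roles = {g.get("name"): _names(g.get("roles", "")) for g in root.iter("group")}
    result = {}
    for user in root.iter("user"):
        roles = set()
        for group in _names(user.get("groups", "")):
            roles.update(group_roles.get(group, ["?unknown-group:" + group]))
        result[user.get("name")] = sorted(roles)
    return result

def administrators(xml_text):
    """Users who end up with rtsAdministrator, the role to keep to a minimum."""
    return [u for u, r in effective_roles(xml_text).items() if "rtsAdministrator" in r]
```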

server-configurations.json

The server-configurations.json file must contain an array of JSON objects. Each JSON object defines a server by using the following fields:

Field Description
name The name of the server as it is displayed in the Business console interface.
kind Indicates the server type:
  • RES: RuleApp deployment
  • DECISION_RUNNER: test suite and simulation executions
authenticationKind Indicates the authentication type:
  • BASIC_AUTH: basic username and password authentication (default)
  • OAUTH: OpenID authentication
authenticationProvider If the authenticationKind is OAUTH, this property defines the name of the OIDC provider. This name must match one of the OIDC providers that are uploaded to the Business Console.
url The URL of the server.
loginServer The username for logging in to this server.
loginPassword The password for logging in to this server.
builtIn If this field is set to false, the server configuration can be edited or removed.
description A sentence describing the server.
groups The list of groups.

The following example illustrates the fields in a server-configurations.json file:

[
  {
    "name": "Test and Simulation Execution (BASIC)",
    "kind": "DECISION_RUNNER",
    "authenticationKind": "BASIC_AUTH",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/DecisionRunner",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to run tests and simulations for decision services.",
    "groups": ["*"]
  },
  {
    "name": "Decision Service Execution (OIDC)",
    "kind": "RES",
    "authenticationKind": "OAUTH",
    "authenticationProvider": "frlab",
    "url": "https://cpd-odm.apps.XXX.XXX/odm/res",
    "loginServer": "odmAdmin",
    "loginPassword": "odmAdmin",
    "builtIn": false,
    "description": "Use this server to deploy decision services that you want to execute.",
    "groups": ["*"]
  }
]

XXX.XXX corresponds to the OpenShift domain name.

OdmOidcProviders.json

The OdmOidcProviders.json file provides the OpenID Connect client configuration to deploy decision services to Rule Execution Server. In this case, Decision Center is the client of Rule Execution Server for deploying decision services.

You can specify several OpenID Connect Providers in the same JSON file.

For example:

{
  "providers": [
    {
      "name": "OIDCProviderName1",
      "grantType": "password",
      "authorizationURL": "https://<host>:<port>/<path>/authorize",
      "tokenURL": "https://<host>:<port>/<path>/token",
      "introspectionURL": "https://<host>:<port>/<path>/introspect",
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    },
    {
      "name": "OIDCProviderName2",
      "grantType": "client_credentials",
      "authorizationURL": "https://<host>:<port>/<path>/authorize",
      "tokenURL": "https://<host>:<port>/<path>/token",
      "introspectionURL": "https://<host>:<port>/<path>/introspect",
      "clientId": "<client_id>",
      "clientSecret": "<client_secret>"
    }
  ]
}

The following table lists the attributes used in the OdmOidcProviders.json file for Decision Center.
name
  Value for Decision Center: Mandatory
  Description: A short name to identify the OpenID Connect Provider.

grantType
  Value for Decision Center: Mandatory. Values:
    • password
    • client_credentials (default value)
  Description: The flow that is used to obtain a token.
    • password: Supports the current username and password authentication.
    • client_credentials: Uses the client credentials.
      Note: When you use client credentials, no username or password is needed when you select an OpenID Connect Provider in the Decision Center Business console. The fields for these credentials are hidden.

authorizationURL
  Value for Decision Center: Mandatory

tokenURL
  Value for Decision Center: Mandatory
  Description: It is used to obtain an access token by using the specified flow.

introspectionURL
  Value for Decision Center: Optional
  Description: It is used to introspect the token that is received in API calls when the token is opaque (non-JWT).
  When this URL is provided, the Operational Decision Manager OpenID Connect implementation caches the access tokens that are used in the password flow or the client credentials flow. The introspection URL is invoked to verify that a cached token is still valid before it is reused.
  When this URL is not provided, the Operational Decision Manager OpenID Connect implementation does not cache the access tokens that are used in the password flow or the client credentials flow, because it cannot verify the validity of a cached token. Therefore, every new connection to Rule Execution Server requires the flow to be run again.

clientId
  Value for Decision Center: Mandatory
  Description: The client ID that is obtained after the registration.

clientSecret
  Value for Decision Center: Mandatory
  Description: The client secret that is obtained after the registration.

Before you specify the client secret in the JSON file, test the connection without the client secret to verify that the connection itself works.
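As an added example that is not part of this documentation, the following Python script cross-checks a server-configurations.json file against an OdmOidcProviders.json file: every OAUTH server must name a provider that exists, kind, authenticationKind and grantType must be one of the documented values, a provider without an introspectionURL is reported because that disables token caching, and a server URL that is not https is flagged. The JSON inputs are constructed samples with placeholder hosts; the provider name frlab is taken from the example above.

```python
import json
from urllib.parse import urlparse
SERVER_KINDS = {"RES", "DECISION_RUNNER"}
AUTH_KINDS = {"BASIC_AUTH", "OAUTH"}
GRANT_TYPES = {"password", "client_credentials"}

# Constructed samples in the shape of OdmOidcProviders.json and server-configurations.json.
PROVIDERS_JSON = """{"providers": [
  {"name": "frlab", "grantType": "client_credentials",
   "authorizationURL": "https://idp.example/authorize", "tokenURL": "https://idp.example/token",
   "clientId": "<client_id>", "clientSecret": "<client_secret>"}]}"""

SERVERS_JSON = """[
 {"name": "Decision Service Execution (OIDC)", "kind": "RES", "authenticationKind": "OAUTH",
  "authenticationProvider": "frlab", "url": "https://odm.example/odm/res", "builtIn": false},
 {"name": "Legacy RES", "kind": "RES", "authenticationKind": "OAUTH",
  "authenticationProvider": "missing", "url": "http://odm.example/odm/res", "builtIn": false}
]"""

def check_providers(text):
    """Return (providers by name, findings) for an OdmOidcProviders.json document."""
    findings, by_name = [], {}
    for p in json.loads(text)["providers"]:
        name = p.get("name", "<unnamed>")
        by_name[name] = p
        for key in ("authorizationURL", "tokenURL", "clientId", "clientSecret"):
            if not p.get(key):
                findings.append(f"provider {name}: mandatory attribute {key} is missing")
        grant = p.get("grantType", "client_credentials")  # default value per the table
        if grant not in GRANT_TYPES:
            findings.append(f"provider {name}: unsupported grantType {grant}")
        if not p.get("introspectionURL"):  # optional, but without it tokens are never cached
            findings.append(f"provider {name}: no introspectionURL, every RES connection re-runs the {grant} flow")
    return by_name, findings

def check_servers(text, providers):
    """Validate server-configurations.json entries against the known OIDC providers."""
    findings = []
    for s in json.loads(text):
        name = s.get("name", "<unnamed>")
        if s.get("kind") not in SERVER_KINDS:
            findings.append(f"server {name}: kind must be RES or DECISION_RUNNER")
        auth = s.get("authenticationKind", "BASIC_AUTH")  # default value per the table
        if auth not in AUTH_KINDS:
            findings.append(f"server {name}: unsupported authenticationKind {auth}")
        elif auth == "OAUTH" and s.get("authenticationProvider") not in providers:
            findings.append(f"server {name}: authenticationProvider matches no uploaded OIDC provider")
        if urlparse(s.get("url", "")).scheme != "https":
            findings.append(f"server {name}: url is not https, so login credentials or tokens travel in clear text")
    return findings
```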