Understanding users and groups

As on the Kubernetes platform, where you use authentication and authorization functions for user management, most of the same concepts apply to artifacts within the FileNet P8 domain. Use the information in this section to assist with your security planning.

Security planning considerations for the FileNet P8 domain

Authentication and authorization are separate processes.

Authentication (logon security) is separate from authorization (object and process security). Because the operator defines the JAAS login on the Content Platform Engine application server, any user or group that can successfully log on to FileNet P8 resources can also be authorized to work within FileNet P8 interfaces. The user or group is authenticated through the Content Platform Engine connection to the directory service provider.

After the initial Content Platform Engine deployment, you can use the Administration Console for Content Platform Engine (ACCE) to configure the Content Platform Engine authorization by creating a directory configuration.

Logins are done through JAAS.

FileNet P8 uses Java™ Authentication and Authorization Service (JAAS) for authentication. The JAAS-based authentication occurs between a Java EE client application, a Java EE application server, and one or more JAAS login modules. This process does not involve any FileNet P8 code.

FileNet P8 Platform uses JAAS for authentication only, not for authorization on stored objects. It also does not support the Java Security Manager.

Determine single sign-on (SSO) requirements.

The Content Platform Engine uses JAAS-based authentication, so if a single sign-on (SSO) provider writes a JAAS LoginModule for a supported application server, then clients of FileNet P8 applications that are hosted in that application server can use that SSO solution. Where appropriate, the operator automatically configures SSO support.

Decide how many authentication realms you require.

You require at least one authentication realm, which the operator creates during the initial deployment based on the information that is provided in the CR.

Make sure that you have a directory service provider in place.

Directory services are provided by third-party directory servers. Refer to the IBM Software Product Compatibility Report for a full list of supported directory service providers.

Understand the users and groups that are needed for FileNet P8.

All general administrative users and groups that need access to FileNet P8-based applications must be included in one of the supported directory servers. If the operator initializes the FileNet P8 domain, the user account that is specified as appLoginUser in the ibm-fncm-secret becomes both the GCD administrator and the object store administrator. It is important to include that user in the groups for GCD administrators and object store administrators. For details on the users and groups to consider, see Creating Content Platform Engine directory server accounts.

Understand the users and groups that are needed for Task Manager.

The P8 domain must be configured to use a directory server, and the users and groups that are used with Task Manager must reside in that directory server. The Task Manager deployment requires that all users belong to one of three groups or roles that are specific to Task Manager. You can also create custom groups that you define in the CR.

The following list contains the roles available in the system and their permissions:

  • TaskAdmins: Users who are associated with this role can see and modify all of the tasks in the system.
  • TaskUsers: Users who are associated with this role can create tasks. They can also see and modify only the tasks that they create. They cannot see tasks that are created by other users.
  • TaskAuditors: Users who are associated with this role can see and modify all of the audit records in the system.

Create these groups in your LDAP or SCIM directory server, and assign all Task Manager users to the appropriate group.

After you create a CP4BA deployment, the operator automatically connects your LDAP to IAM. The users and groups that you defined in your LDAP for Task Manager are then available through IAM.

At this point, you must associate your users and groups to Zen roles to be able to use them in all of the CP4BA applications. IBM Automation has four roles defined: Automation Administrator, Automation Analyst, Automation Developer, and Automation Operator. For more information, see Roles and permissions.

Log in to the Common Web UI to get the IBM Cloud Pak console route and the admin password. Use the Platform UI to create a group for your CP4BA developers, and add your LDAP users and groups to this group. Then assign the Automation Developer role to that Zen group.

Avoid overlapping realm definitions

If you define multiple directory service providers in the CR, repositories with overlapping suffixes are not supported. For example, the following two repositories with overlapping Base entry distinguished names are not supported. The domain component attributes (dc=ibm,dc=com) are the same for the following entries:

  • ou=users,dc=ibm,dc=com
  • dc=ibm,dc=com

This restriction mainly applies to Active Directory parent and child domains, since by definition, parent and child domains in Active Directory have overlapping suffixes.

The repositories in the following example are supported because they are sibling repositories and do not overlap. The domain component attributes differ; they have different child components (dc=tivoli versus dc=filenet):

  • dc=tivoli,dc=ibm,dc=com
  • dc=filenet,dc=ibm,dc=com

The Content Engine realm attribute is mapped one-to-one to the NamingContext LDAP attribute in most systems.
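The following script, added here as an example and not part of the IBM documentation or product, checks a list of repository base DNs for the overlapping-suffix condition described above before you put them in the CR. It goes slightly beyond the text: it normalizes case and whitespace in the DNs, tolerates escaped commas, and also catches the Active Directory parent/child case. The sample DNs are constructed for illustration.

```python
"""Check the base DNs of multiple directory repositories for overlapping
suffixes, which the FileNet P8 CR does not support.  Added example, not
IBM code; the DN values below are constructed for illustration."""
import re
from itertools import combinations

# Split on commas that are not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn: str) -> tuple:
    """Return the DN as a tuple of normalized RDNs, root-most last.

    Attribute types and values are lower-cased and surrounding whitespace
    is removed, so 'DC=IBM, DC=COM' compares equal to 'dc=ibm,dc=com'.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def overlaps(dn_a: str, dn_b: str) -> bool:
    """True when one base DN equals, or is an ancestor of, the other."""
    a, b = normalize_dn(dn_a), normalize_dn(dn_b)
    shorter, longer = sorted((a, b), key=len)
    # Ancestor test: the shorter DN must equal the tail of the longer one.
    return longer[len(longer) - len(shorter):] == shorter


def find_overlaps(base_dns: list) -> list:
    """Return every (dn_a, dn_b) pair that overlaps, in input order."""
    return [(x, y) for x, y in combinations(base_dns, 2) if overlaps(x, y)]


if __name__ == "__main__":
    # Constructed samples: the unsupported pair from the documentation,
    # an AD parent/child pair, and the supported sibling pair.
    cases = {
        "unsupported": ["ou=users,dc=ibm,dc=com", "dc=ibm,dc=com"],
        "ad_parent_child": ["dc=ibm,dc=com", "dc=child,dc=ibm,dc=com"],
        "siblings": ["dc=tivoli,dc=ibm,dc=com", "dc=filenet,dc=ibm,dc=com"],
    }
    for name, dns in cases.items():
        print(name, find_overlaps(dns) or "no overlap")
```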