Synchronizing users and groups

IBM® Cloud Pak for Business Automation synchronizes external users and groups between the WebSphere® Application Server user registry and the Business Automation Workflow database in response to certain triggers.

Event-triggered synchronization

Business Automation Workflow synchronizes external users and groups based on the following triggers:
Table 1. User and group synchronizing triggers
Trigger event Synchronization
When the server starts in the pod.

All available groups are synchronized with the Business Automation Workflow database, so that all external groups are available for Business Automation Workflow modeling and execution.

During this startup synchronization, if a previously synchronized external group is not present, then its absence is noted in the database by setting a deleted flag, but the group is not removed from the database.

This startup synchronization does not update any group membership information.

When a user is searched for. For example:
  • In the Process Admin Console to add a user to a group.
  • In the designer to add a user to a team.

All users that are found during the search are created in the Business Automation Workflow database, even if they are not added to the group or team.

During user authorization. For example:
  • A user logs into Process Admin Console
  • A REST API call is made by a user (once per browser session)

If the user doesn't exist in the Business Automation Workflow database, the user is created in the database and the user information is synchronized with the user registry information (full name and distinguished name).

The groups that the user belongs to in the user registry are synchronized to ensure that the Business Automation Workflow database content reflects the current state of the user registry for the user.

If the is a member of one or more groups that were not previously synchronized, these groups are now created in the Business Automation Workflow database, too. Only the membership of this user in these new groups is reflected, the membership of other members of these newly added groups is not reflected until those other users log in.

If a user was previously deactivated, the login reactivates the user in the Business Automation Workflow database.

For more details about the REST API calls, see IBM Business Automation Workflow Operations REST Interface. The synchronization calls are POST /system/users_sync and POST /system/groups_sync.