Configure the users and groups that you need for your Document Processing environment.
About this task
Unlike the document processing users whose roles are determined by their Team server membership,
certain backend administration functions and services require users and groups that reside in a
directory server. Additionally, because your Document Processing environment uses the FileNet® Content Manager services, you must also configure the
users and groups to use in the FileNet P8 domain.
For information on setting up your FileNet P8 domain users and groups, see Preparing users and groups.
This procedure assumes that you have installed and prepared a directory service provider that can
be used by your container environment.
Note: IBM virtual member manager is not supported for container environments.
When you prepare your environment, record the settings so that these values are available to
enter into the custom resource YAML file for deployment and configuration. For lists of the
parameters that you need to collect, see the following section: Automation Document Processing
parameters.
Procedure
To prepare your directory server:
- Follow the steps for your directory server type:

  Directory server type: IBM Security Directory Server
  Configuration steps:
  - You can configure IBM Security Directory Server to be the directory service for Document Processing.
  - Server Side Sorting (SSS) must be enabled, because components call on Content Platform Engine to perform searches that use a sorted paging mechanism. SSS is normally enabled by default but is sometimes disabled because of performance concerns.
  - If your system requires continuous availability and a high degree of reliability, configure failover for authorization.

  Directory server type: Windows Active Directory
  Configuration steps:
  - In a multi-domain Active Directory environment, a logon fails for any account whose user name and password in a parent/child domain do not match those in the child/parent domain.
  - If you have an Active Directory failover configuration, you can configure this failover sequence to apply whenever Content Engine attempts to authorize an already authenticated user.
  - Server Side Sorting (SSS) must be enabled, because components call on Content Platform Engine to perform searches that use a sorted paging mechanism. SSS is normally enabled by default but is sometimes disabled because of performance concerns.
  - DNS forwarders provide external DNS lookup functionality. If you are working in an "isolated" network, a DNS forwarder is not required. However, if you want to access the Internet or other network resources, a DNS forwarder that points to a DNS server serving those external resources (for example, the Internet) is required. Enable DNS forwarders in the properties for your system.
- Configure the users and groups that you need for your Document Processing environment.
  The following users and groups are listed with their suggested names. These names correspond to the comments in the custom resource (CR) YAML templates that are provided. Using the suggested names helps you locate where each value belongs when you fill in the required parameters in the CR.
  At a minimum, configure the following:
  - Create the following users in your directory server:
    - FileNet P8 domain administrator and object store administrator: environmentOwner
    - Backend service users:
      - btsServiceUser
      - caServiceUser
      - rrServiceUser
  - Create the following groups in your directory server:
  Make a note of the user and group names that you define, because they are used to create Kubernetes secrets (key and value pairs for sensitive information) and are provided as parameters in the CR.
  - In the following snippets from the CR, the suggested names appear in the comments (environmentOwner and CE_EnvironmentOwners) to help you locate where the values belong:

    initialize_configuration:
      ic_ldap_creation:
        ic_ldap_admins_groups_name:
          - "<Required>" # Specify an LDAP Admin group (CE_EnvironmentOwners) as domain admin (required for "document_processing" capability)
      ic_obj_store_creation:
        object_stores:
          - oc_cpe_obj_store_display_name: "DEVOS1"
            oc_cpe_obj_store_symb_name: "DEVOS1"
            oc_cpe_obj_store_conn:
              dc_os_datasource_name: "DEVOS1DS"
              dc_os_xa_datasource_name: "DEVOS1DSXA"
            oc_cpe_obj_store_admin_user_groups:
              - "<Required>" # Specify an LDAP Admin User (environmentOwner) as object store admin (required for "document_processing" capability)
              - "<Required>" # Specify an LDAP Admin group (CE_EnvironmentOwners) as object store admin (required for "document_processing" capability)
  - In the following secrets, the key and value pair that corresponds to a user or group described previously is shown with the suggested name (environmentOwner):

    ibm-fncm-secret
      --from-literal=appLoginUsername="environmentOwner"
    ibm-ban-secret
      --from-literal=appLoginUsername="environmentOwner"
    ibm-adp-secret
      --from-literal=appLoginUsername="environmentOwner"
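The following shell script is an added example and is not part of the IBM documentation. It renders the three secrets above as Kubernetes Secret manifests offline (the same result as `kubectl create secret generic NAME --from-literal=KEY=VALUE --dry-run=client -o yaml`, with values base64-encoded into the `data` field), decodes a key back out so the stored value can be verified before `kubectl apply`, and counts the `<Required>` placeholders that are still unfilled in a CR file. The password value and the CR fragment in the demo are constructed samples; the `appLoginPassword` key is the companion of `appLoginUsername` in these secrets, and no other keys are assumed.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): render the ADP login
# secrets as manifests and check a CR for leftover "<Required>" values.

# Usage: render_secret NAME KEY=VALUE [KEY=VALUE ...]
# Prints a Secret manifest equivalent to
#   kubectl create secret generic NAME --from-literal=KEY=VALUE ... --dry-run=client -o yaml
render_secret() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    key=${pair%%=*}
    value=${pair#*=}
    # printf '%s' so that no trailing newline is encoded into the stored value
    printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  done
}

# Usage: secret_value MANIFEST_FILE KEY  -> prints the decoded value of KEY
secret_value() {
  awk -v k="$2" '$1 == k":" { print $2 }' "$1" | base64 -d
}

# Usage: count_required CR_FILE  -> number of lines still containing "<Required>"
# (grep -c exits 1 when the count is 0, which is a pass here, hence "|| true")
count_required() {
  grep -c '<Required>' "$1" || true
}

# Demo with constructed values; real passwords come from your directory server.
tmp=$(mktemp -d)
for s in ibm-fncm-secret ibm-ban-secret ibm-adp-secret; do
  render_secret "$s" appLoginUsername=environmentOwner appLoginPassword=example-only > "$tmp/$s.yaml"
done
# Constructed CR fragment in which one placeholder was left unfilled
cat > "$tmp/cr.yaml" <<'EOF'
initialize_configuration:
  ic_ldap_creation:
    ic_ldap_admins_groups_name:
      - "CE_EnvironmentOwners"
  ic_obj_store_creation:
    object_stores:
      - oc_cpe_obj_store_admin_user_groups:
          - "environmentOwner"
          - "<Required>"
EOF
echo "appLoginUsername stored in ibm-fncm-secret: $(secret_value "$tmp/ibm-fncm-secret.yaml" appLoginUsername)"
echo "Unfilled <Required> entries in CR: $(count_required "$tmp/cr.yaml")"
```

Apply the rendered manifests with `kubectl apply -f` once `secret_value` returns the user names you created in the directory server, and treat a non-zero `count_required` as a stop condition: the CR is not ready to deploy while any `<Required>` entry remains.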
What to do next
To set up your own persistent volume (PV), persistent volume claim (PVC), and folders, see Creating volumes and folders for deployment.