Understanding users and groups
Security planning considerations for the FileNet P8 domain
- Authentication and authorization are separate processes.
-
Authentication (logon security) is separate from authorization (object and process security). The operator defines the JAAS login on the Content Platform Engine application server, so any user or group that can successfully log on to FileNet P8 resources can then be granted authorization to work within FileNet P8 interfaces. Users and groups are authenticated through the Content Platform Engine connection to the directory service provider.
After the initial Content Platform Engine deployment, you can use the Administration Console for Content Platform Engine (ACCE) to configure Content Platform Engine authorization by creating a directory configuration.
- Logins are done through JAAS.
-
FileNet P8 uses Java™ Authentication and Authorization Service (JAAS) for authentication. The JAAS-based authentication occurs between a Java EE client application, a Java EE application server, and one or more JAAS login modules. This process does not involve any FileNet P8 code.
FileNet P8 Platform uses JAAS for authentication only, not for authorization on stored objects. It also does not support the Java Security Manager.
- Determine single sign-on (SSO) requirements.
-
The Content Platform Engine uses JAAS-based authentication, so if a single sign-on (SSO) provider supplies a JAAS LoginModule for a supported application server, clients of FileNet P8 applications that are hosted in that application server can use that SSO solution. Where appropriate, the operator configures SSO support automatically.
- Decide how many authentication realms you require.
-
You require at least one authentication realm. The operator creates it during the initial deployment from the information provided in the custom resource (CR).
- Make sure that you have a directory service provider in place.
-
Directory services are provided by third-party directory servers. Refer to the IBM Software Product Compatibility Report for a full list of supported directory service providers.
- Understand the users and groups that are needed for FileNet P8.
-
All general administrative users and groups that need access to FileNet P8 based applications must be defined in one of the supported directory servers. If the operator initializes the FileNet P8 domain, the user account that is specified as appLoginUser in the ibm-fncm-secret becomes both the GCD administrator and the object store administrator, so include that user in the GCD administrator and object store administrator groups. For details on the users and groups to consider, see Creating Content Platform Engine directory server accounts.
- Understand the users and groups that are needed for Task Manager.
-
The P8 domain must be configured to use a directory server, and the users and groups that Task Manager uses must reside in that directory server. The Task Manager deployment requires that every user belongs to one of three groups (roles) that are specific to Task Manager. You can also define custom groups in the CR.
- TaskAdmins
- Users who are associated with this role can see and modify all of the tasks in the system.
- TaskUsers
- Users who are associated with this role can create tasks. They can also see and modify only the tasks that they create. They cannot see tasks that are created by other users.
- TaskAuditors
- Users who are associated with this role can see and modify all of the audit records in the system.
Create these groups in your LDAP or SCIM directory server, and assign all Task Manager users to the appropriate group.
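The following is an added example, not code from the IBM documentation or the Task Manager product: before deployment it audits an LDIF export of the three Task Manager groups and reports every intended Task Manager user who is in none of them (and shows users who hold more than one role, so that can be confirmed as intended). The suffix dc=example,dc=com, the group and user DNs, and the groupOfNames/member schema are assumptions for the sample; substitute the export from your own directory server.

```python
"""Audit Task Manager role membership in an LDAP group export (added example)."""
from collections import defaultdict

# The three Task Manager roles named in the text.
TASK_MANAGER_GROUPS = ("TaskAdmins", "TaskUsers", "TaskAuditors")

# Constructed sample LDIF export of the three groups. The suffix, group DNs and
# user DNs are invented for this example; they are not from the IBM documentation.
# One member value is folded over two lines and one uses different letter case,
# two things a real export will contain.
SAMPLE_LDIF = """\
dn: cn=TaskAdmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: TaskAdmins
member: uid=alice,ou=users,dc=example,dc=com

dn: cn=TaskUsers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: TaskUsers
member: uid=bob,ou=users,dc=example,dc=com
member: uid=carol,ou=users,dc=example,
 dc=com

dn: cn=TaskAuditors,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: TaskAuditors
member: uid=dave,ou=users,dc=example,dc=com
member: UID=Alice,OU=users,DC=example,DC=com
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.

    Blank lines separate entries and a leading space folds a value onto the
    previous line. Base64 (::) and URL (:<) values are not expected in a group
    export and are rejected rather than silently mis-parsed.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if raw.startswith("#"):
            continue
        attr, sep, value = raw.partition(":")
        if not sep or value.startswith(":") or value.startswith("<"):
            raise ValueError(f"unsupported LDIF line: {raw!r}")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def audit_task_manager_membership(ldif_text, users):
    """Return {user_dn: set of Task Manager roles} for every DN in `users`.

    DNs are compared case-insensitively (a simplification of LDAP DN matching
    that is adequate for dc/ou/uid style names). An empty set means the user
    is in none of the three groups and cannot use Task Manager.
    """
    roles = defaultdict(set)
    for entry in parse_ldif(ldif_text):
        cn = entry.get("cn", [""])[0]
        if cn not in TASK_MANAGER_GROUPS:
            continue
        for member in entry.get("member", []):
            roles[member.lower()].add(cn)
    return {user: roles.get(user.lower(), set()) for user in users}


def users_without_role(ldif_text, users):
    """Sorted list of the users that hold no Task Manager role at all."""
    report = audit_task_manager_membership(ldif_text, users)
    return sorted(user for user, assigned in report.items() if not assigned)


if __name__ == "__main__":
    # Constructed list of the people who are supposed to use Task Manager.
    wanted = [f"uid={name},ou=users,dc=example,dc=com"
              for name in ("alice", "bob", "carol", "dave", "erin")]
    for user, assigned in audit_task_manager_membership(SAMPLE_LDIF, wanted).items():
        print(f"{user}: {sorted(assigned) or 'NO TASK MANAGER ROLE'}")
```

Run it against an ldapsearch export of the three groups and the list of accounts that are expected to use Task Manager; anything reported with no role needs to be added to TaskAdmins, TaskUsers or TaskAuditors before users try to log on.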
- Avoid overlapping realm definitions.
-
If you define multiple directory service providers in the CR, repositories with overlapping suffixes are not supported. For example, the following two repositories with overlapping Base entry distinguished names are not supported. The domain component attributes (dc=ibm,dc=com) are the same for the following entries:
ou=users,dc=ibm,dc=com
dc=ibm,dc=com
This restriction mainly applies to Active Directory parent and child domains, since by definition, parent and child domains in Active Directory have overlapping suffixes.
The repositories in the following example are supported because they are sibling repositories and do not overlap. The domain component attributes differ; they have different child components (dc=tivoli versus dc=filenet):
dc=tivoli,dc=ibm,dc=com
dc=filenet,dc=ibm,dc=com
The Content Engine realm attribute is mapped one-to-one to the NamingContext LDAP attribute in most systems.
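The overlap rule above is mechanical enough to check before the CR is applied. The following is an added example, not code from the IBM documentation or the operator: it normalizes each base entry DN (case-folded, whitespace-trimmed, commas escaped per RFC 4514 left alone) and reports any pair where one entry is the other or lies beneath it, which is exactly the overlapping-suffix case the text rules out. The base entries in the sample are the ones from the text plus an invented Active Directory parent/child pair (dc=child,dc=corp,dc=example,dc=com and dc=corp,dc=example,dc=com); how the base entries are named in your CR's directory definitions is not assumed here, copy them into the list by hand.

```python
"""Detect overlapping directory base entries before applying a CR (added example)."""
import re

# Split a DN on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Return the DN as a tuple of normalised RDN strings, leaf first.

    Attribute types are case-insensitive, and the values that make up a base
    entry (dc, ou, o) match case-insensitively in the common schemas, so both
    are case-folded and surrounding whitespace is dropped.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def overlaps(base_a, base_b):
    """True if the two base entries are the same entry or one lies under the other.

    A DN lies under another when its trailing RDNs (the ancestor side) equal
    the other DN. Siblings such as dc=tivoli,dc=ibm,dc=com and
    dc=filenet,dc=ibm,dc=com share a parent but neither is under the other.
    """
    a, b = normalize_dn(base_a), normalize_dn(base_b)
    shorter, longer = sorted((a, b), key=len)
    return longer[len(longer) - len(shorter):] == shorter


def find_overlaps(base_entries):
    """Return every pair of base entries that overlap; an empty list means OK."""
    problems = []
    for i, first in enumerate(base_entries):
        for second in base_entries[i + 1:]:
            if overlaps(first, second):
                problems.append((first, second))
    return problems


if __name__ == "__main__":
    # Constructed set of base entries as they might be copied out of a CR's
    # directory definitions; the AD child-domain pair is invented for the example.
    candidates = [
        "dc=tivoli,dc=ibm,dc=com",
        "dc=filenet,dc=ibm,dc=com",
        "ou=users,dc=ibm,dc=com",
        "DC=child,DC=corp,DC=example,DC=com",
        "dc=corp, dc=example, dc=com",
    ]
    for first, second in find_overlaps(candidates):
        print(f"overlap: {first!r} and {second!r}")
```

Note that the check only catches overlap that is visible in the DNs; two directory servers that both serve dc=ibm,dc=com are still overlapping realms even though a single-entry list passes, so run it over the base entries of every directory service provider defined in the CR together.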