Task 3: Importing to the Decision Center database

In this task, you import into Decision Center the groups and users that you created in your LDAP.

About this task

At this point, you can log in to Decision Center as:
  • Jim or Sue, whom you created in your LDAP registry, and any of the users declared in the Liberty basic registry for the other tutorials. All these users are authenticated with the rtsUser role by default.
  • The rtsAdmin administrative power user found in the basic registry, and mapped to both the rtsAdministrator and rtsInstaller roles. The user Paul, mapped only to the rtsAdministrator role, is used in the other tutorials.

Because you have not yet imported Jim, Sue, and their groups to the Decision Center database, these users cannot access any decision service after you enforce security. Note also that these users are not yet visible as participants in the decision governance framework.

Step 1: Creating the connection to the LDAP

About this task

In this step, you create a separate connection to the LDAP as an administrative user. The Business console facilitates the task of importing groups and users to the Decision Center database.

Procedure

  1. Log in to the Decision Center Business console with the user/password combination rtsAdmin/rtsAdmin.
    In the user profile, notice that this user does not belong to any group.
  2. Click the Administration tab.
    Explore both the Users and Groups subtabs, which show what users and groups exist in the Decision Center database. All these users and groups were created manually, through an Ant task, as part of the sample server setup (see Opening Decision Center on the sample server). These users are deleted when you import from the LDAP.
  3. In the Administration tab, click Connection Settings.
  4. Click the New Connection button.
  5. In the New Connection panel, enter the following information:
    Table 1.
    Field                     Information
    Connection name           Apache DC
    LDAP URL                  ldap://localhost:10389
    Bind DN or user           uid=admin,ou=system
    Bind password             secret
    Group search base         ou=groups,dc=example,dc=com
    Group search filter       (cn=*)
    Group name attribute      cn
    Group member attribute    member
    User login id attribute   uid
    User name attribute       cn
    With this information, Decision Center goes through your domain (ou=groups,dc=example,dc=com) in search of all groups (cn=*). Decision Center then copies to its database:
    • The group name
    • The members of this group, specifically the uid as login name and the cn as display name.

    The user email attribute is not used in this tutorial.

  6. Click Create.

    Make sure that the connection status shows a green checkmark.

Step 2: Importing groups and their users

About this task

In this step, you import the groups that you created and their users.

Procedure

  1. Click the Groups tab.
  2. Click the Import Groups for LDAP directories icon.
  3. Expand the entries and select the Checkers and Scoring groups:
    [Figure: Import Groups screen]
  4. Click Import groups and users.
    The groups that you created in the LDAP now exist in the Decision Center database, and each group has one member.
  5. Click the Users tab.
    Your new users exist in the Decision Center database with their uid value as the login name and their cn value as Display name. All manually created users are deleted:

    [Figure: User tab]

Step 3: Creating a new group

About this task

In this step, you create a new group containing a new user in the LDAP to see the automatic refresh, and to further your knowledge of the administrator role. A command is available that automatically creates the following:
  • Group name: BCAdmin
  • User name: Bob
    • The cn value set to Bob Brown
    • The sn value set to Bob
    • The password set to Bob

Procedure

  1. In the Sample Server, make sure you are in the Samples Console perspective. Then, in the Samples Commands view, expand Decision Center > LDAP User Management.
  2. Click add.bob to import the new user and group.
    Wait for the BUILD SUCCESSFUL message.
  3. The new user Bob is not automatically imported to the Decision Center database because the LDAP refresh that you implemented is based on groups. You must include this group for the automatic import. In the Business console, in the Groups tab, click the Import Groups for LDAP directories icon.
  4. Expand the entries, add BCAdmin, and click Import groups and users.
    The new group and its user are now available in the Decision Center database. From now on, any user that you add in the LDAP to any of the three existing groups gets automatically imported.
  5. In preparation for the next task, set the permissions profile for the new group. In the Groups tab, hover over BCAdmin and click the Edit button.
    All new groups that you import are mapped to the rtsUser role by default. Here, you want the BCAdmin group to have administrator rights.
  6. Under Roles, remove rtsUser, add rtsAdministrator, and keep the Permissions profile set to None:

    [Figure: Promoting group to administrators]

  7. Click Done.
  8. Log out and log back in as Bob.
    Notice that the user profile for Bob Brown includes the group BCAdmin, and that this user can see the Administration tab. You can give administrator access to a dedicated group of users imported into the Decision Center database. In this case, note the following:
    • These administrators differ from the administrative "power" user that you declare in the basic registry.
    • Groups of administrative users do not need to be given access to decision services because they have all the rights. You see this in the next task.
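
The attribute mapping described in Step 1 and the group-based import noted in Step 3 can be traced on a small in-memory directory. This is an added example, not Decision Center code: it only mimics the mapping the page describes. The user DNs (ou=users,...), the display names of Jim and Sue, the group memberships, the user Ann, and the skipping of unresolved member DNs are assumptions.

```python
from fnmatch import fnmatchcase

# Values from the connection table on this page.
BASE, FILTER = "ou=groups,dc=example,dc=com", "(cn=*)"
NAME_ATTR, MEMBER_ATTR, LOGIN_ATTR, DISPLAY_ATTR = "cn", "member", "uid", "cn"

# Constructed directory (DN -> attributes). User DNs, the display names of
# Jim and Sue, and who belongs to which group are assumptions for this example.
U = "ou=users,dc=example,dc=com"
DIRECTORY = {
    f"cn=Checkers,{BASE}": {"cn": ["Checkers"], "member": [f"uid=Jim,{U}"]},
    f"cn=Scoring,{BASE}": {"cn": ["Scoring"], "member": [f"uid=Sue,{U}"]},
    f"cn=BCAdmin,{BASE}": {"cn": ["BCAdmin"], "member": [f"uid=Bob,{U}"]},
    f"uid=Jim,{U}": {"uid": ["Jim"], "cn": ["Jim Example"]},
    f"uid=Sue,{U}": {"uid": ["Sue"], "cn": ["Sue Example"]},
    f"uid=Bob,{U}": {"uid": ["Bob"], "cn": ["Bob Brown"], "sn": ["Bob"]},
    f"uid=Ann,{U}": {"uid": ["Ann"], "cn": ["Ann Example"]},  # member of no group
}

def matches(entry, ldap_filter):
    """Evaluate a simple (attr=pattern) filter; '*' is a wildcard."""
    attr, _, pattern = ldap_filter.strip("()").partition("=")
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in entry.get(attr, []))

def find_groups(directory):
    """Group name -> entry for every entry under BASE that matches FILTER."""
    suffix = "," + BASE.lower()
    return {e[NAME_ATTR][0]: e for dn, e in directory.items()
            if dn.lower().endswith(suffix) and matches(e, FILTER)}

def import_groups(directory, selected):
    """Return {group: [(login, display name), ...]} for the selected groups."""
    by_dn = {dn.lower(): e for dn, e in directory.items()}
    result = {}
    for name, group in find_groups(directory).items():
        if name not in selected:
            continue  # only groups ticked in the import dialog are copied
        users = []
        for member_dn in group.get(MEMBER_ATTR, []):
            user = by_dn.get(member_dn.lower())
            if user and user.get(LOGIN_ATTR):  # assumption: skip unresolved DNs
                users.append((user[LOGIN_ATTR][0], user[DISPLAY_ATTR][0]))
        result[name] = users
    return result

def imported_logins(directory, selected):
    """Sorted login names that end up in the database for the selected groups."""
    groups = import_groups(directory, selected)
    return sorted({login for users in groups.values() for login, _ in users})
```

With only Checkers and Scoring selected, Bob exists in the directory but is not imported; adding BCAdmin to the selection brings him in, while Ann, who belongs to no group, never appears.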

What to do next

The next task shows the basics of how to enforce security on decision services.