Process Manager, in its default configuration, provides security through the following methods:
- User authentication
- Role-based access control
Two models for user authentication are supported. In js.conf, specify JS_LOGIN_REQUIRED=true|false, which indicates whether a user is asked to log in when they start Process Manager Clients or not.
If JS_LOGIN_REQUIRED=false, no login is required.
If JS_LOGIN_REQUIRED=true, when the user starts Calendar Editor or Flow Manager they are prompted for a user name and password which is verified by the Process Manager Server. If the user name is a Windows user name, it must also include the domain name. The domain name and user name are passed to the server for verification. The Process Manager Server tries to verify the user name from the domain.
Process Manager supports LDAP authentication through PAM (Pluggable Authentication Modules, a 3rd-party tool) if JS_LOGIN_REQUIRED=true.
To enable LDAP authentication, you need to configure your PAM policy to add a service name eauth_userpass for the module type: auth.
For example, in a Solaris system, you may add the following entry in the /etc/pam.conf file:
eauth_userpass auth required pam_ldap.so.1
Role-based access control
In addition to authentication, Process Manager uses role-based access control to secure certain types of objects.
By default, any user in Process Manager can create and submit their own flow definitions, and monitor and control their own flows, as long as their user ID is recognized by LSF®. In addition, by default all users can view calendars and flows submitted by another user. However, special permissions are required to install and configure Process Manager, or to modify Process Manager items on behalf of another user.
Process Manager recognizes the following roles:
- Normal user
- Primary Process Manager administrator
- Process Manager administrator
- Process Manager Control administrator
- Process Manager Group administrator
The following roles are in IBM Spectrum LSF Application Center:
- Primary Flow Administrator (same as Primary Process Manager administrator)
- Flow Administrator(same as Process Manager administrator)
- Flow Control Administrator(same as Process Manager Control administrator)
- Flow Designer. This role is only defined and enforced in IBM Spectrum LSF Application Center. Users can design flows with the Flow Editor Java client without having the Flow Designer role.
- Normal User
You can enable encrypted communications between Process Manager Server and its clients to further secure the Process Manager network. Set the parameter JS_ENCRYPTION=true in the configuration file js.conf on the Server, and also set JS_ENCRYPTION=true in the js.conf file on all clients.