IBM BPM version 8570 cumulative fix 2017.06

Managing service accounts for IBM BPM on Cloud

A service account is used by client applications to authenticate to the IBM® BPM on Cloud environment. Create a service account by generating service credentials.

Before you begin

To manage service accounts, you must have the Account Administrator role. For more information about service accounts, see Managing IBM BPM on Cloud accounts.

About this task

Service credentials consist of a unique functional ID and a password.
Functional ID
The functional ID is generated from the alias you specify for the service account. The functional ID is specific to the IBM BPM on Cloud tenant on which it is created; you can't use it on other tenants in your environment. Like regular user IDs, you grant functional IDs permissions for the operating environments that the client applications use and the roles that the applications might need. However, you cannot use these IDs to manually log in to an IBM BPM user interface, such as Process Portal. You also cannot use the user provisioning API to create or delete functional IDs.
Password
The password is a randomly generated character string that is long and complex enough to resist brute-force guessing. Passwords never expire and cannot be changed in place. Instead, you replace the existing service credentials by generating a new functional ID and password, making them available to your programmers, and then deleting the previous ones. Because a password stays valid until its functional ID is deleted, a leaked password also stays valid until you delete it. For security reasons, renew service credentials according to your password renewal policies, for example, once a year, and delete a functional ID immediately if you suspect that its credentials have been exposed.

You decide how many service accounts your IBM BPM on Cloud environment needs. For example, you might have several applications that use one account and other applications that each use their own accounts.

Procedure

To create a service account, complete the following steps:

  1. Log in to IBM BPM on Cloud (https://www.bpm.ibmcloud.com).
  2. Click Admin > User Management.
  3. Create the credentials for the service account.
    1. On the Service Credentials page, click CREATE CREDENTIALS, and give the service an alias. A functional ID alias can contain the following characters: A through Z, a through z, 0 through 9, . (period), - (dash), and _ (underscore).
      The functional ID and password are displayed.
      Important: The credentials are displayed only when you create them. If you close the window without copying the credentials, you cannot display them again, and you must create a new set.
    2. Save the credentials by clicking COPY TO CLIPBOARD.
  4. Give the functional ID access to the operating environments that applications need to access.

    On the User Management page, find the functional ID in the list of users, and grant it permissions for the appropriate IBM BPM on Cloud environments. For example, if the functional ID is used by user provisioning applications, assign the Account Administrator role to the functional ID. If client applications require IBM BPM roles too, for example, tw_admins for an IBM BPM administrative client, click the functional ID to assign them. Grant only the environments and roles that the client application actually needs.

What to do next

Distribute service credentials.
Credentials that are hardcoded in application code cannot be renewed without changing and redeploying the code, so your programmers should never embed service credentials in their application code. Instead, make the credentials available to the client application environment, for example, in a configuration file or credential vault, so that client applications can read them at run time. Store and distribute these credentials securely so that unauthorized parties cannot access them.
Renew service credentials.
To ensure that applications don’t lose access rights to IBM BPM on Cloud when you renew service credentials, keep both the old and new credentials in the client application environment valid for a period of time. Coordinate the length of this overlap period with your programmers so that it reflects the maximum time that all clients in the application environment need to refresh their service credentials. For more information, see Designing client applications to use APIs.
To renew credentials:
  1. Create a set of service credentials from the Service Credentials page.
  2. In the client application environment, replace the old service credentials with the new ones.
  3. Wait for your chosen overlap period.
  4. Delete the old service account.
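The following is an added example, not code from this page or from IBM BPM on Cloud, of how a client application can follow the distribution and renewal advice above: it reads the functional ID and password from settings (such as os.environ or a parsed configuration file) instead of hardcoding them, and keeps a "previous" set beside the "current" one during the overlap period so that a client whose new credentials were copied incorrectly keeps working until the old account is deleted. The setting names (BPM_SVC_ID and so on), the use of HTTP Basic authentication, and all functional IDs and passwords are assumptions of the example; the tenant is simulated in memory, so nothing is contacted.

```python
"""Added example (not IBM's code): client-side handling of service credentials
with a renewal overlap period. Setting names, the HTTP Basic scheme and all
credential values are assumptions; the tenant is an in-memory stand-in."""
import base64
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class ServiceCredentials:
    functional_id: str
    password: str

    def basic_auth_header(self) -> str:
        # Authorization header value; HTTP Basic is assumed for the example.
        raw = f"{self.functional_id}:{self.password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")


# Hypothetical setting names chosen for this example.
CURRENT_KEYS = ("BPM_SVC_ID", "BPM_SVC_PASSWORD")
PREVIOUS_KEYS = ("BPM_SVC_PREV_ID", "BPM_SVC_PREV_PASSWORD")


def load_credential_sets(settings: Dict[str, str]) -> Tuple[ServiceCredentials, Optional[ServiceCredentials]]:
    """Read the required current set and, only during an overlap period, the
    previous set. A missing current set fails loudly instead of sending an
    empty functional ID to the tenant."""
    try:
        current = ServiceCredentials(settings[CURRENT_KEYS[0]], settings[CURRENT_KEYS[1]])
    except KeyError as exc:
        raise RuntimeError(f"service credentials not configured: missing {exc}") from None
    previous = None
    if all(key in settings for key in PREVIOUS_KEYS):
        previous = ServiceCredentials(settings[PREVIOUS_KEYS[0]], settings[PREVIOUS_KEYS[1]])
    return current, previous


class Tenant:
    """In-memory stand-in for the tenant: the functional IDs and passwords
    that currently exist under Admin > User Management."""

    def __init__(self) -> None:
        self._accepted: Dict[str, str] = {}

    def create_credentials(self, creds: ServiceCredentials) -> None:
        self._accepted[creds.functional_id] = creds.password

    def delete_account(self, functional_id: str) -> None:
        self._accepted.pop(functional_id, None)

    def verify(self, header: str) -> bool:
        """Accept a Basic header only for an existing ID with a matching password."""
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        expected = self._accepted.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class RotatingClient:
    """Prefers the current set; falls back to the previous set, which works only
    while the tenant still has that account (the overlap period)."""

    def __init__(self, current: ServiceCredentials, previous: Optional[ServiceCredentials],
                 verify: Callable[[str], bool]) -> None:
        self.current, self.previous, self.verify = current, previous, verify

    def authenticate(self) -> Optional[str]:
        """Return 'current' or 'previous' for the set that authenticated, else None."""
        if self.verify(self.current.basic_auth_header()):
            return "current"
        if self.previous and self.verify(self.previous.basic_auth_header()):
            return "previous"
        return None


def simulate_renewal() -> Dict[str, Optional[str]]:
    """Walk the renewal steps and record which set authenticates at each stage.
    All IDs and passwords are constructed for the example."""
    tenant, result = Tenant(), {}
    old = ServiceCredentials("svc-billing-old", "R3p0rt!ng-0ld-xK9")
    new = ServiceCredentials("svc-billing-new", "n3wP4ss-Qz7!mL2v")
    tenant.create_credentials(old)
    stale = RotatingClient(old, None, tenant.verify)          # client never refreshed
    result["before renewal"] = stale.authenticate()

    tenant.create_credentials(new)                            # step 1: create the new set
    current, previous = load_credential_sets({                # step 2: roll out, old kept
        "BPM_SVC_ID": new.functional_id, "BPM_SVC_PASSWORD": new.password,
        "BPM_SVC_PREV_ID": old.functional_id, "BPM_SVC_PREV_PASSWORD": old.password})
    refreshed = RotatingClient(current, previous, tenant.verify)
    mistyped = RotatingClient(ServiceCredentials(new.functional_id, "copied-wrong"),
                              previous, tenant.verify)        # bad copy of the new password
    clients = {"refreshed": refreshed, "stale": stale, "mistyped": mistyped}
    for name, client in clients.items():                      # step 3: during the overlap
        result["overlap, " + name] = client.authenticate()

    tenant.delete_account(old.functional_id)                  # step 4: old account deleted
    for name, client in clients.items():
        result["after deletion, " + name] = client.authenticate()
    return result
```

Running simulate_renewal() shows the point of the overlap: during it the stale client still works and the mistyped client survives on the previous set, so the problem can be found and fixed; once the old account is deleted, both fail and only the correctly refreshed client authenticates. The fallback is deliberately limited to the previous set, so a client never keeps using retired credentials indefinitely.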
Delete service accounts.
You might want to delete a service account that is no longer needed, for example, because you generated a new set of service credentials for the client applications that use the account. Before you delete the account, ensure that the functional ID is not used by any running applications. On the User Management page, delete the service account by removing the functional ID.