Managing service accounts for IBM BPM on Cloud
A service account is used by client applications to authenticate to the IBM® BPM on Cloud environment. Create a service account by generating service credentials.
Before you begin
About this task
Service credentials consist of a unique functional ID and a password.
- Functional ID
- The functional ID is generated from the alias you specify for the service account. The functional ID is specific to the IBM BPM on Cloud tenant on which it is created; you can't use it on other tenants in your environment. Like regular user IDs, you grant functional IDs permissions for the operating environments that the client applications use and the roles that the applications might need. However, you cannot use these IDs to manually log in to an IBM BPM user interface, such as Process Portal. You also cannot use the user provisioning API to create or delete functional IDs.
- Password
- The password is a randomly generated character string that is sufficiently long and complex to be considered safe against brute-force attacks. Passwords never expire and you cannot renew them. Instead, you must replace the existing service credentials by generating a new functional ID and password, making them available to your programmers, and then deleting the previous ones. For security reasons, consider renewing service credentials according to your password renewal policies, for example, once a year.
You decide how many service accounts your IBM BPM on Cloud environment needs. For example, you might have several applications that use one account and other applications that each use their own accounts.
Procedure
To create a service account, complete the following steps:
What to do next
- Distribute service credentials.
- To enable password policies to be easily applied to client applications, your programmers should never hardcode service credentials in their application code. Instead, make the credentials available to the client application environment so that they can be easily accessed by client applications, for example, in a configuration file or credential vault. Ensure that you store and distribute these credentials securely so that they cannot be accessed by third parties.
- Renew service credentials.
- To ensure that applications don’t lose access rights to IBM BPM on Cloud when you renew service credentials, keep both the old and new credentials in the client application environment valid for a period of time. Coordinate the length of this overlap period with your programmers so that it reflects the maximum time that all clients in the application environment need to refresh their service credentials. For more information, see Designing client applications to use APIs.
- To renew credentials:
- Create a set of service credentials from the Service Credentials page.
- In the client application environment, replace the old service credentials with the new ones.
- Wait for your chosen overlap period.
- Delete the old service account.
- Delete service accounts.
- You might want to delete a service account that is no longer needed, for example, because you generated a new set of service credentials for the client applications that use the account. Before you delete the account, ensure that the functional ID is not used by any running applications. On the User Management page, delete the service account by removing the functional ID.
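The following client-side sketch is an added example and is not IBM's code; it illustrates the "Distribute service credentials" and "Renew service credentials" items above. It assumes that the credentials are read from a JSON configuration file outside the application code, that the client sends them as HTTP basic authentication (a simplification; the real protocol is not described here), and that a client which is rejected re-reads the file once before failing. The server, file names, functional IDs and passwords are all constructed stand-ins.

```python
"""Client-side handling of renewable service credentials (added example, not IBM's code).

Assumptions: credentials come from a JSON config file, never from source code;
authentication is HTTP basic auth from functional ID + password (simplified);
a rejected client reloads the file once, which is how it picks up renewed
credentials during the overlap period."""
import base64
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple


def write_config(path: str, functional_id: str, password: str) -> None:
    """Distribution step: put the credentials in a file the application can read."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"functional_id": functional_id, "password": password}, f)
    os.chmod(path, 0o600)  # readable only by the service owner


def load_credentials(path: str) -> Tuple[str, str]:
    with open(path, encoding="utf-8") as f:
        cfg = json.load(f)
    return cfg["functional_id"], cfg["password"]


def basic_auth_header(functional_id: str, password: str) -> str:
    raw = f"{functional_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class FakeBpmServer:
    """Constructed stand-in for the tenant's credential check, not the real service."""

    def __init__(self) -> None:
        self.valid: Dict[str, str] = {}  # functional ID -> password

    def add_service_account(self, functional_id: str, password: str) -> None:
        self.valid[functional_id] = password

    def delete_service_account(self, functional_id: str) -> None:
        self.valid.pop(functional_id, None)

    def accepts(self, auth_header: str) -> bool:
        if not auth_header.startswith("Basic "):
            return False
        fid, _, pw = base64.b64decode(auth_header[6:]).decode("utf-8").partition(":")
        return fid in self.valid and hmac.compare_digest(self.valid[fid], pw)


class BpmClient:
    """Caches credentials at startup and reloads them once if they are rejected."""

    def __init__(self, config_path: str, server: FakeBpmServer) -> None:
        self.config_path = config_path
        self.server = server
        self.functional_id, self.password = load_credentials(config_path)

    def call(self) -> str:
        """Make one authenticated call; return the functional ID that was accepted."""
        if self.server.accepts(basic_auth_header(self.functional_id, self.password)):
            return self.functional_id
        # Rejected: the credentials in the config file may have been replaced
        # during the overlap period, so reload them and retry once.
        self.functional_id, self.password = load_credentials(self.config_path)
        if self.server.accepts(basic_auth_header(self.functional_id, self.password)):
            return self.functional_id
        raise PermissionError("credentials rejected after reload; renewal overlap may have ended")


def rotation_walkthrough() -> List[str]:
    """Run the renewal steps against the fake server; return the ID used per call."""
    server = FakeBpmServer()
    server.add_service_account("fid-old-EXAMPLE", "old-pw-EXAMPLE")
    used = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bpm-credentials.json")
        write_config(path, "fid-old-EXAMPLE", "old-pw-EXAMPLE")
        client = BpmClient(path, server)
        used.append(client.call())                       # old credentials accepted
        server.add_service_account("fid-new-EXAMPLE", "new-pw-EXAMPLE")  # step 1: new set
        write_config(path, "fid-new-EXAMPLE", "new-pw-EXAMPLE")          # step 2: replace
        used.append(client.call())                       # cached old set is still valid
        server.delete_service_account("fid-old-EXAMPLE")  # steps 3-4: overlap over, old deleted
        used.append(client.call())                       # rejected once, reloads, uses new
    return used


def stale_config_is_rejected() -> bool:
    """A client whose config file was never updated fails once the old account is gone."""
    server = FakeBpmServer()
    server.add_service_account("fid-old-EXAMPLE", "old-pw-EXAMPLE")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bpm-credentials.json")
        write_config(path, "fid-old-EXAMPLE", "old-pw-EXAMPLE")
        client = BpmClient(path, server)
        server.delete_service_account("fid-old-EXAMPLE")
        try:
            client.call()
        except PermissionError:
            return True
    return False
```

The reload-on-rejection behaviour is what makes the overlap period work: a long-running client keeps using the old set until the old account is deleted, then picks up the new set from the file without a restart. The overlap must therefore be at least as long as it takes every client to either restart or hit a rejection and reload, which is the coordination the text asks you to agree with your programmers.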