Security configuration properties

Use the WebSphere command-line administration tool (wsadmin) AdminConfig commands to access and modify IBM® Business Process Manager security properties as configuration objects.

The term configuration object refers to an object that is accessed by using the wsadmin AdminConfig commands. See Commands for the AdminConfig object using wsadmin scripting. Configuration objects may be nested, which means that a configuration object may contain other configuration objects. For example, the BPMServerSecurity configuration object is located below two other configuration objects: BPMDeploymentTargetConfigExtension.BPMProcessServer.BPMServerSecurity.
Tip: The properties listed below are no longer configurable using the 99local.xml and 100custom.xml configuration files.
Configuration in the BPMConsoleSection configuration object allows you to control which navigator entries appear for which users in the Process Admin Console. Note that this does not control authorization to the underlying functionality. For example, the creation of an internal group requires a user to be a member of the bpmAdminGroup (which defaults to tw_admins). If you change the bpmAdminGroup setting, you must also change many of the navigator entries in the BPMConsoleSection configuration object to make sure that users of this newly configured group can actually see the screens to perform these administrative actions.
Note: All of the properties listed below can be modified by replacing the previous values, except for properties that are contained in the BPMActionPolicy and BPMConsoleSection configuration objects. For BPMActionPolicy, you do not modify existing values; instead, you add and remove roles. For BPMConsoleSection, you do not modify existing values; instead, you add and remove constraints.
Table 1. IBM Business Process Manager configuration objects and security properties
Columns: configuration object; ConfigObject containment path (all editions except IBM Business Process Manager Express®); property name; description; default value.

BPMAuthAliasRoleType
Containment path: /Cell:<cellName>/BPMCellConfigExtension:/BPMDeploymentEnvironment:<DeName>/BPMAuthAliasRoleType:/
Properties: BPCUser, BPMAuthor, BPMUser, BPMWebserviceUser, CEIDbUser, CEIUser, CellAdmin, DeAdmin, EmbeddedECMTechnicalUser, EventManagerUser, PerformanceDWUser, ProcessCenterUser, ProcessServerUser, RALUser, SCAUser, SCADeploymentUser
Description: Refer to IBM Business Process Manager security roles for role descriptions.

BPMActionPolicy
Containment path: /ServerCluster:clusterName/BPMClusterConfigExtension:/BPMPortal:/BPMActionPolicy:/BPMPolicyAction:/
Properties: ACTION_ABORT_INSTANCE, ACTION_SUSPEND_INSTANCE, ACTION_RESUME_INSTANCE, ACTION_ADD_COMMENT, ACTION_ADD_HELP_REQUEST, ACTION_RESPOND_HELP_REQUEST, ACTION_ASSIGN_TASK, ACTION_ASSIGN_AND_RUN_TASK, ACTION_REASSIGN_TASK, ACTION_REASSIGN_TASK_USER_ROLE, ACTION_CHANGE_TASK_DUEDATE, ACTION_CHANGE_INSTANCE_DUEDATE, ACTION_CHANGE_TASK_PRIORITY, ACTION_MOVE_TOKEN, ACTION_DELETE_TOKEN, ACTION_INJECT_TOKEN, ACTION_VIEW_PROCESS_DIAGRAM, ACTION_VIEW_PROCESS_AUDIT, ACTION_CHANGE_CRITICAL_PATH, ACTION_ADD_DOCUMENT, ACTION_UPDATE_DOCUMENT, ACTION_DELETE_DOCUMENT, ACTION_DELETE_INSTANCE, ACTION_FIRE_TIMER, ACTION_RETRY_INSTANCE, ACTION_SEND_EVENT
Description: Refer to Configuration properties for Process Portal action policies for property descriptions.

BPMServerSecurity
Containment path: /ServerCluster:clusterName/BPMClusterConfigExtension:/BPMProcessServer:/BPMServerSecurity:/
  • deploySnapshotUsingHttps
    Used to force the Process Center Server to use https to deploy ProcessApps and Toolkits to Process Servers.
    Note: This setting is ignored for Process Server runtimes 8.5.0.1 or later.
    Default value: false
  • wildcardProcessingOptimized
    Used for enabling searches for user registries with or without wildcards. When set to true, this optimizes searches.
    Default value: false
  • externalUserQueryLimit
    The maximum number of users in Process Admin Console or Process Center to be specified for any "add-user" or "look up user" activity.
    Default value: 100

BPMServerSecurityUsers
Containment path: /ServerCluster:clusterName/BPMClusterConfigExtension:/BPMProcessServer:/BPMServerSecurity:/BPMServerSecurityUsers:/
  • notifyError
    If an Event Manager task fails, a task is created for the failing task. For example, UCA execution. This property defines one or more user IDs to receive the task. Each user ID is separated from the others by a semicolon.
    Default value: User in DeAdmin role
  • userToCreateTask
    The user ID that is set in the task's receivedFrom field. This user must be assigned to the DeAdmin role.
    Default value: User in DeAdmin role
  • userToCloseTask
    The user ID that is set in a task that is cancelled by the system. This user must be assigned to the DeAdmin role.
    Default value: User in DeAdmin role

BPMServerSecurityGroups
Containment path: /ServerCluster:clusterName/BPMClusterConfigExtension:/BPMProcessServer:/BPMServerSecurity:/BPMServerSecurityGroups:/
  • processHelpAccess
    Used to request help from other process participants on a process instance or its related tasks.
    Default value: tw_admins
  • debug
    Specifies the role membership that users must have in order to access debugging functionality. Only one debug role can be defined.
    Default value: Debug
  • bpmAdminGroup
    Members of this group have full access to all interfaces, assets, servers, and security. Must have at least one user.
    Default value: tw_admins
  • processCenterInstall
    A user must be a member of process-center-install-group in addition to having the default access. For example, to install to a process server in a production environment, a user must have administrative access to the process application that is being installed and must also be a member of process-center-install-group.
    Default value: None
  • offlineInstall
    Used to limit the offline installation to specific groups.
    Default value: None
  • bpmAuthorGroup
    Members of this group have access to the Designer and other interfaces in the Process Designer, including the Process Center console. From the Process Center console, members of this group can create process applications and toolkits and control access to projects. Access to other process applications and toolkits (projects) and the assets they contain is controlled by Process Center repository administrators.
    Default value: tw_authors

BPMVirtualHostInfo
Containment path: /ServerCluster:clusterName/BPMClusterConfigExtension:/BPMProcessServer:/BPMVirtualHostInfo:/
  • hostname, port, transportProtocol
    A configuration object that is used with the wsadmin command to specify the host name, port number, and transport protocol of a proxy server for Process Center or Process Server configuration. The BPMVirtualHostInfo object has three properties:
    • hostname
    • port
    • transportProtocol
    An example of how to specify the BPMVirtualHostInfo object with the wsadmin command is shown below in the section Modifying security properties using the AdminConfig object commands.
    Note: The BPMVirtualHostInfo object replaces the base-url property that was used in the 99local.xml configuration file to specify the host name and port number of a proxy server in earlier releases of IBM BPM.
    Default values: hostname: None; port: -1; transportProtocol: https

BPMPerformanceDataWarehouse
Containment path: /ServerCluster:%s/BPMClusterConfigExtension:/BPMPerformanceDataWarehouse:/BPMViewManager:/BPMSystem:/
  • viewUser
    Used to create a prefix for the views that Performance Data Warehouse creates for tracking groups. Used like a schema name.

Table 2. IBM Business Process Manager Process Admin Console configuration objects and security properties
Columns: configuration object; configuration object location; properties; description; default value.

BPMConsoleSection
Configuration object location: /BPMConsoleElement:/
  • console.manage.caches
    Property to configure access to the Manage Caches link in the IBM BPM Admin section in the Server Admin area of process admin console
    Default value: tw_admins
  • console.task.cleanup
    Property to configure access to the Task Cleanup link in the IBM BPM Admin section in the Server Admin area of process admin console
    Default value: tw_admins
  • console.user.management
    Property to configure access to the User Management link in the User Management section in the Server Admin area of the process admin console
    Default value: tw_admins
  • console.group.management
    Property to configure access to the Group Management link in the User Management section in the Server Admin area of the process admin console
    Default value: tw_admins
  • console.bulk.user.attribute.assignment
    Property to configure access to the Bulk User Attribute Assignment link in the User Management section in the Server Admin area of the process admin console
    Default value: tw_admins
  • console.user.synchronization
    Property to configure access to the User Synchronization link in the User Management section in the Server Admin area of the process admin console
    Note: Some IBM Business Process Manager functionality requires current data from your external security provider in order to function properly. If you see unexpected results with routing of activities, team data in dashboards, or other aspects of IBM BPM that could be caused by a lag between IBM BPM and your external security provider, you can use the Synchronization option in the Process Admin Console to resolve those issues.
      1. Log in to the Process Admin Console.
      2. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
      3. Click User Synchronization.
      4. In the User Management > Synchronize window, choose one of the following options:
        • Full Synchronize: Synchronizes IBM BPM with all user accounts in your configured external provider.
        • Add: Click Add, then enter a user name, and repeat this action to create a list of user names. Then click Synchronize to synchronize only the user accounts in the created list.
    Default value: tw_admins
  • console.instrumentation
    Property to configure access to the Instrumentation link in the Monitoring section in the Server Admin area of the process admin console
    Default value: tw_admins
  • console.process.monitor
    Property to configure access to the Process Monitor link in the Monitoring section in the Server Admin area of the process admin console
    Default value: tw_admins
  • console.monitor
    Property to configure access to the Process Monitor link in the Event Manager section in the Server Admin area of the process admin console
    Default value: tw_admins, tw_authors
  • console.blackout.periods
    Property to configure access to the Blackout Periods link in the Event Manager section in the Server Admin area of the process admin console
    Default value: tw_admins, tw_authors
  • console.synchronous.queues
    Property to configure access to the Synchronous Queue link in the Event Manager section in the Server Admin area of the process admin console
    Default value: tw_admins, tw_authors
  • console.em.jms.error.queue
    Property to configure access to the EM JMS Error Queue link in the Event Manager section in the Server Admin area of the process admin console
    Default value: tw_admins, tw_authors
  • console.manage.epvs
    Property to configure access to the Manage EPVs link in the Admin Tools section in the Server Admin area of the process admin console
    Default value: tw_admins, tw_authors

Modifying security properties using the AdminConfig object commands

You can use the wsadmin AdminConfig object commands to access and modify security properties. For a complete list of AdminConfig commands provided by WebSphere® Application Server, see Commands for the AdminConfig object using wsadmin scripting.
  • For a list of IBM Business Process Manager specific properties, see Table 1.
  • For a list of Process Admin Console specific properties, see Table 2.

Modifying security properties in single deployment environments and IBM Business Process Manager Express

  • Start the wsadmin scripting tool:
    INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython
    WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
    WASX7031I: For help, enter: "print Help.help()"
  • List objects of a given type:
    wsadmin>AdminConfig.list('BPMServerSecurity')
    '(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMServerSecurity_1362774776533)'
  • Show defaults:
    wsadmin>print AdminConfig.defaults(('BPMServerSecurity'))
    Attribute                       Type                            Default
    externalUserQueryLimit          int                             100
    deploySnapshotUsingHttps        boolean                         false
    securityNameTransformer         String
    wildcardProcessingOptimized     boolean                         true
    ldapOptions                     BPMLdapOption
    securityGroups                  BPMServerSecurityGroups
    securityUsers                   BPMServerSecurityUsers
  • Show attributes of an object:
    wsadmin>print AdminConfig.attributes(('BPMServerSecurity'))
    deploySnapshotUsingHttps boolean
    externalUserQueryLimit int
    ldapOptions BPMLdapOption*
    securityGroups BPMServerSecurityGroups
    securityNameTransformer String
    securityUsers BPMServerSecurityUsers
    wildcardProcessingOptimized boolean
  • Show attributes of an object with values (Nested objects are listed using their configuration ID):
    wsadmin>print AdminConfig.show(AdminConfig.list('BPMServerSecurity'))
    [deploySnapshotUsingHttps false]
    [externalUserQueryLimit 5]
    [ldapOptions [twUserNameAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776533) twUserDescriptionAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776534) twGroupNameAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776535) twGroupDescriptionAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776536)]]
    [securityGroups (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMServerSecurityGroups_1362774776533)]
    [securityUsers (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMServerSecurityUsers_1362774776533)]
    [wildcardProcessingOptimized true]
  • Show all attributes of an object with values (Nested objects are listed):
    wsadmin>print AdminConfig.showall(AdminConfig.list('BPMServerSecurity'))
    [deploySnapshotUsingHttps false]
    [externalUserQueryLimit 5]
    [ldapOptions [[[name twUserNameAttribute]
    [value sAMAccountName]] [[name twUserDescriptionAttribute]
    [value description]] [[name twGroupNameAttribute]
    [value cn]] [[name twGroupDescriptionAttribute]
    [value description]]]]
    [securityGroups [[bpmAdminGroup tw_admins]
    [bpmAuthorGroup tw_authors]
    [collaborationAdmin tw_admins]
    [debug Debug]
    [offlineInstall []]
    [processHelpAccess tw_admins]
    [showXmlMetadata Debug]]]
    [securityUsers [[notifyError bpmadmin]
    [userToCloseTask bpmadmin]
    [userToCreateTask bpmadmin]]]
    [wildcardProcessingOptimized true]
  • Show the value of a particular attribute:
    wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
    5
  • Modify a property value:
    Note: You must run the AdminConfig.save command each time a property is modified for the configuration changes to be saved.
    wsadmin>AdminConfig.modify(AdminConfig.list('BPMServerSecurity'),[['externalUserQueryLimit','20']])
    ''
    wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
    20
    wsadmin>AdminConfig.save()
    ''
  • Get the console element:
    Tip: Iterate through the returned list of elements using the index.
    wsadmin>elementName = AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2]), 'name')
    console.bulk.user.attribute.assignment
  • Get the configuration ID of the constraint object for this console element:
    wsadmin>constraintIds = AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2]), 'constraints')
    wsadmin>print constraintIds
    [(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537)]
  • Use the configuration ID to find the current value for the property:
    wsadmin>constraint1 = "(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537)"
    wsadmin>val = AdminConfig.showAttribute(constraint1, 'value')
    wsadmin>print val
    tw_admins
  • Select the console element for which constraints must be added or removed:
    wsadmin>parent = (AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2])
    wsadmin>print parent
    console.bulk.user.attribute.assignment(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleLink_1362774776537)
    wsadmin>elementName = AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2]), 'name')
    wsadmin>print elementName
    console.bulk.user.attribute.assignment
  • Add a constraint:
    wsadmin>AdminConfig.create('BPMConsoleConstraint', parent, [['type' , 'role'],['value', 'random_group']])
    '(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1363203504872)'
    wsadmin>newId = "(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1363203504872)"
    wsadmin>val = AdminConfig.showAttribute(newId, 'value')
    wsadmin>print val
    random_group
    wsadmin>print AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2]), 'constraints')
    [(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537) (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1363203504872)]
    wsadmin>AdminConfig.save()
  • Remove a constraint:
    wsadmin>AdminConfig.remove(newId)
    ''
    wsadmin>print AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2]), 'constraints')
    [(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537)]
    wsadmin>AdminConfig.save()
  • Reset a modified value to its default value:
    wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
    101
    wsadmin>print AdminConfig.unsetAttributes(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
    
    wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
    100
    wsadmin>AdminConfig.save()
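
Because the BPMConsoleSection constraints control only which navigator entries are shown, a change to bpmAdminGroup can leave the console out of step with the group that is actually authorized. The following Python script is an added example, not part of the IBM documentation or of BPMSecurityConfig_sample.py; it parses saved text in the AdminConfig.showall format shown above and reports navigator entries whose constraints no longer match the configured administrator group. The group name bpm_ops_admins, the sample inputs, and the finding codes are constructed for illustration.

```python
import re

# Constructed sample: text in the format printed by AdminConfig.showall(...)
# for a BPMServerSecurity object whose bpmAdminGroup was changed.
SHOWALL_SAMPLE = """
[deploySnapshotUsingHttps false]
[externalUserQueryLimit 100]
[securityGroups [[bpmAdminGroup bpm_ops_admins]
[bpmAuthorGroup tw_authors]
[debug Debug]
[offlineInstall []]
[processHelpAccess tw_admins]]]
[wildcardProcessingOptimized false]
"""

# Constructed sample: constraint values per console element, as collected with
# showAttribute(element, 'constraints') and showAttribute(constraintId, 'value').
CONSOLE_SAMPLE = {
    "console.user.management": ["tw_admins"],
    "console.group.management": ["tw_admins", "bpm_ops_admins"],
    "console.monitor": ["tw_admins", "tw_authors"],
}

DEFAULT_ADMIN_GROUP = "tw_admins"  # default for bpmAdminGroup in Table 1


def parse_wsadmin(text):
    """Parse wsadmin's bracketed attribute text into nested Python lists."""
    stack = [[]]
    for tok in re.findall(r"\[|\]|[^\[\]\s]+", text):
        if tok == "[":
            stack.append([])
        elif tok == "]":
            if len(stack) == 1:
                raise ValueError("unbalanced ']' in wsadmin output")
            finished = stack.pop()
            stack[-1].append(finished)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '[' in wsadmin output")
    return stack[0]


def to_dict(pairs):
    """Turn [[name, value], ...] into a dict, recursing into nested objects."""
    out = {}
    for item in pairs:
        if not isinstance(item, list) or not item or not isinstance(item[0], str):
            continue  # stray text such as a copied prompt line
        name, rest = item[0], item[1:]
        value = rest[0] if len(rest) == 1 else rest
        nested = (isinstance(value, list) and len(value) > 0 and
                  all(isinstance(v, list) and v and isinstance(v[0], str)
                      for v in value))
        out[name] = to_dict(value) if nested else value
    return out


def audit_console_visibility(showall_text, console_constraints):
    """Return (admin_group, findings) for the navigator-entry constraints."""
    groups = to_dict(parse_wsadmin(showall_text)).get("securityGroups")
    if not isinstance(groups, dict):
        # AdminConfig.show prints only a configuration ID for nested objects.
        raise ValueError("securityGroups not expanded; save showall output")
    admin_group = groups.get("bpmAdminGroup", DEFAULT_ADMIN_GROUP)
    findings = []
    for element in sorted(console_constraints):
        roles = console_constraints[element]
        if admin_group not in roles:
            # The configured admin group does not see this navigator entry.
            findings.append((element, "HIDDEN_FROM_ADMIN_GROUP"))
        if admin_group != DEFAULT_ADMIN_GROUP and DEFAULT_ADMIN_GROUP in roles:
            # Entry is still shown to the default group after the change;
            # the constraint affects visibility, not authorization.
            findings.append((element, "LISTS_PREVIOUS_DEFAULT"))
    return admin_group, findings


if __name__ == "__main__":
    group, found = audit_console_visibility(SHOWALL_SAMPLE, CONSOLE_SAMPLE)
    print("bpmAdminGroup = %s" % group)
    for element, code in found:
        print("%-28s %s" % (element, code))
```

To use it on a real cell, save the output of the AdminConfig.showall call and the per-element constraint values shown in this section to files and pass their contents to audit_console_visibility.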

Modifying security properties in multiple deployment environments

For multiple deployment environments, each cluster can be set up with different capabilities, and the properties defined for a cluster are based on these capabilities. You must locate the correct cluster before accessing and modifying properties.
  • Get the deployment environment:
    wsadmin>deIds = AdminUtilities.convertToList(AdminConfig.getid ('/Cell:/BPMCellConfigExtension:/BPMDeploymentEnvironment:/'))
    wsadmin>deIds
    ['De1(cells/Cell1|cell-bpm.xml#BPMDeploymentEnvironment_1366695378330)', 'De2(cells/Cell1|cell-bpm.xml#BPMDeploymentEnvironment_1366696771995)']
    wsadmin>AdminConfig.showAttribute(deIds[0], 'name')
    'De1'
    wsadmin>AdminConfig.showAttribute(deIds[1], 'name')
    'De2'
  • Get the cluster with the correct capability:
    wsadmin>clusterPath = "/Cell:<cellName>/BPMCellConfigExtension:/BPMDeploymentEnvironment:%s/BPMCluster:/" % "<De_name>"
    wsadmin>clusterId = AdminUtilities.convertToList(AdminConfig.getid (clusterPath))
    wsadmin>capabilities1 = AdminUtilities.convertToList(AdminConfig.showAttribute(clusterId[0], 'capabilities'))
    wsadmin>capabilities1
    ['Application']
    wsadmin>capabilities2 = AdminUtilities.convertToList(AdminConfig.showAttribute(clusterId[1], 'capabilities'))
    wsadmin>capabilities2
    ['Messaging']
    wsadmin>capabilities3 = AdminUtilities.convertToList(AdminConfig.showAttribute(clusterId[2], 'capabilities'))
    wsadmin>capabilities3
    ['Support']
  • List objects of a given type:
    Note: For each of the properties, refer to Table 1 for the configuration object, including the configuration object containment path. For example:
    wsadmin>path = "/ServerCluster:<clusterName>/BPMClusterConfigExtension:/BPMProcessServer:/BPMServerSecurity:/"
    wsadmin>b = AdminConfig.getid(path)
    wsadmin>b
    '(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMServerSecurity_1366695662779)'
  • Show attributes of an object with values (nested objects are listed using their configuration ID):
    wsadmin>print AdminConfig.show(b)
    [deploySnapshotUsingHttps false]
    [externalUserQueryLimit 100]
    [ldapOptions [twUserNameAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662779) twUserDescriptionAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662780) twGroupNameAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662781) twGroupDescriptionAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662782)]]
    [securityGroups (cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMServerSecurityGroups_1366695662779)]
    [securityUsers (cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMServerSecurityUsers_1366695662779)]
    [wildcardProcessingOptimized false]
  • Show all attributes of an object with values (nested objects are listed):
    wsadmin>print AdminConfig.showall(b)
    [deploySnapshotUsingHttps false]
    [externalUserQueryLimit 100]
    [ldapOptions [[[name twUserNameAttribute]
    [value sAMAccountName]] [[name twUserDescriptionAttribute]
    [value description]] [[name twGroupNameAttribute]
    [value cn]] [[name twGroupDescriptionAttribute]
    [value description]]]]
    [securityGroups [[bpmAdminGroup tw_admins]
    [bpmAuthorGroup tw_authors]
    [collaborationAdmin tw_admins]
    [debug Debug]
    [offlineInstall []]
    [processHelpAccess tw_admins]
    [showXmlMetadata Debug]]]
    [securityUsers [[notifyError bpmadmin2]
    [userToCloseTask bpmadmin2]
    [userToCreateTask bpmadmin2]]]
    [wildcardProcessingOptimized false]
  • Show the value of a particular attribute:
    wsadmin>print AdminConfig.showAttribute(b,'externalUserQueryLimit')
    100
  • Modify the value for a property:
    Note: You must run the AdminConfig.save command each time a property is modified for the configuration changes to be saved.
    wsadmin>AdminConfig.modify(b,[['externalUserQueryLimit', '150']])
    ''
    wsadmin>AdminConfig.save()
    ''
    wsadmin>print AdminConfig.showAttribute(b,'externalUserQueryLimit')
    150
  • Get the console element:
    wsadmin>consoleElements = AdminUtilities.convertToList(AdminConfig.getid ("/BPMConsoleElement:/"))
    wsadmin>elementName = AdminConfig.showAttribute((consoleElements[0]), 'name')
    wsadmin>elementName
    'console.admin.tools'
  • Get the configuration IDs of the constraint object for this console element:
    wsadmin>elementName = AdminConfig.showAttribute((consoleElements[4]), 'name')
    wsadmin>elementName
    'console.bulk.user.attribute.assignment'
  • Use the configuration ID to locate the current value for the property:
    wsadmin>constraintIds = AdminConfig.showAttribute((consoleElements[4]), 'constraints')
    wsadmin>print constraintIds
    [(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782)]
    wsadmin>constraint1 = "(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782)"
    wsadmin>val = AdminConfig.showAttribute(constraint1, 'value')
    wsadmin>val
    'tw_admins'
  • Add a constraint:
    wsadmin>AdminConfig.create('BPMConsoleConstraint', consoleElements[4], [['type', 'role'],['value', 'admins']])
    '(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1367394007068)'
    wsadmin>AdminConfig.save()
    ''
  • Remove a constraint:
    Tip: Iterate through the returned list of constraints using the index.
    wsadmin>constraintIds = AdminConfig.showAttribute((consoleElements[4]), 'constraints')
    wsadmin>print constraintIds
    [(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782) (cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1367394007068)]
    wsadmin>constraint1 = "(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782)"
    wsadmin>constraint2 = "(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1367394007068)"
    wsadmin>val1= AdminConfig.showAttribute(constraint1, 'value')
    wsadmin>val2= AdminConfig.showAttribute(constraint2, 'value')
    wsadmin>val1
    'tw_admins'
    wsadmin>val2
    'admins'
    wsadmin>AdminConfig.remove(constraint2)
    wsadmin>AdminConfig.save()

Accessing and modifying security properties using Jython scripts

The following examples use a Jython script to get and set property values on configuration objects and to add and remove values for the properties.

The Jython scripts work for the most commonly used scenarios, for example, -g|get and -s|set methods. For more advanced scenarios, see Commands for the AdminConfig object using wsadmin scripting.
Usage: Use this script to get/modify the configured security properties.
          -E|--de DE_name -option
                          -g|--get property_name
                          -s|--set property_name , new_value
                          -a|--add console_property_name , constraint_value
                                |action_policy_name , role to be added
                          -r|--remove console_property_name , constraint_value
                                |action_policy_name , role to be removed
Property values can be read by using the -g|get option and replaced with a different value by using the -s|set option. For the console properties, constraints can be added or removed to restrict access to console sections; these have their own -a|--addConstraint and -r|--removeConstraint options, as shown above.
  • Get the value of the external user query limit:
    INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython -f <install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -g externalUserQueryLimit
    
    WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
    WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-E, De1, -g, externalUserQueryLimit]"
    
    Current value for property externalUserQueryLimit in DE De1 is:
    99
  • Get the value of an action policy:
    INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython -f <install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -g ACTION_ABORT_INSTANCE
    WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
    WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-E, De1, -g, ACTION_ABORT_INSTANCE]"
    
    Current value for property ACTION_ABORT_INSTANCE in DE De1 is:
    tw_admins
  • Modify an existing value:
    Note: Any of the security properties listed in Table 2 can be modified as shown below.
    • Set the value of the external user query limit:
      INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython -f <install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -s externalUserQueryLimit,100
      WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
      WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-E, De1, -s, externalUserQueryLimit,100]"
      
      Current value for property externalUserQueryLimit in DE De1 is:
      99
      
      INFO : The given value for the property was set successfully.
      
      Current value for property externalUserQueryLimit in DE De1 is:
      100
    • Add a role to an action policy:
      INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython -f <install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -a ACTION_ABORT_INSTANCE,admins
      WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
      WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-E, De1, -a, ACTION_ABORT_INSTANCE,admins]"
      
      Current value for property ACTION_ABORT_INSTANCE in DE De1 is:
      tw_admins
      
      Current value for property ACTION_ABORT_INSTANCE in DE De1 is:
      tw_admins;admins
  • Add a constraint to a console property:
    INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython -f <install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -a console.monitor,admins
    WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
    WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-E, De1, -a, console.monitor,admins]"
    
    Current value for property console.monitor in DE De1 is:
    constraint 0 : tw_admins
    constraint 1 : tw_authors
    
    INFO : The given value for the property was set successfully.
    
    Current value for property console.monitor in DE De1 is:
    constraint 0 : tw_admins
    constraint 1 : tw_authors
    constraint 2 : admins
  • Remove a constraint from a console property:
    INSTALL_HOME\bin>wsadmin -conntype NONE -lang jython -f <install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -r console.monitor,admins
    WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
    WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[-E, De1, -r, console.monitor,admins]"
    
    Current value for property console.monitor in DE De1 is:
    constraint 0 : tw_admins
    constraint 1 : tw_authors
    constraint 2 : admins
    
    The given constraint was removed successfully.
    
    Current value for property console.monitor in DE De1 is:
    constraint 0 : tw_admins
    constraint 1 : tw_authors