The Process Application LifeCycle (PAL) MBean

The PALService managed bean (MBean) provides the same administrative scripting functionality as the wsadmin commands. In an environment with multiple security domains configured, consider using MBean administrative tasks instead of wsadmin tasks. You can also use the MBeans in other environments if you prefer to work with MBeans instead of wsadmin commands.

All of the methods exposed by the PALService MBean are listed in the Javadoc: install_root/web/mbeanDocs/PAL_Service.html. Use a Java Management Extensions (JMX) compliant console (for example, JConsole) to work with MBeans.

PALService MBean security considerations

You can use the MBean to configure fine-grained security for the PAL administrative actions with multiple security domains and administrative authorization groups.

The PALService MBean runs on all cluster members of an IBM BPM cluster. The MBean has methods for each of the IBM BPM wsadmin tasks. The MBean methods are protected by administrative roles. For example, you can use administrative authorization groups to make a user a deployer on DE1 but not on DE2. For more information on security roles and groups, see IBM Business Process Manager security overview.

In an environment with multiple security domains, each security domain can have its own user registry. Security domains can be attached to resources like servers, clusters, and buses. In addition, global security settings apply to all administrative functions and are the default security configuration for user applications. Use security domains to define a customized configuration for user applications. All administrative applications, such as the administrative console, naming resources, and MBeans, use global security configurations. If no security domains are configured, applications use information from the global security configuration.

Several administrative roles are defined to provide degrees of authority that are required for certain administrative functions from either the administrative console or the system management scripting interface, as described in Administrative roles. Access can be granted to each user per resource. For example, WebSphere Application Server users can be granted configurator access to a specific instance of a resource only (an application, an application server, or a node). WebSphere Application Server users cannot access any other resources outside of the resources that are assigned to them. The administrative roles apply per resource and do not apply to the entire cell. However, there is a cell-wide authorization group for compatibility with earlier versions. WebSphere Application Server users that are assigned to administrative roles in the cell-wide authorization group can still access all of the resources within the cell. To achieve this instance-based security, or fine-grained security, resources that require the same privileges are placed in a group that is called the administrative authorization group or authorization group. WebSphere Application Server users are granted access to the authorization group by assigning to them the required administrative role. See Fine-grained administrative security.

The IBM BPM RunAs role must be configured with a user ID that has the required privileges to perform the requested function in the cluster security domain. If the RunAs role is configured, the user ID that is defined as the RunAs user role completes the actions. If the RunAs user is not configured, the user ID that called the MBean completes the actions.

The BPMAdminJobUser user role is configured in a similar way to other IBM BPM user roles. If you run BPMConfig to configure your environment, add the following properties to your properties file, which creates a new authentication alias and maps it to the BPMAdminJobUser user role:
bpm.de.authenticationAlias.4.name=AdminJobAlias
bpm.de.authenticationAlias.4.user=
bpm.de.authenticationAlias.4.password=
bpm.de.roleMapping.3.name=BPMAdminJobUser
bpm.de.roleMapping.3.alias=AdminJobAlias

Invoking PALService

Invoking admin tasks with the MBean interface differs from calling the methods directly with wsadmin commands. From the running deployment manager, you must log in to wsadmin with the appropriate administrative role or roles required by the PALService MBean method you plan to invoke.
profile_root/bin/wsadmin.sh -lang jython -username username -password password
Next, you must get a reference to the PALService MBean as follows:
wsadmin>mbean = AdminControl.completeObjectName("type=PALService,node=node,process=application_cluster_member,*")
where node is the name of the node that hosts the running application cluster member (application_cluster_member) on which the calling user is authorized to perform administrative tasks.
The general usage for the PALService MBean looks similar to the following:
import javax.management as mgmt
AdminControl.invoke_jmx(mgmt.ObjectName(mbean),
"admin_task_name", [parameter_list], [parameter_type_list])
where mbean is the reference to PALService, admin_task_name is the name of the admin command to invoke, parameter_list is a comma-separated list of parameters, and parameter_type_list is a comma-separated list of the corresponding parameter types.
Note: Some methods in the MBean allow you to pass lists as parameters. For example, processInstancesCleanup can accept a list of process instance IDs to remove (java.lang.String[] instanceID), with a corresponding parameter type of [Ljava.lang.String;.
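The lookup-then-invoke sequence above, written as reusable helpers for a wsadmin Jython script. This is an added example, not code from the IBM documentation; AdminControl is wsadmin's predefined object, the Java-side ObjectName is only created when javax.management is importable, and the task, node, cluster-member and instance-ID values a caller passes in are placeholders to be replaced with real ones from your environment and the Javadoc.

```python
# Added example, not from the IBM documentation: helpers for calling a
# PALService admin task from a wsadmin Jython script. Node, cluster-member,
# task and instance-ID values supplied by callers are placeholders.
try:
    import javax.management as mgmt   # present only inside wsadmin (Jython)
except ImportError:
    mgmt = None                       # outside wsadmin the raw name string is used


def pal_object_name_query(node, cluster_member):
    """Query string for AdminControl.completeObjectName, as shown in the text."""
    return "type=PALService,node=%s,process=%s,*" % (node, cluster_member)


def jmx_signature(params):
    """Derive the parameter_type_list for invoke_jmx from the Python values.

    A list/tuple is sent as a Java String[] ('[Ljava.lang.String;'), which is
    how list-taking tasks such as processInstancesCleanup declare their input.
    Any other non-string value is rejected so that a wrong signature is caught
    before the call reaches the MBean (exact types are in the PALService Javadoc).
    """
    signature = []
    for value in params:
        if isinstance(value, (list, tuple)):
            signature.append("[Ljava.lang.String;")
        elif isinstance(value, str):
            signature.append("java.lang.String")
        else:
            raise TypeError("unsupported parameter type: %r" % (value,))
    return signature


def invoke_pal_task(admin_control, node, cluster_member, task, params):
    """Look up the PALService MBean and invoke one admin task on it.

    admin_control is wsadmin's predefined AdminControl object (or a stand-in).
    completeObjectName returns an empty string when nothing matches (wrong node
    or process name, or the cluster member not running), so that case is
    reported here instead of surfacing as an opaque JMX error later.
    """
    mbean = admin_control.completeObjectName(pal_object_name_query(node, cluster_member))
    if not mbean:
        raise LookupError("PALService MBean not found for node %s, process %s; "
                          "check the names and the caller's administrative role"
                          % (node, cluster_member))
    target = mgmt.ObjectName(mbean) if mgmt is not None else mbean
    jparams = [list(p) if isinstance(p, (list, tuple)) else p for p in params]
    return admin_control.invoke_jmx(target, task, jparams, jmx_signature(params))
```

Under wsadmin, call invoke_pal_task(AdminControl, node, member, "admin_task_name", [...]) with the parameters the Javadoc lists for that task; the caller must already hold the administrative role the task requires.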