Security configuration properties

Use the WebSphere command-line administration tool (wsadmin) AdminConfig commands to access and modify IBM® Business Process Manager security properties as configuration objects.

The term configuration object refers to an object that is accessed by using the wsadmin AdminConfig commands. See Commands for the AdminConfig object using wsadmin scripting. Configuration objects can be nested, which means that a configuration object might contain other configuration objects.

IBM Business Process Manager configuration objects and security properties
Process Admin Console configuration objects and security properties
Examples of how to access and modify security properties:
- Modifying security properties by using the AdminConfig object commands
- Accessing and modifying security properties by using Jython

IBM Business Process Manager configuration objects and security properties

You can modify the following properties by replacing the previous values, except for properties in the BPMActionPolicy configuration objects. For BPMActionPolicy properties, you do not modify existing values: instead, you add and remove roles.

Table 1. IBM Business Process Manager configuration objects and security properties
Configuration object	ConfigObject containment path	Property name	Description	Default value
BPMAuthAliasRoleType	/Cell:/BPMCellConfigExtension: /BPMDeploymentEnvironment: `DeName` /BPMAuthAliasRoleType:/	BPCUser, BPMAuthor, BPMUser, BPMWebserviceUser, DeAdmin, EmbeddedECMTechnicalUser, EventManagerUser, PerformanceDWUser, ProcessCenterUser, ProcessServerUser, SCAUser	Refer to IBM Business Process Manager roles for role descriptions.
BPMAuthAliasRoleType	/Cell:/BPMCellConfigExtension: /BPMAuthAliasRoleType:/	CellAdmin, RALUser, SCADeploymentUser
BPMVirtualHostInfo	/Cell:/BPMCellConfigExtension:/ BPMDeploymentEnvironment: `DeName` /BPMVirtualHostInfo:/	hostname, port, transportProtocol	A configuration object that is used with the wsadmin command to specify the host name, port number, and transport protocol of a proxy server for Process Center or Process Server configuration. The IBM BPM virtual host has three properties: hostname port transportProtocol An example of how to specify the IBM BPM virtual host with the wsadmin command is in the section Modifying security properties by using the AdminConfig object commands. Note: The IBM BPM virtual host replaces the base-url property that was used in the 99Local.xml configuration file to specify the host name and port number of a proxy server in earlier releases of IBM BPM.	hostname: None port: -1 transportProtocol: https
BPMLdapOption	/ServerCluster: `clusterName` /BPMClusterConfigExtension: /BPMProcessServer: /BPMServerSecurity: /BPMLdapOption:/	twUserNameAttribute	The LDAP attribute name that holds the user name (which is the value specified on the login screen). The default value is derived from the WebSphere® Application Server configuration property userIdMap.	Note: All LDAP attributes are optional. The runtime code tries to determine these values from the WebSphere Application Server configuration. However, the displayName attributes are not configured in WebSphere Application Server. As a result, the default value of the description attribute is just an assumption that the system makes.
		twUserDescriptionAttribute	The LDAP attribute name that holds the user description (which is also referred to as the full name or display name). The default value is the specified description.
		twGroupNameAttribute	The LDAP attribute name that holds the group name. The default value is derived from the WebSphere Application Server configuration property groupIdMap.
		twGroupDescriptionAttribute	The LDAP attribute name that holds the group description (display name). The default value is the specified description.
BPMPerformance DataWarehouse	/Cell:/ServerCluster: `supportClusterName` /BPMClusterConfigExtension: /BPMPerformanceDataWarehouse: /BPMViewManager: /BPMSystem:/	viewUser	Used to create a prefix for the views that Performance Data Warehouse creates for tracking groups. Used like a schema name.

Process Admin Console configuration objects and security properties

You can control the navigator entries that are displayed for specific users in the Process Admin Console by configuring the BPMConsoleSection configuration object. Note that you do not control who is authorized to use the functionality. For example, the ability to create an internal group requires a user to be a member of the bpmAdminGroup (which defaults to tw_admins). For BPMConsoleSection properties, you do not modify existing values: instead, you add and remove constraints.

Table 2. IBM Business Process Manager Process Admin Console configuration objects and security properties
Configuration object	Configuration object location	Properties	Description	Default value
BPMConsoleSection	/BPMConsoleElement:/	console.manage.caches	The property used to configure access to the Manage Caches link in the IBM BPM Admin section in the Server Admin area of the Process Admin Console	tw_admins
		console.task.cleanup	The property used to configure access to the Task Cleanup link in the IBM BPM Admin section in the Server Admin area of the Process Admin Console	tw_admins
		console.rest.commands	The property used to configure access to the Health Management link in the IBM BPM Admin section in the Server Admin area of the Process Admin Console	tw_admins
		console.user.management	The property used to configure access to the User Management link in the User Management section in the Server Admin area of the Process Admin Console	tw_admins
		console.group.management	The property used to configure access to the Group Management link in the User Management section in the Server Admin area of the Process Admin Console	tw_admins
		console.bulk.user. attribute.assignment	The property used to configure access to the Bulk User Attribute Assignment link in the User Management section in the Server Admin area of the Process Admin Console	tw_admins
		console.user.synchronization	The property used to configure access to the User Synchronization link in the User Management section in the Server Admin area of the Process Admin Console. Note: Some IBM Business Process Manager functionas require current data from your external security provider to function properly. If you see unexpected results with routing of activities, team data in dashboards, or other aspects of IBM BPM that could be caused by a lag between IBM BPM and your external security provider, you can use the Synchronization option in the Process Admin Console to resolve those issues. Log in to the Process Admin Console. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options. Click User Synchronization. In the User Management > Synchronize window, choose one of the following options: Full Synchronize Synchronizes IBM BPM with all user accounts in your configured external provider. Add Click Add, then enter a user name, and repeat this action to create a list of user names. Then click Synchronize to synchronize only the user accounts in the created list.	tw_admins
		console.instrumentation	The property used to configure access to the Instrumentation link in the Monitoring section in the Server Admin area of the Process Admin Console	tw_admins
		console.process.monitor	The property used to configure access to the Process Monitor link in the Monitoring section in the Server Admin area of the Process Admin Console	tw_admins
		console.monitor	The property used to configure access to the Monitor link in the Event Manager section in the Server Admin area of the Process Admin Console	tw_admins, tw_authors
		console.blackout.periods	The property used to configure access to the Blackout Periods link in the Event Manager section in the Server Admin area of the Process Admin Console	tw_admins, tw_authors
		console.synchronous.queues	The property used to configure access to the Synchronous Queue link in the Event Manager section in the Server Admin area of the Process Admin Console	tw_admins, tw_authors
		console.em.jms.error.queue	The property used to configure access to the EM JMS Error Queue link in the Event Manager section in the Server Admin area of the Process Admin Console	tw_admins, tw_authors
		console.manage.epvs	The property used to configure access to the Manage EPVs link in the Admin Tools section in the Server Admin area of the Process Admin Console	tw_admins, tw_authors

Modifying security properties by using the AdminConfig object commands

You can use the wsadmin AdminConfig object commands to access and modify security properties. For a list of AdminConfig commands that WebSphere Application Server provides, see Commands for the AdminConfig object using wsadmin scripting.

For a list of IBM Business Process Manager specific properties, see Table 1.
For a list of Process Admin Console specific properties, see Table 2.

Modifying security properties in single deployment environments and IBM Business Process Manager Express

Start the wsadmin scripting tool:

install_root\bin>wsadmin -conntype NONE -lang jython
WASX7357I: By request, this scripting client is not connected to any server proc
ess. Certain configuration and application operations will be available in local
 mode.
WASX7031I: For help, enter: "print Help.help()"

List objects of a given type:

wsadmin>AdminConfig.list('BPMServerSecurity')
'(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMServerSecurity_136277477
6533)'

Show defaults:

wsadmin>print AdminConfig.defaults('BPMServerSecurity')
Attribute                       Type                            Default
externalUserQueryLimit          int                             100
deploySnapshotUsingHttps        boolean                         false
securityNameTransformer         String
wildcardProcessingOptimized     boolean                         true
ldapOptions                     BPMLdapOption
securityGroups                  BPMServerSecurityGroups
securityUsers                   BPMServerSecurityUsers

Show attributes of an object:

wsadmin>print AdminConfig.attributes('BPMServerSecurity')
deploySnapshotUsingHttps boolean
externalUserQueryLimit int
ldapOptions BPMLdapOption*
securityGroups BPMServerSecurityGroups
securityNameTransformer String
securityUsers BPMServerSecurityUsers
wildcardProcessingOptimized boolean

Show attributes of an object and their values (Nested objects are listed according to their configuration ID):

wsadmin>print AdminConfig.show(AdminConfig.list('BPMServerSecurity'))
[deploySnapshotUsingHttps false][externalUserQueryLimit 5]
[ldapOptions [twUserNameAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776533)
twUserDescriptionAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776534)
twGroupNameAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776535) 
twGroupDescriptionAttribute(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMLdapOption_1362774776536)]]
[securityGroups (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMServerSecurityGroups_1362774776533)]
[securityUsers (cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMServerSecurityUsers_1362774776533)]
[wildcardProcessingOptimized true]

Show all attributes of an object and their values (Nested objects are listed):

wsadmin>print AdminConfig.showall(AdminConfig.list('BPMServerSecurity'))
[deploySnapshotUsingHttps false]
[externalUserQueryLimit 5]
[ldapOptions [[[name twUserNameAttribute]
[value sAMAccountName]] [[name twUserDescriptionAttribute]
[value description]] [[name twGroupNameAttribute]
[value cn]] [[name twGroupDescriptionAttribute]
[value description]]]]
[securityGroups [[bpmAdminGroup tw_admins]
[bpmAuthorGroup tw_authors]
[collaborationAdmin tw_admins]
[debug Debug]
[offlineInstall []]
[processHelpAccess tw_admins]
[showXmlMetadata Debug]]]
[securityUsers [[notifyError bpmadmin]
[userToCloseTask bpmadmin]
[userToCreateTask bpmadmin]]]
[wildcardProcessingOptimized true]

Show the value of a particular attribute:

wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
5

Modify a property value:

Note: To ensure that configuration changes are saved, run the AdminConfig.save command each time a property is modified.

wsadmin>AdminConfig.modify(AdminConfig.list('BPMServerSecurity'),[['externalUserQueryLimit','20']])''
wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
20
wsadmin>AdminConfig.save()
''

Get the console element:

Tip: Iterate through the returned list of elements by using the index.

wsadmin>elementName = AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list
('BPMConsoleElement'))[2]), 'name')
wsadmin>print elementName
console.bulk.user.attribute.assignment

Get the configuration ID of the constraint object for this console element:

wsadmin>constraintIds = AdminConfig.showAttribute((AdminUtilities.convertToList
(AdminConfig.list('BPMConsoleElement'))[2]), 'constraints')
wsadmin>print constraintIds
[(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537)]

Use the configuration ID to find the current value for the property:

wsadmin>constraint1 = "(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_136277)"
wsadmin>constraint1 = "(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537)"
wsadmin>val = AdminConfig.showAttribute(constraint1, 'value')
wsadmin>print val
tw_admins

Select the console element for which constraints must be added or removed:

wsadmin>parent = (AdminUtilities.convertToList(AdminConfig.list('BPMConsoleElement'))[2])
wsadmin>print parent
console.bulk.user.attribute.assignment
(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleLink_1362774776537)
wsadmin>elementName = AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list
('BPMConsoleElement'))[2]), 'name')
wsadmin>print elementName
console.bulk.user.attribute.assignment

Add a constraint:

wsadmin>AdminConfig.create('BPMConsoleConstraint', parent, [['type' , 'role'],['value', 'random_group']])'
(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1363203504872)'
wsadmin>newId = "(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1363203504872)"
wsadmin>val = AdminConfig.showAttribute(newId, 'value')
wsadmin>print val
random_group
wsadmin>print AdminConfig.showAttribute((AdminUtilities.convertToList(AdminConfig.list
('BPMConsoleElement'))[2]), 'constraints')
[(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537) 
(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1363203504872)]
wsamdin>AdminConfig.save()

Remove a constraint:

wsadmin>AdminConfig.remove(newId)''
wsadmin>print AdminConfig.showAttribute((AdminUtilities.convertToList
(AdminConfig.list('BPMConsoleElement'))[2]), 'constraints')
[(cells/Cell1/clusters/SingleCluster|cluster-bpm.xml#BPMConsoleConstraint_1362774776537)]
wsamdin>AdminConfig.save()

Modify a set value to default value:

wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
101
wsadmin>print AdminConfig.unsetAttributes(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
wsadmin>print AdminConfig.showAttribute(AdminConfig.list('BPMServerSecurity'),'externalUserQueryLimit')
100
wsamdin>AdminConfig.save()

Modifying security properties in multiple deployment environments

For multiple deployment environments, each cluster can be set up with different capabilities and the properties defined for a cluster are based on these capabilities. Before you can access and modify properties, you must locate the correct cluster.

Get the deployment environment:

wsadmin>deIds = AdminUtilities.convertToList(AdminConfig.getid 
    ('/Cell:/BPMCellConfigExtension:/BPMDeploymentEnvironment:/'))
wsadmin>deIds['De1(cells/Cell1|cell-bpm.xml#BPMDeploymentEnvironment_1366695378330)', 'De2
(cells/Cell1|cell-bpm.xml#BPMDeploymentEnvironment_1366696771995)']
wsadmin>AdminConfig.showAttribute(deIds[0], 'name')
'De1'
wsadmin>AdminConfig.showAttribute(deIds[1], 'name')
'De2'

Get the cluster with the correct capability:

wsadmin>clusterPath = "/Cell:<cellName>/BPMCellConfigExtension:
    /BPMDeploymentEnvironment:%s/BPMCluster:/" % "<De_name>"
wsadmin>clusterId = AdminUtilities.convertToList(AdminConfig.getid (clusterPath))
wsadmin>capabilities1 = AdminUtilities.convertToList(AdminConfig.showAttribute(clusterId[0], 'capabilities'))
wsadmin>capabilities1['Application']
wsadmin>capabilities2 = AdminUtilities.convertToList(AdminConfig.showAttribute(clusterId[1], 'capabilities'))
wsadmin>capabilities2['Messaging']
wsadmin>capabilities3 = AdminUtilities.convertToList(AdminConfig.showAttribute(clusterId[2], 'capabilities'))
wsadmin>capabilities3['Support']

List objects of a given type:

Note: For each of the properties, refer to Table 1 for the configuration object, including the configuration object containment path, for example

wsadmin>path = "/ServerCluster:<clusterName>/BPMClusterConfigExtension:/BPMProcessServer:/BPMServerSecurity:/"
wsadmin>b = AdminConfig.getid(path)
wsadmin>b
'(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMServerSecurity_1366695662779)'

Show attributes of an object with values (Nested objects are listed using their configuration ID):

wsadmin>print AdminConfig.show(b)
[deploySnapshotUsingHttps false][externalUserQueryLimit 100][ldapOptions 
    [twUserNameAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662779) 
    twUserDescriptionAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662780) 
    twGroupNameAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662781) 
    twGroupDescriptionAttribute(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMLdapOption_1366695662782)]]
    [securityGroups (cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMServerSecurityGroups_1366695662779)]
    [securityUsers (cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMServerSecurityUsers_1366695662779)]
    [wildcardProcessingOptimized false]

Show all attributes of an object with values (Nested objects are listed):

wsadmin>print AdminConfig.showall(b)
[deploySnapshotUsingHttps false]
[externalUserQueryLimit 100]
[ldapOptions [[[name twUserNameAttribute]
[value sAMAccountName]] [[name twUserDescriptionAttribute]
[value description]] [[name twGroupNameAttribute]
[value cn]] [[name twGroupDescriptionAttribute]
[value description]]]]
[securityGroups [[bpmAdminGroup tw_admins]
[bpmAuthorGroup tw_authors]
[collaborationAdmin tw_admins]
[debug Debug]
[offlineInstall []]
[processHelpAccess tw_admins]
[showXmlMetadata Debug]]]
[securityUsers [[notifyError bpmadmin2]
[userToCloseTask bpmadmin2]
[userToCreateTask bpmadmin2]]]
[wildcardProcessingOptimized false]

Show the value of a particular attribute:

wsadmin>print AdminConfig.showAttribute(b,'externalUserQueryLimit')
100

Modify the value for a property:

Note: To ensure that configuration changes are saved, run the AdminConfig.save command each time a property is modified.

wsadmin>AdminConfig.modify(b,[['externalUserQueryLimit', '150']])
''
wsadmin>AdminConfig.save()
''
wsadmin>print AdminConfig.showAttribute(b,'externalUserQueryLimit')
150

Get the console element:

wsadmin>consoleElements = AdminUtilities.convertToList(AdminConfig.getid ("/BPMConsoleElement:/"))
wsadmin>elementName = AdminConfig.showAttribute((consoleElements[0]), 'name')
wsadmin>print elementName
'console.admin.tools'

Get the configuration IDs of the constraint object for this console element:

wsadmin>elementName = AdminConfig.showAttribute((consoleElements[4]), 'name')
wsadmin>print elementName
'console.bulk.user.attribute.assignment'

Use the configuration ID to locate the current value for the property:

wsadmin>constraintIds = AdminConfig.showAttribute((consoleElements[4]), 'constraints')
wsadmin>print constraintIds
[(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782)]
wsadmin>constraint1 = "(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782)"
wsadmin>val = AdminConfig.showAttribute(constraint1, 'value')
wsadmin>print val
'tw_admins'

Add a constraint:

wsadmin>AdminConfig.create('BPMConsoleConstraint', consoleElements[4], [['type', 'role'],['value', 'admins']])
'(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1367394007068)'
wsadmin>AdminConfig.save()''

Remove a constraint:

Tip: Iterate through the returned list of constraints by using the index.

wsadmin>constraintIds = AdminConfig.showAttribute((consoleElements[4]), 'constraints')
wsadmin>print constraintIds
[(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782) 
(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1367394007068)]
wsadmin>constraint1 = "(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1366695662782)"
wsadmin>constraint2 = "(cells/Cell1/clusters/AppClusterDe1|cluster-bpm.xml#BPMConsoleConstraint_1367394007068)"
wsadmin>val1= AdminConfig.showAttribute(constraint1, 'value')
wsadmin>val2= AdminConfig.showAttribute(constraint2, 'value')
wsadmin>print val1
'tw_admins'
wsadmin>print val2
'admins'
wsadmin>AdminConfig.remove(constraint2)
wsamdin>AdminConfig.save()

Accessing and modifying security properties by using Jython

The following examples are shown by using Jython scripts. For more examples on modifying the BPMActionPolicy configuration object, refer to the BPMSecurityConfig_sample.py sample Jython script. The sample script is located at install_root/util/Security/BPMSecurityConfig_sample.py.

For more advanced scenarios, see Commands for the AdminConfig object using wsadmin scripting.

Usage: Use this script to get/modify the configured security properties.
          -E|--de DE_name -option')
                          -g|--get property_name')
                          -s|--set property_name , new_value')
                          -a|--add console_property_name , constraint_value')
                                |action_policy_name , role to be added')
                          -r|--remove console_property_name , constraint_value')
                                |action_policy_name , role to be removed')

You can access the property values by using the -g|get option and you can change the value by using the -s|set option. For the console properties, you can add or remove constraints to restrict access to console sections. These properties have their own -a|--addConstraint and -r|--removeConstraint options as previously described.

Get the value of the external user query limit:

install_root\bin>wsadmin -conntype NONE -f <install-root>/util/Security/BPMSecurityConfig_sample.py 
-E <de_name> -g externalUserQueryLimit

WASX7357I: By request, this scripting client is not connected to any server process. 
Certain configuration and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are available 
as arguments that are stored in the argv variable: "[-E, De1, -g, externalUserQueryLimit]"
Current value for property externalUserQueryLimit in DE De1 is:99

Get the value of an action policy:

INSTALL_ROOT\bin>wsadmin -conntype NONE -f 
<install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -g ACTION_ABORT_INSTANCE
WASX7357I: By request, this scripting client is not connected to any server process. 
Certain configuration and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are
 available as arguments that are stored in the argv variable: "[-E, De1, -g, ACTION_ABORT_INSTANCE]"
Current value for property ACTION_ABORT_INSTANCE in DE De1 is:tw_admins

Modify an existing value:

Note: You can modify any of the security properties listed in Table 2.

Set the value of the external user query limit:

install_root\bin>wsadmin -conntype NONE -f 
<install-root>/util/Security/BPMSecurityConfig_sample.py -E <de_name> -s externalUserQueryLimit,100
WASX7357I: By request, this scripting client is not connected to any server process. 
Certain configuration and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are 
available as arguments that are stored in the argv variable: "[-E, De1, -s, externalUserQueryLimit,100]"
Current value for property externalUserQueryLimit in DE De1 is:99
INFO : The given value for the property was set successfully.
Current value for property externalUserQueryLimit in DE De1 is:100

Add a role to an action policy:

install_root\bin>wsadmin -conntype NONE -f <install-root>/util/Security/BPMSecurityConfig_sample.py 
    -E <de_name > -s ACTION_ABORT_INSTANCE,adminsWASX7357I: 
By request, this scripting client is not connected to any server process. Certain configuration 
and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are available 
as arguments that are stored in the argv variable: "[-E, De1, -a, ACTION_ABORT_INSTANCE,admins]"
Current value for property ACTION_ABORT_INSTANCE in DE De1 is:tw_admins
Current value for property ACTION_ABORT_INSTANCE in DE De1 is:tw_admins;admins

Add a constraint to a console property:

install_root\bin>wsadmin -conntype NONE -f 
<install-root>/util/Security/BPMSecurityConfig_sample.py -D <de_name> -a console.monitor,admins
WASX7357I: By request, this scripting client is not connected to any server process. 
Certain configuration and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are available as arguments 
that are stored in the argv variable: "[-E, De1, -a, console.monitor,admins]"
Current value for property console.monitor in DE De1 is:constraint 0 : tw_admins
constraint 1 : tw_authors

INFO : The given value for the property was set successfully.

Current value for property console.monitor in DE De1 is:
constraint 0 : tw_admins
constraint 1 : tw_authors
constraint 2 : admins

Remove a constraint from a console property:

install_root\bin>wsadmin -conntype NONE -f BPMSecurityConfig_sample.py -r console.monitor,admins
WASX7357I: By request, this scripting client is not connected to any server process. 
Certain configuration and application operations will be available in local mode.
WASX7303I: The following options are passed to the scripting environment and are available 
as arguments that are stored in the argv variable: "[-E, De1, -r, console.monitor,admins]"
Current value for property console.monitor in DE De1 is:
constraint 0 : tw_admins
constraint 1 : tw_authors
constraint 2 : admins

The given constraint was removed successfully.

Current value for property console.monitor in DE De1 is:
constraint 0 : tw_admins
constraint 1 : tw_authors

To suppress the inclusion of the user password in the URLs that Process Designer opens, use the suppressRedirectUrlPasswd option. For example, each time you run a playback in Process Designer, a new Process Portal browser session is opened. Process Designer then submits the user credentials, which consist of the user ID and password, and the browser session uses these credentials to log in. The suppressRedirectUrlPasswd option stops the password from being included in the URL to improve security.
Note: When you use the suppressRedirectUrlPasswd option, you need to log in to the browser only the first time that you open a web editable artifact or run a playback in Process Designer. This option applies only to Process Designer and can be turned on and off as needed.
The following example is shown using Jython:
```
dmgr_profile_root>wsadmin.bat -connType NONE
WASX7357I: By request, this scripting client is not connected to any server process. 
Certain configuration and application operations will be available in local mode.
WASX7031I: For help, enter: "print Help.help()"
wsadmin>path='/ServerCluster:AppCluster/BPMClusterConfigExtension:/BPMAuthoringEnvironment:/'
wsadmin>b=AdminConfig.getid(path)
wsadmin>b
'(cells/PCCell1/clusters/AppCluster|cluster-bpm.xml#BPMAuthoringEnvironment_1376890854832)'
wsadmin>AdminConfig.modify(b,[['suppressRedirectUrlPasswd','true']])
wsadmin>AdminConfig.save()
```