IBM Business Process Manager group types
IBM® Business Process Manager can use groups that are visible only within the IBM BPM environment and also groups that are visible outside of that environment.
Many customers define their groups in the Lightweight Directory Access Protocol (LDAP). IBM Business Process Manager accesses the groups through federated repositories.
- WebSphere Application Server administrative roles.
- IBM Business Process Manager application Java EE roles.
- IBM Business Process Manager security roles.
- Internal groups with specific privileges. For example, a group that is defined using the bpmAdminGroup security configuration property. See Security configuration properties.
IBM Business Process Manager group management manages several types of IBM Business Process Manager private groups. In this context, "private" means that the groups are not visible outside of the IBM Business Process Manager environment, not available in LDAP, and not visible to WebSphere Application Server. Such groups cannot be used for Java Platform, Enterprise Edition or WebSphere Application Server administrative role assignment.
- Security group - A group that was replicated from the user registry. In the diagram in this topic, the user registry is referred to as the Federated Repositories. The group might be defined in either the file registry or LDAP and is stored in the BPMDB table.
- Team - There is an entry for each team in the BPMDB table. Teams are defined in either process applications or toolkits. Teams can have static member lists that include users or groups, or they can use a service to calculate their members. Teams can be used to expose process application artifacts by, for example, controlling who can start a business process or human service. Portal Admin Teams can be defined to administer process instances of the process application. Teams can be used in task assignments. Team managers can be defined as a team, which makes it possible for you to create a hierarchy. Team managers can assign work from one team member to another team member and can view dashboards to check their team's performance.
- Ad hoc group - If a team calculates its members using a service, the service returns a set of users and groups. This list of users and groups is then persisted as a reusable entry in the database. Ad hoc groups are immutable. Ad hoc groups can also be created by using a list of users or a list of groups (deprecated).
- Internal group - Internal groups are created by using the Process Admin Console or an application programming interface. They are not process-application specific, but can be reused across multiple process applications. They are similar to LDAP groups, but are:
  - Managed by IBM Business Process Manager
  - Writable using IBM Business Process Manager application programming interfaces
  - Invisible except to IBM Business Process Manager and its process applications
- Dynamic group - Dynamic groups are defined using expressions. For example, "All users that are members of the EuropeanUsers group with a skill-level user attribute value of 3 or higher, but not the person who started the process". IBM Business Process Manager:
  - Stores the definition of a dynamic group (the expression)
  - Resolves all users satisfying the criteria and stores this resolved set of users
  - Refreshes all dynamic groups, depending on configuration, if:
    - A user logs in and IBM Business Process Manager detects that this user's group membership in the user registry changed compared to the user's most recent login
    - Any user attribute value of any user is modified
    - Group membership in any internal group is updated
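The following is an added illustrative model of how a dynamic group stores its expression, resolves and caches its member set, and re-resolves on the three refresh triggers listed above. It is not IBM BPM code or its API; the `User`, `Directory` and `DynamicGroup` names, the sample users and the skill-level values are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    registry_groups: set              # groups from the federated repository (LDAP or file registry)
    attributes: dict = field(default_factory=dict)

class Directory:
    """Constructed stand-in for the user registry plus IBM BPM internal groups."""
    def __init__(self, users, internal_groups):
        self.users = {u.name: u for u in users}
        self.internal_groups = internal_groups   # group name -> set of member user names
    def is_member(self, user, group):
        return group in user.registry_groups or user.name in self.internal_groups.get(group, set())

class DynamicGroup:
    """Stores the expression (a predicate) and the resolved, cached set of members."""
    def __init__(self, name, expression, directory):
        self.name, self.expression, self.directory = name, expression, directory
        self.members = self.refresh()
    def refresh(self):
        # Re-evaluate the stored expression against every user and cache the result
        self.members = {n for n, u in self.directory.users.items() if self.expression(u, self.directory)}
        return self.members
    # The three refresh triggers described in the text, modelled as callbacks
    def on_login(self, name, current_registry_groups):
        user = self.directory.users[name]
        if set(current_registry_groups) != user.registry_groups:   # membership changed since last login
            user.registry_groups = set(current_registry_groups)
            self.refresh()
        return self.members
    def on_attribute_change(self, name, key, value):
        self.directory.users[name].attributes[key] = value
        return self.refresh()
    def on_internal_group_update(self, group, member_names):
        self.directory.internal_groups[group] = set(member_names)
        return self.refresh()

def european_experts(initiator):
    # "Members of EuropeanUsers with skill-level 3 or higher, but not the person who started the process"
    return lambda u, d: (d.is_member(u, "EuropeanUsers")
                         and u.attributes.get("skill-level", 0) >= 3 and u.name != initiator)

def build_example():
    # Constructed sample directory; users, groups and attribute values are made up for this example
    users = [User("alice", {"EuropeanUsers"}, {"skill-level": 4}), User("bob", {"EuropeanUsers"}, {"skill-level": 2}),
             User("carol", set(), {"skill-level": 3}), User("dave", set(), {"skill-level": 5})]
    directory = Directory(users, {"EuropeanUsers": {"carol"}})   # carol belongs through an internal group
    return DynamicGroup("EuropeanExperts", european_experts(initiator="alice"), directory)
```

Each trigger re-resolves the whole group, which is why the text notes that the cost of refreshing rises quickly and why refresh behaviour is configurable.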
The following diagram illustrates how IBM Business Process Manager group management works with the federated repository to manage the various types of groups.
How does group membership refreshing work? The cost of refreshing group memberships rises quickly. You can control how group memberships are refreshed by using admin scripts. See Synchronizing users and groups.
- Grant permissions to users by making them members of these groups, for example by adding a group from LDAP as a subgroup.
- Specify different group names in place of the default groups that are listed below. See Security configuration properties.
- Specify groups that exist in the user registry or internal groups.
Table 1 lists the IBM Business Process Manager groups that are included by default.
| Default group | Description |
|---|---|
| tw_admins | Members of this group have full access to all interfaces, assets, servers, and security. Note: You can rename this group, but there must always be an administrator group defined. Administration of IBM BPM is not possible without this group. |
| tw_allusers | This group is the default lane assignment for non-system lanes when business process definitions (BPDs) are created in Process Designer. The dashboards that you create in Process Designer are available to this group by default. |
| tw_allusers_managers | This group contains the team of managers for the tw_allusers group. In the Team Performance dashboard in Process Portal and Heritage Process Portal, members of this group can see a dashboard for the All Users team and the sample teams that are delivered with the product. By default, the tw_allusers_managers group includes the tw_admins group. |
| tw_authors | Members of this group have access to the Designer and other interfaces in the Process Designer, including the Process Center console. From the Process Center console, members of this group can create process applications and toolkits and control access to projects. Access to other process applications and toolkits (projects) and the assets they contain is controlled by Process Center repository administrators. |
| Debug | You can use this account to restrict access to service debugging in the Inspector in the Process Designer. |
| tw_eventmanager | Members of this group have full access to historical information about Event Manager processing. |
| tw_managers | Members of this group can see the Team Performance dashboard in Process Portal and Heritage Process Portal. To see dashboards for individual teams, the group member must also be a member of a managers team that is defined in Process Designer. By default, the tw_managers group includes the tw_allusers group. |
| tw_portal_admins | Because of functionality changes in IBM BPM V8, members of this group no longer have any special access rights. |
| tw_process_owners | Members of this group can see the Process Performance dashboard. By default, this group is also assigned to the ACTION_CHANGE_CRITICAL_PATH Process Portal policy, which allows members to view and change the projected path of a process instance. By default, the tw_process_owners group includes the tw_admins group. |