Managing IBM Business Process Manager on Cloud accounts

As an account administrator, you are responsible for managing both user and service accounts for IBM® Business Process Manager on Cloud.

User accounts

You invite users by email to access IBM BPM on Cloud; the invitation creates a user account, which is identified by the user's email address. After accounts are set up, you assign roles and permissions to users so that they can do their work. For more information, see Inviting users and Assigning roles and privileges.

Password policy
The following rules apply to passwords for user accounts:
  • Minimum length: 12 characters
  • Composition:
    • Alphabetic characters: minimum 4, including at least 1 uppercase and 1 lowercase letter
    • Numeric characters: minimum 1
    • Special characters: minimum 1 from the set _-|@.,?/!~#$%&*(){}[]=
    • Repetitions of a character: maximum 2
  • Password validity: maximum 60 days
  • History of used passwords: 24 (a new password must not match any of the previous 24)

Example password: MyNewPa$sw0rd (it satisfies every rule above; because it is published here, do not use it as a real password)

Users are locked out of the IBM BPM on Cloud instance for 30 minutes if they exceed five failed login attempts. After a password expires, users have three attempts to log in to reset their password.
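The rules above, expressed as checks, as an added example that is not part of IBM's documentation or of the IBM BPM on Cloud product code (IBM does not publish how the platform enforces the policy). Constants mirror the documented values; the reading of "repetitions of a character: maximum 2" as "no run of more than two identical characters", and the use of salted PBKDF2 for the password history, are assumptions made here. The lockout tracker is parametrised so the same class also expresses the service-account rule described later on this page (100 failed attempts, 60 minutes).

```python
"""Checks for the IBM BPM on Cloud user-account password policy (added example, not IBM code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timedelta

SPECIAL_CHARS = set("_-|@.,?/!~#$%&*(){}[]=")
MIN_LENGTH, MIN_ALPHA, MIN_DIGITS, MIN_SPECIAL = 12, 4, 1, 1
MAX_REPEAT = 2            # assumption: longest permitted run of one character
MAX_AGE = timedelta(days=60)
HISTORY_SIZE = 24
PBKDF2_ROUNDS = 100_000   # assumption: chosen here, tune for the deployment


def composition_violations(password: str) -> list[str]:
    """Return every documented composition rule the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    alpha = [c for c in password if c.isalpha()]
    if len(alpha) < MIN_ALPHA:
        problems.append(f"fewer than {MIN_ALPHA} alphabetic characters")
    if not any(c.isupper() for c in alpha):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in alpha):
        problems.append("no lowercase letter")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append("no numeric character")
    if sum(c in SPECIAL_CHARS for c in password) < MIN_SPECIAL:
        problems.append("no special character from the permitted set")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_REPEAT:
            problems.append(f"character {cur!r} repeated more than {MAX_REPEAT} times in a row")
            break
    return problems


def history_entry(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest to keep in the history instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the password matches any of the last HISTORY_SIZE entries (most recent first)."""
    for salt, digest in history[:HISTORY_SIZE]:
        _, candidate = history_entry(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def expired(set_at: datetime, now: datetime) -> bool:
    """Passwords are valid for at most 60 days; day 60 itself is still valid."""
    return now - set_at > MAX_AGE


class LockoutTracker:
    """Lock an account once more than `allowed` consecutive logins fail.

    Defaults are the user-account rule (5 failures, 30 minutes); the
    service-account rule is LockoutTracker(allowed=100, duration=timedelta(minutes=60)).
    """

    def __init__(self, allowed: int = 5, duration: timedelta = timedelta(minutes=30)) -> None:
        self.allowed, self.duration = allowed, duration
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        return now < self.locked_until.get(user, now)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Count a failed attempt and return True if the account is now locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > self.allowed:
            self.locked_until[user] = now + self.duration
            self.failures[user] = 0        # a fresh run of failures is needed after the lock expires
        return self.is_locked(user, now)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(composition_violations("MyNewPa$sw0rd"))   # the page's example: no violations
    print(composition_violations("password1111!"))  # no uppercase letter, '1' repeated 4 times
```

Only `composition_violations` can be checked at the moment a user types a password; expiry, history and lockout need the stored state shown here, which is why the history keeps salted digests rather than the old passwords themselves.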

Personal data
When a user activates an account, personal data, such as the user's email address, given name, and surname, is stored in the IBM BPM on Cloud user management platform. As the user interacts with the business process management environment on the IBM BPM on Cloud instance, personal data is also stored in the operating environments that the user has access to.

The European Union (EU) General Data Protection Regulation (GDPR) gives individuals a right to be forgotten, for example when they leave the company. When you remove a user from an IBM BPM on Cloud instance, by default the user's personal data is removed from the user management platform and from all the operating environments. However, you can choose to keep the user's personal data, for example if you need to reactivate the user later. Removal is per instance: if the user has an account on more than one instance, you must remove the user from each of those instances as well.

Service accounts

For client applications, a service account is the equivalent of a user account. You create a service account by generating the corresponding service credentials that consist of a functional ID and password. Client applications require these credentials to access the IBM BPM on Cloud environment. A service account is identified by a functional ID and it can be used by one or more client applications. For more information, see Managing service accounts.

Password policy
The password is a randomly generated character string that is sufficiently long and complex to be considered safe against brute-force attacks. Password expiry is not enforced for service accounts; you decide how long passwords remain valid before you replace the service credentials with a new set. Because nothing forces rotation, define a rotation schedule yourself and replace the credentials immediately if you suspect they have been exposed. If there are more than 100 failed login attempts with the account functional ID, the service account is locked for 60 minutes.