Managing IBM Business Process Manager users and groups

The way that IBM® Business Process Manager handles security for users and groups depends on whether you are using IBM Business Process Manager Advanced or IBM Business Process Manager Standard.

Important: Before you complete the following tasks, ensure that you have applied Interim Fix JR48507.

IBM Business Process Manager Standard includes an internal security provider, which you can use to create and maintain IBM BPM users and groups as outlined in the following sections. You can also use the internal IBM BPM security provider in conjunction with an external security provider (such as LDAP with Microsoft Active Directory) that you have registered with the IBM BPM embedded application server.

The IBM BPM internal security provider includes several default users and groups.
Restriction: Do not remove the default IBM BPM administrator account, tw_admin, or the default administrator group, tw_admins. Administration of IBM BPM is not possible without these default accounts.
Important: You cannot create a new user in the Process Admin Console if a user with the same user name was ever created before. Once a user has been created through the Process Admin Console, its entry is kept in the BPM system: even if the user is subsequently deleted, the entry is not removed from the BPM database or from the internal authorization system.

When you use the internal IBM BPM security provider in conjunction with an external provider, the users and groups from both providers are available for selection from IBM BPM Standard components. The users from the internal provider cannot be added as a part of groups from an external provider.

For network deployments, the internal security provider manages groups only; it does not manage users. The users are managed by the federated file repository.

The following table describes where these user accounts are made available in IBM BPM:
| Task | Interface | To learn more |
|---|---|---|
| Granting access to the repository | Process Center Console | See "Managing access to the Process Center repository" in the related links. |
| Binding users to participant groups during process development | Designer in Process Designer | See "Creating a participant group" in the related links. |
| Binding users to participant groups at run time | Process Admin Console | See "Configuring installed snapshots" in the related links. |

IBM BPM does not lock user accounts after a configurable number of failed authentication attempts. End user accounts are managed in a user repository (typically LDAP connected to Federated Repositories), and IBM BPM is just one of many client systems of that repository. The user repository is the system of record for user accounts and therefore has to define rules such as the password lockout policy. For IBM Tivoli Directory Server, you can read more about password policies at http://www.ibm.com/developerworks/tivoli/library/t-tdspp-ect/.

If you are using the IBM BPM Internal Security Provider, there is no policy for locking users after a number of failed authentication attempts.
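Because the internal security provider never locks an account, a compensating control is to watch the authentication logs for bursts of failures per user and alert on them. The following script is an added example and not part of this IBM documentation; the log line format is constructed for illustration (real IBM BPM or WebSphere log layouts differ), so the regular expression would need to be adapted to your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not IBM BPM's actual layout).
SAMPLE_LOG = """\
2024-03-01T10:00:01 AUTH user=tw_admin result=FAIL src=10.0.0.5
2024-03-01T10:00:03 AUTH user=tw_admin result=FAIL src=10.0.0.5
2024-03-01T10:00:04 AUTH user=alice result=OK src=10.0.0.9
2024-03-01T10:00:06 AUTH user=tw_admin result=FAIL src=10.0.0.5
2024-03-01T10:00:07 AUTH user=tw_admin result=FAIL src=10.0.0.5
2024-03-01T10:00:09 AUTH user=tw_admin result=FAIL src=10.0.0.5
2024-03-01T10:20:00 AUTH user=bob result=FAIL src=10.0.0.7
2024-03-01T10:21:00 AUTH user=bob result=FAIL src=10.0.0.7
"""

# Parser for the constructed format above; adjust for your real log lines.
LINE_RE = re.compile(r"^(\S+) AUTH user=(\S+) result=(OK|FAIL) src=(\S+)$")


def find_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: max_failures_seen} for every user whose failed logins
    reach `threshold` inside any sliding window of length `window`.
    A successful login clears that user's window, so ordinary typos
    followed by a correct password do not accumulate."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not auth events
        ts_s, user, result, _src = m.groups()
        ts = datetime.fromisoformat(ts_s)
        if result == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    for user, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins for {user} within 5 minutes")
```

With the sample data only tw_admin is flagged at the default threshold; bob's two failures stay below it, which is the kind of tuning decision the threshold and window parameters are there for.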