If you have configured IBM® Business Process Manager to
work with an external security provider, you can use the Process Admin
Console to synchronize external users and groups.
IBM Business Process Manager synchronizes
external users and groups based on the following triggers:
- Upon startup of a cluster member or server, all available groups
(without members) are synchronized, so that all external groups that
are available for modelling in the Process Designer repository are
available for assignment in the Process Admin Console.
- When a user logs in to Process Portal for the first time, that
user is created within the IBM Business Process Manager database.
- When a new or existing user logs in to Process Portal, that member's
group memberships are updated. The groups the user is in are queried
from the external user registry and the IBM Business Process Manager database
content is updated to reflect the current state.
Important: Before you complete the following tasks,
ensure that you have applied Interim Fix JR48507.
The following commands, which are located in the install_root\IBM BPM\Lombardi\tools\security directory, can be executed to do this synchronization administratively, which prevents user logins from slowing down while the IBM Business Process Manager database content is being updated.
- groupMembershipFullUpdate -username [options] -dynamicGroupUpdate [required value]
  Updates the LDAP group membership of all users that are known to IBM Business Process Manager. At the end of the group membership update, dynamic groups are updated once. You must specify one of the following values for the -dynamicGroupUpdate parameter:
  - never to stop dynamic group updates.
  - always to enforce dynamic group updates.
  Omitting this option or specifying default or any other value will result in updates to dynamic groups only if a group membership change was detected.
- groupMembershipUpdate -username [options] userID1 userID2 ...userIDn -dynamicGroupUpdate [required value]
  Updates the LDAP group membership of the user or users specified with this command. If a specified user ID is unknown to IBM Business Process Manager, this user is created within IBM Business Process Manager. At the end of the group membership update, dynamic groups are updated once. You must specify one of the following values for the -dynamicGroupUpdate parameter:
  - never to stop dynamic group updates.
  - always to enforce dynamic group updates.
  Omitting this option or specifying default or any other value will result in updates to dynamic groups only if a group membership change was detected.
Each command has the following options:
- -username
  The name of the user
- -password
  The password of the user
- -host
  The host name of the AppTarget cluster member on which the admin task should be executed
- -port
  The SOAP port of the AppTarget cluster member on which the admin task should be executed
- usersFullSync [options]
  Synchronizes all users available from LDAP. No group membership is updated. This admin task is equivalent to the Full Synchronize command in the Process Admin Console.
- usersSync [options] userID1 userID2 ...userIDn
  Synchronizes the specified user or users from LDAP. No group membership is updated. This admin task is equivalent to the Synchronize command in the Process Admin Console.
Each command has the following options:
- -username
  The name of the user
- -password
  The password of the user
- -host
  The host name of the AppTarget cluster member on which the admin task should be executed
- -port
  The SOAP port of the AppTarget cluster member on which the admin task should be executed
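
Because any unrecognized -dynamicGroupUpdate value behaves like default, a mistyped never or always is not rejected by the command. The wrapper below is an added example, not IBM code: it validates the value and builds the groupMembershipUpdate argument list in the order of the syntax line above. The function names, the batch size, the BPM_ADMIN_PASSWORD variable, and the sample host, port and user IDs are assumptions.

```python
import os

# Values the page documents for -dynamicGroupUpdate. Per the page, any other
# value silently behaves like "default", so a typo such as "nevr" would not fail.
DYNAMIC_GROUP_UPDATE_VALUES = ("never", "always", "default")


def build_group_membership_update(tool, username, password, host, port,
                                  user_ids, dynamic_group_update="default"):
    """Return the argv list for one groupMembershipUpdate run."""
    if dynamic_group_update not in DYNAMIC_GROUP_UPDATE_VALUES:
        raise ValueError(
            f"-dynamicGroupUpdate {dynamic_group_update!r} is not never/always/default; "
            "the tool would treat it as default")
    ids = [u.strip() for u in user_ids if u.strip()]
    if not ids:
        raise ValueError("no user IDs given; use groupMembershipFullUpdate for all users")
    bad = [u for u in ids if u.startswith("-")]
    if bad:
        raise ValueError(f"user IDs that look like options: {bad}")
    # Argument order follows the syntax line on the page:
    # -username [options] userID1 ... userIDn -dynamicGroupUpdate value
    return [tool, "-username", username, "-password", password,
            "-host", host, "-port", str(port), *ids,
            "-dynamicGroupUpdate", dynamic_group_update]


def batched_commands(user_ids, batch_size, **kwargs):
    """Split a long user list into several invocations (batch size is an assumption)."""
    ids = [u.strip() for u in user_ids if u.strip()]
    return [build_group_membership_update(user_ids=ids[i:i + batch_size], **kwargs)
            for i in range(0, len(ids), batch_size)]


if __name__ == "__main__":
    # Constructed sample values; the password comes from the environment
    # (hypothetical variable name) instead of being written into the script.
    cmds = batched_commands(
        ["alice", "bob", "carol"], batch_size=2,
        tool="groupMembershipUpdate", username="bpmadmin",
        password=os.environ.get("BPM_ADMIN_PASSWORD", ""),
        host="apptarget1.example.com", port=8880, dynamic_group_update="never")
    for argv in cmds:
        # Print with the password masked; pass argv to subprocess.run() to execute.
        print(" ".join("****" if argv[i - 1] == "-password" else a
                       for i, a in enumerate(argv)))
```

The password still travels as a command-line argument, as the -password option requires, so it can appear in process listings on the host that runs the command.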