Runtime user availability and lifecycle

You can create and maintain users as needed for your specific IBM® Business Process Manager environment. However, before users can take part in IBM BPM runtime operations, they must be available in the IBM BPM database.

IBM BPM retrieves its user information from the WebSphere® Application Server user registry. Similarly, WebSphere Application Server retrieves its user information from the configured user registries, such as LDAP or a custom user registry. For more information, see IBM Business Process Manager security overview.

User activation

A user can be activated in the IBM BPM database only if the user is available in a user registry. Users are activated through runtime operations, for example:
  • A user logs in to IBM BPM.
  • You use the usersSync or usersFullSync command to synchronize the IBM BPM database with the user registry. For information about these commands, see Synchronizing users.
  • You create a user in the WebSphere Application Server default file repository by using the user management section of the Process Admin Console.
  • The user or users REST API resource is called with the refreshUser parameter.
You can also use any of these options to reactivate users that were previously deactivated. Generally, a user is also activated when another user refers to that user for the first time through one of the runtime APIs.

User deactivation

Restriction: Actions triggered through the web service API do not take user deactivation into account. If you use the web service API, do not use any aspect of user deactivation, including the syncExistingUsers command.

While users can be removed from the user registry, you cannot delete user entries from the IBM BPM database. Therefore, users that no longer exist in the registry remain in the database and are still available for task assignments and collaboration invitations. However, you can deactivate these inactive users by running the syncExistingUsers command. This command flags users that are no longer in the user registry as deactivated in the database. Each time that you run the command, the activation status of the users is synchronized with their availability in the user registry. For more information, see Synchronizing users.

The deactivation flag is checked for new runtime assignments and collaboration invitations that are triggered either by a REST or JavaScript API call, or by the system as a BPD task assignment.
Assignments and invitations through API calls.
When you reassign a task to a deactivated user or you send a collaboration request to a deactivated user, the action is denied and you receive an error message. You can reassign the task to a different user, invite a different user to collaborate, or restore the availability of the user you want to work with.

To handle deactivated users in clients, the user detail objects that are returned by REST and JavaScript API methods include a user availability status flag. In addition, the existing REST API method for looking up users allows you to restrict the result to only active or only deactivated users. To find work that is blocked on deactivated users, first look up the deactivated users, then search for tasks that are assigned to them and decide whether to reassign those tasks.
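The following client-side helper is an added example, not code from IBM BPM or its REST API. It shows the two client patterns described above on constructed sample data: denying a reassignment whose target is deactivated, the way the server does, and listing the tasks that are currently held by deactivated users so that they can be moved to an active owner. The field names userName, active, taskId and assignedTo, and the function names, are assumptions standing in for whatever the real user detail and task objects carry.

```python
"""Client-side handling of deactivated users (added example, not IBM code).

The user detail and task objects below are constructed sample data. The
field names 'userName', 'active', 'taskId' and 'assignedTo' are assumptions,
not the documented REST API schema.
"""
from typing import Dict, List, Optional


class DeactivatedUserError(Exception):
    """Raised when a reassignment or collaboration invite targets a deactivated user."""


# Constructed sample user detail objects (assumed shape).
USERS: List[Dict] = [
    {"userName": "alice", "active": True},
    {"userName": "bob", "active": False},   # removed from LDAP, flagged by syncExistingUsers
    {"userName": "carol", "active": True},
    {"userName": "dave", "active": False},
]

# Constructed sample task list (assumed shape).
TASKS: List[Dict] = [
    {"taskId": 101, "assignedTo": "alice"},
    {"taskId": 102, "assignedTo": "bob"},
    {"taskId": 103, "assignedTo": "dave"},
    {"taskId": 104, "assignedTo": "carol"},
]


def lookup_users(users: List[Dict], active: Optional[bool] = None) -> List[str]:
    """Mimic the user lookup filter: None returns everyone, True/False restricts by status."""
    return [u["userName"] for u in users if active is None or u["active"] is active]


def is_active(users: List[Dict], user_name: str) -> bool:
    """Read the availability flag from the user detail objects."""
    by_name = {u["userName"]: u for u in users}
    if user_name not in by_name:
        raise KeyError(f"user {user_name!r} is not in the user snapshot")
    return by_name[user_name]["active"]


def reassign_task(task: Dict, new_owner: str, users: List[Dict]) -> Dict:
    """Pre-check a reassignment the way the server does: deactivated targets are denied."""
    if not is_active(users, new_owner):
        raise DeactivatedUserError(
            f"cannot assign task {task['taskId']} to deactivated user {new_owner!r}")
    return {**task, "assignedTo": new_owner}


def tasks_held_by_deactivated(tasks: List[Dict], users: List[Dict]) -> List[int]:
    """Return the ids of tasks whose current owner is deactivated."""
    deactivated = set(lookup_users(users, active=False))
    return [t["taskId"] for t in tasks if t["assignedTo"] in deactivated]


def reassign_stranded_tasks(tasks: List[Dict], users: List[Dict],
                            fallback_owner: str) -> List[Dict]:
    """Move every task held by a deactivated user to fallback_owner (must be active)."""
    stranded = set(tasks_held_by_deactivated(tasks, users))
    return [reassign_task(t, fallback_owner, users) if t["taskId"] in stranded else t
            for t in tasks]


if __name__ == "__main__":
    print("deactivated:", lookup_users(USERS, active=False))
    print("stranded tasks:", tasks_held_by_deactivated(TASKS, USERS))
    for t in reassign_stranded_tasks(TASKS, USERS, "carol"):
        print(t)
```

Run the user lookup with the deactivated filter right after syncExistingUsers, then feed the result to the task search; the reassignment helper refuses a deactivated target up front rather than waiting for the server to reject the call.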

BPD task assignments.
Generally, BPD task assignment options that dynamically determine user membership, such as the team filter service or the team retrieval service, do not assign tasks to deactivated users, and add a corresponding message to the systemOut.log file. Apart from skipping deactivated users, all assignment options keep their defined behavior. For example, if no active users remain, the List of Users option fails with an error, while a team retrieval service assigns the task to an empty team. For more information about defining task assignments, see Assigning teams to BPD activities.

In some cases, the task is assigned to a deactivated user or an empty group. Consider defining an alternative user to own these tasks by configuring the userToOwnTask property of the BPMServerSecurityUsers configuration object. If the userToOwnTask user is also deactivated, the task is assigned to this user anyway to make it easier to find these tasks. For more information, see Security configuration properties.

Note: Not all BPD task assignment options distinguish between activated and deactivated users. For example, if you manually add members to some teams or groups, these members are assigned tasks even if they are deactivated.
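The following model is an added example, not IBM BPM code: it encodes the assignment rules described in this section so that the edge cases (no active users left, an empty team, a deactivated userToOwnTask, manually added members) can be tried out on a constructed registry snapshot. The option names, the log message text and the registry structure are assumptions; the product's actual log messages in systemOut.log are not reproduced here.

```python
"""Model of how BPD task assignment options treat deactivated users.

Added example, not IBM code. It encodes the rules stated on this page:
dynamic options skip deactivated users, List of Users fails when no active
user remains, team services yield an empty team, userToOwnTask receives such
tasks even if it is itself deactivated, and manually added members are not
checked at all. Option names, log text and the registry are assumptions.
"""
from typing import Dict, List, Optional

# Constructed registry snapshot: userName -> active flag.
REGISTRY: Dict[str, bool] = {
    "alice": True, "bob": False, "carol": True, "dave": False, "owner": False,
}

# Options that determine membership dynamically and therefore check the flag.
DYNAMIC_OPTIONS = {"team_filter_service", "team_retrieval_service", "list_of_users"}
# Options whose members were added by hand and are assigned regardless.
STATIC_OPTIONS = {"manual_team"}


class AssignmentError(Exception):
    """The List of Users option has no active user left to assign."""


def resolve_assignment(option: str, members: List[str], registry: Dict[str, bool],
                       user_to_own_task: Optional[str] = None,
                       log: Optional[List[str]] = None) -> List[str]:
    """Return the users a new task would be assigned to under the given option.

    'log' collects the messages the model emits in place of systemOut.log entries.
    """
    if log is None:
        log = []
    if option in STATIC_OPTIONS:
        # Manually added members are not checked against the deactivation flag.
        return list(members)
    if option not in DYNAMIC_OPTIONS:
        raise ValueError(f"unknown assignment option {option!r}")

    active = [m for m in members if registry.get(m, False)]
    for m in members:
        if m not in active:
            log.append(f"skipped deactivated user {m} for option {option}")
    if active:
        return active

    if option == "list_of_users":
        raise AssignmentError("no active users remain in the list")
    # A team service resolves to an empty team; fall back to userToOwnTask if set.
    if user_to_own_task is None:
        log.append(f"task assigned to empty team by {option}")
        return []
    if not registry.get(user_to_own_task, False):
        # Assigned anyway, so that the task stays findable under one known user.
        log.append(f"userToOwnTask {user_to_own_task} is itself deactivated")
    return [user_to_own_task]


if __name__ == "__main__":
    trace: List[str] = []
    print(resolve_assignment("team_retrieval_service", ["alice", "bob"], REGISTRY, log=trace))
    print(resolve_assignment("team_retrieval_service", ["bob", "dave"], REGISTRY,
                             user_to_own_task="owner", log=trace))
    print(resolve_assignment("manual_team", ["bob", "dave"], REGISTRY, log=trace))
    print("\n".join(trace))
```

Use the log list to see which branch a given team definition takes; in practice the same information is what you would look for in systemOut.log after syncExistingUsers has flagged users.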