
Using IBM Business Automation Content Services on Cloud

Product Documentation


Abstract

Business Automation Content Services on Cloud is a comprehensive content management cloud service that delivers document management and content lifecycle capabilities that can be rapidly provisioned as a flexible, cost-effective cloud service for new and existing applications.

Content

Business Automation Content Services on Cloud provides superior scalability, security, stability, mobility, and content management capabilities that can be used for a variety of use cases that include:

  • Business and transactional content services
  • Collaborative document management
  • Imaging solutions
  • Social content management
  • Archiving

Business Automation Content Services on Cloud is based on IBM FileNet Content Manager, a reliable, scalable, and highly available enterprise platform that enables you to capture, store, manage, secure, and process information to increase operational efficiency and lower total cost of ownership. Business Automation Content Services on Cloud helps you to streamline and automate business processes, access and manage all forms of content, and automate records management to help meet compliance needs.

The general Cloud Service capabilities include:
  • Document Management with version control and compound documents
  • Content Collaboration with social capabilities
  • Document review and approval workflows
  • Process Orchestration and the ability to invoke a Web Service in a workflow
  • Ability to integrate content access with multiple P8 repositories in the same Cloud instance
  • Microsoft Office integration through IBM Content Navigator Edit Service
  • Microsoft Office document integration through IBM Content Navigator for Microsoft Office
  • Microsoft Office document viewing with annotation support
  • Document redaction
    • Redaction support limited to PDF and image file formats
  • Mobile device support
  • Development and Administration Tools
    • APIs - GraphQL, Java, .NET and Content Management Interoperability Service (CMIS)
    • Custom events
    • User interface plug-in
    • Custom classifiers (provisioned upon service request)
    • DITA Model (provisioned upon service request)
    • Deployment and design tools

You get a dedicated instance that is hosted in IBM Cloud data centers and managed by IBM, and is configured and ready to use. Your instance includes separate environments for development, testing, and production. A single sign-on to the Business Automation Content Services on Cloud portal provides your developers, content owners, and business users access to all of the components and environments that are appropriate to their roles and enables them to get started with content management quickly.



What's new

Discover what's new in Business Automation Content Services on Cloud.

2020.06

Support for loading IBM Content Navigator in an iframe

Your custom application can now load IBM Content Navigator in Business Automation Content Services on Cloud in an iframe. For more information, see Administering IBM Content Navigator.

Microsoft Azure Marketplace listing

IBM Digital Business Automation on Cloud is now listed in the Microsoft Azure Marketplace for easier SAML single sign-on configuration with Microsoft Azure Active Directory. For more information, see Security Assertion Markup Language (SAML) single sign-on.

Samples for the user and group provisioning REST API

Updated samples are now available for user/group provisioning REST API. To access the updated samples, see Provisioning users and groups for the user registry.

2020.03

Administer user groups directly from the cloud portal

Previously, you had to manage groups and their users by using a combination of the Group Management and User Management REST APIs. Now you can administer groups and their membership by using the new Groups user interface in the Access Management section of the cloud portal. For more information, see Managing groups and group membership.

Share content more easily with external users

You no longer need to invite external users before you can share content with them. As long as these users have an IBM ID to authenticate with the cloud subscription, you can share content with them. For more information, see Using External Share.

Schedule sweeps more easily

If your subscription includes IBM® Enterprise Records Add-on, you can now schedule record sweeps by using the Enterprise Records Administration Client. For more information, see Using the IBM Enterprise Records Add-on.


Users

The Account Administrator manages the accounts of other users and monitors usage in the IBM Business Automation Content Services on Cloud environment.

Other users interact with the content management system in accordance with their user role:

  • A Developer User interacts with the Development environment to create and deploy a content management solution or business process.
  • A Tester User interacts with the Test Environment to validate the solution or application that is created by the Developer.
  • A Business User interacts with the deployed solution or application in the Production Environment to manage content and complete business processes.

Environments

IBM® Business Automation Content Services on Cloud enables the following environment types:

Development

Use the development environment to develop, play back, and deploy applications, and also to create content-related processes.

Test

Use the test environment as a staging environment to validate business processes before they are deployed into the run-time environment. The test environment has the same components as the run-time operating environment.

In the test environment, you use snapshots of applications that are deployed from the development environment. By using snapshots, you can test applications before you deploy them to the run-time operating environment.

Production

Use the content management production environment to work with validated snapshots of content applications. The run-time environment has the same components as the test environment. As a business user of the run-time environment, you participate in processes that were previously validated from application snapshots.

Components

IBM® Business Automation Content Services on Cloud provides the following components:

Administration Console for Content Platform Engine

The Administration Console for Content Platform Engine provides a comprehensive UI to configure and administer the Content Platform Engine in your Business Automation Content Services on Cloud instance. You can use the console to configure and administer object stores and security, as well as to define custom classes and properties in your system.

IBM Content Navigator

IBM® Content Navigator is a flexible, customizable web client that can be configured to align with the needs of each line of business.

Content Platform Engine Administration Tools

The Content Platform Engine Administration Tools is a package that includes the most commonly used administration tools for the Content Platform Engine, such as FileNet Deployment Manager (FDM), Process Designer (PD), and Content Engine Bulk Import Tool (CEBIT).

IBM Content Navigator Clients

The IBM Content Navigator Clients are the client components for IBM Content Navigator. These include the Edit Service, Sync Service, and IBM Content Navigator for Microsoft Office.

Content Platform Engine API

The Content Platform Engine API is the client API for the Content Platform Engine. This includes the Content Platform Engine API (Java and .NET) and Content Management Interoperability Service API.

Components will be displayed based on the type of Cloud instance you have (Express or Enterprise), the environments you have access to, and the role that you have. The following matrix shows when and which components will be displayed:

Express Instance

Role

Env Access

ICN

ICN Clients

ACCE

CPE Tools

CPE API

CPE User

Production

X

X

ACCE Designer

Production

X

X

X

X

CPE Administrator

Production

X

X

X

X

X

Enterprise Instance

Role

Env Access

ICN

ICN Clients

ACCE

CPE Tools

CPE API

CPE User

Development

X

X

X

Test

X

X

Production

X

X

ACCE Designer

Development

X

X

X

X

Test

X

X

X

Production

X

X

X

CPE Administrator

Development

X

X

X

X

X

Test

X

X

X

X

Production

X

X

X

X

Getting Started

Getting your organization started with IBM Business Automation Content Services on Cloud generally follows this procedure:

  1. The user who is assigned the account administrative role receives an email invitation and follows the link to create and configure access to the instance.
  2. The account administrator invites new users. See Inviting users.
  3. Invited users activate their access by clicking the link in the email invitation that is sent to them when the account administrator invites them. See Activating your user access.
  4. Users log in to the IBM Business Automation Content Services on Cloud instance.
  5. Users set up and use the content management system according to business needs.
  6. Environment developers use the user and group management API to provision users and groups in the dedicated user registry in the cloud tenant space. See Provisioning users and groups for the user registry.

Activating your user access

To activate your IBM Business Automation Content Services on Cloud user account, complete the following steps:

  1. Click the link in the email invitation that you received to create your account.
  2. Provide the information to activate your access:
    • Your user ID is always your email address.
    • Enter your first and last name.
    • If you do not already have a password, you are prompted to enter a new password for your account.

      Important: You are prompted to change your password every 90 days. If you reset your password, the temporary password expires after an hour.

  3. Click Activate. If you have access to more than one instance of Business Automation Content Services on Cloud, you will see a list of your subscriptions. Select the instance that you want to work with.

    When you are inside the instance, you see the Work tab by default. On the Work tab, you can access the environments inside the instance. If you are assigned the Account Administrator role, you also see the Admin tab.

  4. Optional: To manage roles and groups for subscription members, click the Admin tab.

You can update profile information such as your first name, last name, or preferred language by clicking your name and then Profile from the Business Automation Content Services on Cloud menu bar. You cannot change your user name, which is your email address.

Managing Accounts

As an account administrator, you are responsible for managing both user and service accounts.

User accounts

You invite users by email to access IBM Business Automation Content Services on Cloud and create a user account. The user account is identified by an email address. After accounts are set up, you assign roles and permissions to users so that they can do their work.

Email invitations are automatically sent to invited users so that they can activate their user accounts. However, you can decide not to send emails when you invite them, for example, so that you can assign the roles and permissions users need before they activate their accounts. After you set up the accounts, you can then send the invitation emails by inviting the users again.

If your Cloud subscription is set up for Security Assertion Markup Language (SAML) authentication, you should choose not to send emails and to activate user accounts automatically.

When a user activates an account, personal data, such as the user's email address, first name, and last name, are stored in the IBM Business Automation Content Services on Cloud user management platform. As the user interacts with the content management environment on the instance, personal data is also stored in that instance.

The European Union (EU) General Data Protection Regulation (GDPR) includes a requirement that individuals have a right to be forgotten, for example, when they leave the company. When you remove a user from an IBM Business Automation Content Services on Cloud instance, by default the user's personal data is removed from that instance and the user management platform. If the user has an account on more than one instance, you must remove the user from each of these instances too.

Service accounts

For client applications, a service account is the equivalent of a user account. You create a service account by generating the corresponding service credentials that consist of a functional ID and password. Client applications require these credentials to access the IBM Business Automation Content Services on Cloud environment. A service account is identified by a functional ID and it can be used by one or more client applications. For more information, see Managing service accounts.

Inviting users

To add users to your IBM Business Automation Content Services on Cloud environment, complete the following steps:

  1. Log in to IBM Business Automation Content Services on Cloud at Digital Business Automation on Cloud. Select the appropriate subscription, if you have more than one.
  2. Click Admin > Access Management > Users > Invite users.
  3. Enter the email address for the user, or users, that you want to add. Provide the email address, or addresses, in the following format: local-part@domain, for example, John_Doe@mycompany.com. You can either type email addresses or you can paste copied email addresses into this field. If you add multiple email addresses, separate the entries with a comma or space, or add one email address per line.

    Restriction: The local part of the email address can contain the following characters: A-Z, a-z, 0-9, . (period), - (dash), and _ (underscore).

  4. Choose whether you want to skip sending email invitations to users. You can also choose to automatically activate user accounts only if your Cloud subscription is set up for SAML authentication and you skip sending emails.

    The user you have invited is granted access to the Production environment by default. Grant access to the other environments by checking the box under the corresponding column.

Assigning roles and permissions

A Cloud subscription includes environments for developing, testing, and running applications. If you have the Account Administrator role, you specify which environments a user can access and the role, if any, the user has in each environment.

Each subscription provides the tools users need to accomplish their tasks, such as Content Platform Engine Administration Tools. When users are invited to join the subscription, their user IDs are assigned access to the production environment by default. However, you can assign them the permissions and roles that they need at any time.

To assign roles and permissions to a user:

  1. Log in to the Cloud subscription.
  2. Click Admin > Access Management > Users.
  3. Assign or remove access to environments for each user. If a user is not granted access to a particular environment but tries to access it, an error will occur.
  4. Assign users to or remove them from roles for each environment by clicking the Edit roles action. Make the appropriate changes and click Update.

    Note: You cannot assign the IBM® Content Navigator Administrator role from the Access Management window. You must assign this role directly in the IBM Content Navigator administration tool.

  5. Optional: Assign a user, or users, to the Cloud operations roles, that is, Cloud Administrator or Operator.

When you assign a role to a user, that user is added to the corresponding group in the dedicated user registry in the Cloud instance. If that user has already logged into the Administration Console for Content Platform Engine or IBM Content Navigator, the role change is not immediate due to the Content Platform Engine user token cache. This cache stores a local copy of the mapping from a security principal (a user or group) to its list of security IDs (SIDs) used by Content Platform Engine to authorize the principal. Maintaining this information in the user token cache means Content Platform Engine does not have to retrieve the information from the dedicated user registry every time it needs information about a user. The user token cache Time To Live (TTL) attribute is set to 1 hour. For more information, see Security Caching.

For the Content Platform Engine Class Designer role, the Content Platform Engine Application Designer role, and the Content Platform Engine Administrator role, only one can be selected at any time. The Content Platform Engine Administrator role already includes all the privileges of the Application Designer or Class Designer role. The Content Platform Engine Application Designer role already includes all the privileges of the Class Designer role. For more details about the Content Platform Engine Application Designer and Class Designer roles, see the following information: Designer group access.

Setting the password for the Content Platform Engine Administrator role

If you are assigned the Content Platform Engine Administrator role, you must set your password. This is to allow use of the Content Platform Engine Administration tools and Content Navigator repository administration.

To set the password:

  1. Log in to your Cloud instance.
  2. In the Business Automation Content Services on Cloud menu bar, click your name and then click Set Password for SAML enabled instance or Change Password for non-SAML enabled instance.
  3. Type the new password and click Set. This sets the password for both the dedicated user registry in your Cloud instance and the Business Automation Content Services on Cloud user account that was created when you activated your account. See Activating your user access for more details.

Managing groups and group membership

If you are assigned the Account Administrator role, you can manage user groups and their members.

As an alternative to the Cloud portal, you can use the Group Management API to manage groups and their membership. For more information, see Provisioning users and groups for the user registry. Note that you cannot manage membership of system groups through the Groups page. For more information, see System groups.

To manage groups and their members, complete the following steps:

  1. Log in to your cloud subscription.
  2. Click Admin > Access Management > Groups.

User roles and system groups

Most of the user roles shown in the Access Management pages correspond to system groups in the cloud platform user registry. When you assign a role to a user, they are automatically added to the corresponding group in the user registry.

For system groups in the user registry, use the Users page to assign the corresponding role or the Group Management REST API to manage group members. See the following tables for information on the system groups.

Cloud platform groups

Role | User Group | Description
Account Admin | Administrators | Members of this group can manage user and service accounts, manage groups, and create usage reports.
Operator | Operators | Members of this group can manage cloud environments through the System Operations page.
Developer | Developers | Members of this group have access to the development environment.
Tester | Testers | Members of this group have access to the test environment.
Runtime User | Participants | Members of this group have access to the production environment.

Business Automation Content Services on Cloud groups

Role User Group User registry group Description
Content Platform Engine Class Designer
  • ECMoC_Client_ACCE_Class_Designer
    • The user group for the production environment.
  • ECMoC_Client_ACCE_Class_Designer_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes Members of this group can create and update data models for an application or applications. They can also create classes used by multiple applications. For more information about this role, see Designer group access in the FileNet® P8 Platform documentation.
Content Platform Engine Application Designer
  • ECMoC_Client_ACCE_Application_Designer
    • The user group for the production environment.
  • ECMoC_Client_ACCE_Application_Designer_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes In addition to Class Designer privileges, members of this group can create properties that affect a wider set of components. They are also responsible for the components that are needed to create a Content Platform Engine application. For more information about this role, see Designer group access in the FileNet P8 Platform documentation.
Content Platform Engine Administrator
  • ECMoC_Client_CPE_Administrator
    • The user group for the production environment.
  • ECMoC_Client_CPE_Administrator_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes In addition to Application Designer privileges, members of this group can administer the object store provisioned for the cloud subscription. They also have access to the Content Platform Engine Administration Tools.
Content Platform Engine User
  • ECMoC_Client_CPE_User
    • The user group for the production environment.
  • ECMoC_Client_CPE_User_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes Members of this group can use the object store in the production environment, for example, to create, modify, and delete objects.
Enterprise Records Administrator
  • ECMoC_Client_IER_RecordsAdministrator
    • The user group for the production environment.
  • ECMoC_Client_IER_RecordsAdministrator_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes
Members of this group have the following privileges:
  • Assign permissions to different users and groups.
  • Define and modify security markings.
  • Configure auditing.
  • Delete file plans, categories, and records.
  • Import and export records.
  • Back up and restore file plan and records.
  • Perform tasks assigned to any of the other IBM Enterprise Records roles.
Enterprise Records Manager
  • ECMoC_Client_IER_RecordsManager
    • The user group for the production environment.
  • ECMoC_Client_IER_RecordsManager_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes
Members of this group have the following privileges:
  • Create and modify file plans and levels of hierarchy, such as record categories, folders, and volumes.
  • Create other associated objects, such as naming patterns, record types, actions, phases, and holds.
  • Define and maintain disposition schedules to control the retention and destruction of entities.
  • Associate disposal schedules to record categories, record folders, and record types.
  • Perform records management activities, such as relocating categories and folders, setting vital records, and activating records. 
  • Perform tasks assigned to any of the other IBM Enterprise Records roles.
Enterprise Records Privileged User
  • ECMoC_Client_IER_RecordsPrivilegedUser
    • The user group for the production environment.
  • ECMoC_Client_IER_RecordsPrivilegedUser_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes
Members of this group have the following privileges:
  • Review entities that are due for disposition.
  • Perform basic record-related operations, such as file and copy record.
  • Search and display records, folders, and categories.
  • Declare records.
Enterprise Records User
  • ECMoC_Client_IER_RecordsUser
    • The user group for the production environment.
  • ECMoC_Client_IER_RecordsUser_Env
    • The user groups for the development and test environments; where Env is Dev or Test.
Yes
Members of this group have the following privileges:
  • File records.
  • Search and display records, folders, and categories.
  • Declare records.
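
The group names in the table above follow one scheme (no suffix for production, _Dev or _Test otherwise), and Class Designer, Application Designer and Administrator are tiered so that the higher role already includes the lower ones. The following added example, which is not IBM code, applies both facts to a membership export; the export format, the sample users and the "review-production-admin" flag are assumptions made for illustration.

```python
from collections import defaultdict

PREFIX = "ECMoC_Client_"
ENV_SUFFIX = {"_Dev": "Development", "_Test": "Test"}  # no suffix = Production

# Group-name stems and role names as listed in the table above.
ROLE_BY_STEM = {
    "ACCE_Class_Designer": "Content Platform Engine Class Designer",
    "ACCE_Application_Designer": "Content Platform Engine Application Designer",
    "CPE_Administrator": "Content Platform Engine Administrator",
    "CPE_User": "Content Platform Engine User",
    "IER_RecordsAdministrator": "Enterprise Records Administrator",
    "IER_RecordsManager": "Enterprise Records Manager",
    "IER_RecordsPrivilegedUser": "Enterprise Records Privileged User",
    "IER_RecordsUser": "Enterprise Records User",
}

# Each tier includes all privileges of the tiers below it.
TIER = {
    "Content Platform Engine Class Designer": 1,
    "Content Platform Engine Application Designer": 2,
    "Content Platform Engine Administrator": 3,
}


def parse_group(name):
    """Return (role, environment) for a registry group name, or None."""
    if not name.startswith(PREFIX):
        return None
    stem, env = name[len(PREFIX):], "Production"
    for suffix, label in ENV_SUFFIX.items():
        if stem.endswith(suffix):
            stem, env = stem[: -len(suffix)], label
            break
    role = ROLE_BY_STEM.get(stem)
    return (role, env) if role else None


def audit(memberships):
    """memberships: {user: [group, ...]} -> list of (user, kind, detail)."""
    findings = []
    for user in sorted(memberships):
        tiered = defaultdict(list)  # environment -> tiered roles held there
        for group in memberships[user]:
            parsed = parse_group(group)
            if parsed is None:
                # Only names that claim the prefix are flagged; cloud platform
                # groups such as Developers are outside this check.
                if group.startswith(PREFIX):
                    findings.append((user, "unrecognized-group", group))
                continue
            role, env = parsed
            if role in TIER:
                tiered[env].append(role)
        for env in sorted(tiered):
            roles = tiered[env]
            top = max(roles, key=TIER.get)
            if len(roles) > 1:
                extra = ", ".join(sorted(r for r in roles if r != top))
                findings.append(
                    (user, "overlapping-roles", f"{env}: {top} already includes {extra}")
                )
            # Assumed review policy: list every production administrator.
            if env == "Production" and TIER[top] == 3:
                findings.append(
                    (user, "review-production-admin",
                     "Full Control on the production object store")
                )
    return findings


# Constructed sample export; users and memberships are invented.
SAMPLE = {
    "alice@example.com": ["ECMoC_Client_CPE_User", "ECMoC_Client_IER_RecordsUser"],
    "bob@example.com": [
        "ECMoC_Client_CPE_Administrator",
        "ECMoC_Client_ACCE_Class_Designer",
        "ECMoC_Client_CPE_User_Dev",
    ],
    "carol@example.com": [
        "ECMoC_Client_ACCE_Application_Designer_Test",
        "ECMoC_Client_ACCE_Class_Designer_Test",
        "ECMoC_Client_CPE_User_Prod",  # wrong suffix: production has none
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```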

Managing service accounts

To manage service accounts, you must have the Account Administrator role. Service credentials consist of a unique functional ID and a password.

The functional ID is generated from the alias you specify for the service account. The functional ID is specific to the Cloud subscription on which it is created; you can't use it on other Cloud subscriptions. Like regular user IDs, you grant functional IDs permissions for the Cloud environments that the client applications access and the roles that the applications might need. However, you cannot use these IDs to manually log in to one of the tools in the Cloud portal. You also cannot use the Access Management API to create or delete functional IDs.

The password is a randomly generated character string that is sufficiently long and complex to be considered safe against brute-force attacks. Passwords never expire and you cannot renew them. Instead, you must replace the existing service credentials by generating a new functional ID and password, making them available to your application developers, and then deleting the previous ones. For security reasons, consider renewing service credentials according to your password renewal policies, for example, once a year. You decide how many service accounts your subscription needs. For example, several applications might share one account and other applications might have their own accounts.

 

To create a service account:

  1. Log in to the cloud subscription.
  2. Click Admin > Access Management > Service credentials.
  3. Create the credentials for the service account. On the Service Credentials page, click Create credentials to open the Create service credentials window.
  4. Enter a functional ID alias and click Create. Tip: A functional ID alias can contain only the following characters: A through Z, a through z, 0 through 9, . (period), - (dash), and _ (underscore).
  5. The Credentials created window opens, which shows the functional ID and password. Important: The credentials are displayed only when you create them. If you close the window without copying the credentials, you cannot display them again, and you must create a new set.
  6. Save the credentials by clicking Copy to clipboard.
  7. Give the functional ID access to the content services environments and assign the roles that the associated applications need.

On the Users page, find the functional ID in the list of users, and grant it the roles and permissions for the appropriate environments. For example, if the functional ID is used by user provisioning applications, assign the Account Administrator role to the functional ID. If the functional ID is used by a content services application, assign the functional ID the Content Platform Engine Administrator role.
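
The character set allowed in a functional ID alias (step 4 above) is the same one stated for the local part of invited email addresses under Inviting users. The following added example, which is not IBM code, checks both before anything is pasted into the portal; the sample input is constructed, and treating addresses that differ only in case as duplicates is an assumption.

```python
import re

# A-Z, a-z, 0-9, period, dash and underscore, as stated on this page.
ALLOWED = re.compile(r"[A-Za-z0-9._-]+")


def valid_alias(alias):
    """True if a functional ID alias uses only the permitted characters."""
    return bool(ALLOWED.fullmatch(alias))


def check_invitees(raw):
    """Split pasted invite text and sort entries into accepted and rejected.

    Entries may be separated by commas, spaces or line breaks.
    Returns (accepted, rejected), where rejected holds (entry, reason).
    """
    accepted, rejected, seen = [], [], set()
    for entry in (t for t in re.split(r"[,\s]+", raw) if t):
        local, at, domain = entry.partition("@")
        if not at or not local or not domain or "@" in domain:
            rejected.append((entry, "not in local-part@domain form"))
        elif not ALLOWED.fullmatch(local):
            bad = sorted(set(re.sub(r"[A-Za-z0-9._-]", "", local)))
            rejected.append(
                (entry, "local part has disallowed characters: " + " ".join(bad))
            )
        elif entry.lower() in seen:
            # Assumption: the same address in different case is one user.
            rejected.append((entry, "duplicate"))
        else:
            seen.add(entry.lower())
            accepted.append(entry)
    return accepted, rejected


# Constructed input mixing the three separators the page allows.
SAMPLE = """John_Doe@mycompany.com, jane.roe@mycompany.com
o'brien@mycompany.com ops+alerts@mycompany.com
john_doe@mycompany.com
not-an-address"""

if __name__ == "__main__":
    ok, bad = check_invitees(SAMPLE)
    print("accepted:", ok)
    for entry, reason in bad:
        print("rejected:", entry, "-", reason)
    print("alias ok:", valid_alias("billing-sync_01"))
```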

Creating usage reports

You can view information about usage on your IBM® Business Automation Content Services on Cloud instance. You can also generate reports about user volume over periods that you specify.

To create usage reports:

  1. Log in as an Account Administrator.
  2. Click Admin > Usage Reports.
  3. Select the report type and the reporting period, then click Update to generate the usage report.

System Operations

You can manage your IBM® Business Automation Content Services on Cloud environments. You can retrieve and view log files, and restart components. To manage operating environments, you must have the Operator role which is granted by the Account Administrator.

To grant the Operator role to a user:

  1. Log in as an Account Administrator.
  2. Click Admin > Access Management > Users.
  3. Search for the user to be granted the Operator role. Select the Operator role checkbox.

To manage operating environments:

  1. Log in as Operator to IBM Business Automation Content Services on Cloud.
  2. Click Admin > System Operations.
  3. Click the tab for the environment you want.

The following options are available on the System Operations page:

Log Retrieval (environments: Development, Test, Production)

You can retrieve log data for components in your environments. You will see a log retrieval history table with the following information:

  • Component for which the log was requested
  • Time when the log was requested
  • Operator who made the request
  • Status of the request

A log is ready to download when its status changes to Download. Log retrieval might take some time. Refresh for the latest status. Logs can be deleted after successful downloads. You can also delete the logs without downloading them.

Component Restart (environments: Development, Test, Production)

You can restart the components in your environments. The component restart might take some time to complete. These scenarios are examples where restarting a component can be useful:

  • You want configuration changes to take effect immediately. For example, you have made role changes and do not want to wait for existing user token cache to expire.

    See Assigning roles and permissions for more details.

  • You are developing and testing custom IBM Content Navigator plug-in code. You have encountered issues with a specific component due to custom code.

Administering Content Platform Engine

If you are assigned the Content Platform Engine Administrator role, you can access the Content Platform Engine Administration Tools. See Components.

As a Content Platform Engine Administrator in an environment to which you are granted access, you have full administration access to the object store that is provisioned for your instance in that environment, including the workflow system. The object store level security is configured as follows:

  • ECMoC_Client_ACCE_Class_Designer (group) - Full Control
  • ECMoC_Client_ACCE_Application_Designer (group) - Full Control
  • ECMoC_Client_CPE_Administrator (group) - Full Control
  • ECMoC_Client_CPE_User (group) - Use object store

The names of these groups vary for the object store in each environment to ensure separation of access for each environment.

The ECMoC_Client_CPE_User is the group for your users who need to access the object store. When you grant user access to an environment, you also grant that user access to the object store in that environment. See Assigning roles and permissions.

Configuring Content Extended Operations in Workflow

If you want to use Content Extended Operations in the Content Platform Engine workflow system, you need to configure the correct JAAS credentials:

  1. Create a Service Credential and grant sufficient access to it for content-related activities. See Managing service accounts for details.
  2. Log in to Administration Console for Content Platform Engine as a Content Platform Engine Administrator and navigate to the default object store OS1.
  3. Click Administrative > Workflow System > Isolated Regions > OS1_IR1 > Component Queues > CE_Operations.
  4. Go to the Adapter tab and configure JAAS user name and Password to be the service credential and password that you created earlier.
  5. Click Save.

Administering IBM Content Navigator

If you are one of the account administrators invited to your Cloud subscription, you are also automatically added to IBM Content Navigator as an administrator. As an IBM Content Navigator administrator, you have full access to the IBM Content Navigator settings in the administration console. You can also add others as administrators to IBM Content Navigator using the administration console. See the attached document for the special considerations that apply.

Configuring email integration

If you want to use the email capability of IBM Content Navigator, you can configure your own SMTP email service. This email service needs to be accessible from within your Cloud subscription.

IBM Cloud offers an email delivery service that allows you to use a SMART host to relay your outbound mail services. This service has many other functions such as generating metrics, tracking email lists, tracking email activity, assisting with newsletters, and authenticating. See IBM Cloud Email Delivery for more information.

Once you have your email service ready, you can open a ticket and engage the Business Automation Content Service on Cloud operations team to configure IBM Content Navigator to use your email service.

Plug-in for Recycle Bin

IBM Content Navigator comes with a Recycle Bin plug-in. You can load that plug-in using the file path /opt/ibm/intPlugins/recycleBin/RecycleBinPlugin.jar.

See Configuring the Recycle Bin feature for more information.

Uploading custom plug-ins

You can upload custom plug-ins from the IBM Content Navigator administration console. To upload plug-ins, make sure the Upload File Path on the Server setting is configured:

  1. Log in to IBM Content Navigator as an administrator and navigate to the administration console.
  2. Click Settings > General.
  3. Confirm the Upload File Path on the Server setting is configured to be /opt/ibm. If it is not yet configured, set it to /opt/ibm then save.
  4. Refresh your browser and go to IBM Content Navigator administration console.
  5. Click Plug-ins > New Plug-in. You will now see the option to specify a JAR file from your workstation.

See Registering and configuring plug-ins for more details.

External Data Service

You can configure External Data Service (EDS) in Business Automation Content Service on Cloud. You need an updated EDS plugin that can reference a custom EDS data source plug-in. See Register and configure the EDS plug-in.

To obtain the updated EDS plug-in, open a ticket and make a request to the Business Automation Content Service on Cloud operations team.

Support for iframe

Your custom application can load IBM Content Navigator in Business Automation Content Services on Cloud in an iframe. Special configuration is required for IBM Content Navigator in your Business Automation Content Services on Cloud subscription to enable iframe support. If you require iframe support for your cloud subscription, you can open a ticket and engage the Business Automation Content Service on Cloud operations team to configure IBM Content Navigator.

Using External Share

You can securely share content in your content repository with users outside of your organization. Depending on the privileges these users have, they can view, download, and modify the shared content as well as upload content to a shared folder.

Sharing content

For information about authorization privileges and how to share content, see Sharing documents with external users in the IBM® Content Navigator documentation.

Work with shared documents and folders as an external user

As an external user, you receive an email inviting you to work on content that's shared with you. Click the Accept Share link in the email invitation to access the content. If you are prompted to log in, enter the email address for the account where you received the share invitation. You are then redirected to the IBM ID login page. Here you can use your existing IBM ID account or create a new one. For your IBM ID account, make sure you use the same email address where you received the share invitation. After you successfully log in, the IBM Content Navigator is launched and you can work with the content that's shared with you.

Customize consent agreement and share email template

You can customize the consent agreement that share recipients will see when they are invited to accept content that is shared with them. Follow the steps for this customization:
  • Log in to IBM Content Navigator as an IBM Content Navigator administrator.
  • Go to Administration > Plug-ins. Select the Share plug-in and click Edit.
  • Select the object store and click Configure Share.
  • Type in the text you desire for the Consent agreement field. Click OK.
  • Now click Save and Close to exit the Share plug-in tab.

You can customize the entire email template that you use for your share invitations through the Administration Console for Content Platform Engine. You must be a Content Platform Engine Administrator to do this operation. For more information, see Customizing the email template for external sharing.

Using Key Protect

IBM Key Protect is a cloud-based security service that provides lifecycle management for encryption keys that are used in IBM Cloud services or client-built applications. Key Protect provides roots of trust (RoT), backed by a hardware security module (HSM). For more information on the IBM Key Protect Cloud service, see the IBM Cloud Catalog.

Business Automation Content Services on Cloud supports IBM Key Protect as an external key management service. If you select Key Protect support for your Cloud instance, the Business Automation Content Services on Cloud operations team will contact you. They will request information that is related to the Key Protect service instance that you want to use. Your Business Automation Content Services on Cloud instance will be provisioned with external key management that is enabled to point to your Key Protect service instance.

When Key Protect is enabled during provisioning of your Business Automation Content Services on Cloud instance, the Content Platform Engine domain master key and pre-provisioned storage area content encryption key are automatically generated and saved to your Key Protect service instance. Review the following guidelines about the master key and content encryption key:
  • Do not rotate or delete the domain master key. It is used to encrypt Content Platform Engine user credentials, user name, and passwords for various purposes that include access to external services and devices.
  • Do not delete your existing content encryption key or keys. They are used to encrypt and decrypt your content as they are stored and retrieved. Missing content encryption keys cause content encryption, decryption, and retrieval to fail.
  • Lock the Service ID and API Key that is associated with your Key Protect service instance. This action helps ensure that your service ID and/or API Key are not accidentally deleted.
  • Generate a new content encryption key on a specified interval as a best practice. For more information on how to generate a new content encryption key, see Encrypting content.

Using IBM Cloud Object Storage Immutable Object Storage

Business Automation Content Services on Cloud provides support for IBM Cloud Object Storage Immutable Object Storage. Immutable Object Storage preserves content and maintains data integrity. Retention policies ensure that data is stored in a WORM (Write-Once-Read-Many), non-erasable and non-rewritable manner. This policy is enforced until the end of a retention period. This feature can be used for long-term data retention including - but not limited to - organizations in the following industries:

  • Financial
  • Healthcare
  • Media content archives
  • Anyone seeking to prevent modification or deletion of objects or documents

Both event-based retention and permanent retention are supported.

The IBM Cloud Object Storage Immutable Object Storage support is only available for regional Cloud Object Storage. For the list of regions that support the immutable object storage, see the IBM Cloud Object Storage service availability information.

Using the IBM Enterprise Records Add-on

The Enterprise Records add-on includes full integration into the Business Automation Content Services on Cloud infrastructure and user experience. It offers a governance solution that makes it easier to manage a more strategic global records program and to enforce policies for retention and disposition across the organization and information environment.

With the Enterprise Records add-on, your Business Automation Content Services on Cloud instance comes with a Records-Enabled object store and a File Plan object store.

User Roles and Security Configuration in the File Plan Object Store

When the Enterprise Records add-on is provisioned in your Cloud instance, you see the following Enterprise Records administration roles and are able to assign them to a user:
  • IER Records Administrator
  • IER Records Manager
  • IER Records Privileged User

When you assign one of these roles to a user, that user is added to the corresponding group in the dedicated user directory in the Cloud instance. For more information on how to assign an Enterprise Records administration role to a user, see Assigning roles and permissions.

The directory groups that correspond to the administration roles are also assigned to the Enterprise Records security roles in the File Plan object store (FPOS):
  • Records Administrator > ECMoC_Client_IER_RecordsAdministrator
  • Records Manager > ECMoC_Client_IER_RecordsManager
  • Records Privileged User > ECMoC_Client_IER_RecordsPrivilegedUser

Enterprise Records Administration Client

If you are assigned one of the following IER roles, you will see the Enterprise Records Administration Client component displayed on the Work tab of the Cloud portal:

  • IER Records Administrator
  • IER Records Manager
  • IER Records Privileged User

You can use the Enterprise Records Administration Client to configure and administer File Plans and other objects for your Enterprise Records management system.

For the Enterprise Records add-on, the Enterprise Records Administration Client does not support the following functions:
  • Reports

For more information on how to administer Enterprise Records, see Administering IBM Enterprise Records.

Scheduling sweeps

Sweep processes are daemon processes that complete typical records management operations. You can schedule disposition or hold sweeps from the Tasks menu in the Enterprise Records Administration Client. Choose a time when system usage is low.

To schedule and run sweeps, make sure you have met the following requirements:

If you don't see the Tasks menu in your Enterprise Records Administration Client, your user ID is probably not in either of the two groups. Report the issue to your account administrator.

Disposition sweeps

Disposition sweeps automatically process and update entire batches of records. They find records that are ready to start moving through the various phases of their disposition schedules.

Hold sweeps

Hold sweeps find records that meet the conditions that are specified in conditional holds and place the holds. They automatically place and remove dynamic holds on entire batches of entities.

Note: The following schedule types are not supported:
  • Schedule Report
  • Schedule Basic Disposition Sweep

Events

You can configure Enterprise Records events in Content Platform Engine in Business Automation Content Services on Cloud. For example, you can configure the RMAutoDeclare event to automatically create a corresponding electronic record in a specific File Plan Object Store when a user performs a specific operation (such as check in or file into a folder) on a document in the Record-enabled Object Store. For more information on how to configure, refer to the README in the IEREvents.zip file.

Physical Records Management Workflow

Charge out is a process that delivers and tracks physical items, which cannot be seen online. You can configure the Physical Records Management workflow to track where the entities are at each step. You can charge out individual records (one at a time) or any of the containers that hold physical items. For more information, refer to Physical records management workflows.

File Plan Import Export Tool

The File Plan Import Export Tool is a stand-alone application that allows an administrator to move a file plan and its associated objects to another object store. This tool is available for download on the Work tab of the cloud portal if you are assigned the IER Records Administrator role. You can use it on premise to move a file plan from one environment to another in Business Automation Content Services on Cloud.

Mobile access

You can configure access to Business Automation Content Services on Cloud on mobile devices. See Configuring access to IBM Content Navigator from mobile devices for more information on enabling mobile access. You must configure mobile access to IBM Content Navigator for each environment in your Business Automation Content Services on Cloud instance.

After mobile access is configured, follow these steps on each mobile device:

  1. Install the IBM Navigator Mobile iOS or Android application.
  2. Open the IBM Navigator Mobile application and select Use your organization's login page.
  3. Enter the URL to IBM Content Navigator in your Business Automation Content Services on Cloud environment:
      https://<tenant instance virtual host>.bpm.ibmcloud.com/dba/<dev|test|run>/navigator/

    Where:

    • <tenant instance virtual host> is the virtual host name of your Business Automation Content Services on Cloud instance.
    • <dev|test|run> is the environment where you want to access IBM Content Navigator on the mobile devices.

    Note that you must include the trailing slash in the URL.

  4. Follow the Business Automation Content Services on Cloud login screens to log in to IBM Content Navigator on the mobile devices.

Provisioning users and groups for the user registry

Your Business Automation Content Services on Cloud instance comes with a dedicated user registry. Business Automation Content Services on Cloud requires provisioning of your cloud users and groups in the dedicated user registry. You can use the Business Automation Content Services on Cloud user and group management REST API to automate this provisioning.

The user and group management REST API is part of the cloud operations API and helps you provision and manage users and groups in your Cloud instance. You can use the REST API to add a user or group, delete a user or group, or check whether a particular user or group exists in the dedicated user registry.

You can also use the user and group management REST API to facilitate a bulk import of users and groups from your on-premises directory to the dedicated user registry in your Cloud instance.

For more information on using the user and group management REST API for managing users and groups, see the attached guide and samples.

Developing Content Management Interoperability Services Applications with Content Services on Cloud

Content Management Interoperability Services (CMIS) is an open source OASIS standard that enables applications to work with one or more content management systems. CMIS defines a standard domain model and standard set of services and protocol bindings for web services and RESTful AtomPub. You can develop applications using the CMIS API to work with Content Services on Cloud.

The attached archive file, CMISClient_Sample.zip, provides additional instructions and sample code.

Using the Content Services GraphQL API

The Content Services GraphQL API provides a schema and an easy-to-understand query language system that simplifies application development for your Content Platform Engine. The API schema definition of types and fields matches Content Engine Java API object model closely, with necessary and desirable extensions for natural GraphQL developer consumption. The API is ideal for web and mobile application development because it supports retrieving exactly the data you need with a single call.

The Content Services GraphQL API includes the following operations:

  • Metadata discovery - ClassDescription, PropertyDescription, ChoiceList, and sub-ClassDescriptions
  • Document and Folder operations
  • Search and query
  • Browse - folder hierarchy query of contained subfolders and documents

Access the API endpoint by using the following URL:

https://hostname.bpm.ibmcloud.com/dba/environment/content-services-graphql/graphql

where environment has the value dev for the development environment, test for the test environment, or run for the production environment.

GraphQL also has an in-browser integrated development environment (GraphiQL) that helps you explore and interact with the API. Access GraphiQL by using the following URL:

https://hostname.bpm.ibmcloud.com/dba/environment/content-services-graphql/

Make sure you include "/" at the end of the URL.

Testing connection to the API

After you access the GraphiQL instance for the API, you can test the connection to the Content Platform Engine:

{
  _apiInfo(repositoryIdentifier: "OS1") {
    buildDate
    buildNumber
    implementationVersion
    implementationTitle
    productVersion
    cpeInfo {
      cpeURL
      cpeUser
      repositoryName
    }
  }
}

The value for the repositoryIdentifier is the Content Platform Engine object store name (symbolic name) or ID (GUID). A successful connection provides a return like the following example:

{
 "data": {
  "_apiInfo": {
  "buildDate": "February 28, 2020 at 09:20",
  "buildNumber": "29",
  "implementationVersion": "20200228-0920-29-pwtest330",
  "implementationTitle": "IBM FileNet Content Services GraphQL API - content-graphql-api",
  "productVersion": "5.5.4",
  "cpeInfo": {
   "cpeUser": "uid=admin@ibm.com,cn=users,O=IBM,C=US",
   "repositoryName": "OS1"
   }
  }
 }
}

For more information, refer to the Content Services GraphQL Development Guide.
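
The same connection test can be scripted outside GraphiQL. The following is an added example, not IBM sample code: it builds the `_apiInfo` POST request for one environment and checks the reply, using the sample response from this page as input. The input patterns, the `tenant1` host label, the function names, and the caller-supplied `headers` argument for authentication are assumptions of this example.

```python
import json
import re
import urllib.request

ENVIRONMENTS = ("dev", "test", "run")  # environment values listed on this page

# Assumed input rules (not from IBM): one DNS label for the host part, and a
# symbolic name or GUID for the repository identifier.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_SYMBOLIC = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")
_GUID = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")

_FIELDS = ("buildDate buildNumber implementationVersion implementationTitle "
           "productVersion cpeInfo { cpeURL cpeUser repositoryName }")

# Response body copied from the example on this page.
SAMPLE_RESPONSE = """
{"data": {"_apiInfo": {
  "buildDate": "February 28, 2020 at 09:20",
  "buildNumber": "29",
  "implementationVersion": "20200228-0920-29-pwtest330",
  "implementationTitle": "IBM FileNet Content Services GraphQL API - content-graphql-api",
  "productVersion": "5.5.4",
  "cpeInfo": {"cpeUser": "uid=admin@ibm.com,cn=users,O=IBM,C=US",
              "repositoryName": "OS1"}}}}
"""


def graphql_endpoint(hostname, environment):
    """Build the endpoint URL, rejecting values that would alter its structure."""
    if not _HOST_LABEL.match(hostname):
        raise ValueError("hostname must be a single DNS label")
    if environment not in ENVIRONMENTS:
        raise ValueError("environment must be one of %s" % (ENVIRONMENTS,))
    return ("https://%s.bpm.ibmcloud.com/dba/%s/content-services-graphql/graphql"
            % (hostname, environment))


def build_api_info_request(hostname, environment, repository, headers=None):
    """Return an unsent urllib Request carrying the _apiInfo query."""
    if not (_SYMBOLIC.match(repository) or _GUID.match(repository)):
        raise ValueError("repository must be a symbolic name or a GUID")
    # The identifier is validated above, then emitted as a quoted string literal.
    query = "{ _apiInfo(repositoryIdentifier: %s) { %s } }" % (
        json.dumps(repository), _FIELDS)
    all_headers = {"Content-Type": "application/json"}
    all_headers.update(headers or {})  # authentication is supplied by the caller
    return urllib.request.Request(
        graphql_endpoint(hostname, environment),
        data=json.dumps({"query": query}).encode("utf-8"),
        headers=all_headers, method="POST")


def check_api_info(response_text, expected_repository):
    """Validate a reply and return the fields worth recording."""
    doc = json.loads(response_text)
    if doc.get("errors"):
        raise RuntimeError("GraphQL errors: %r" % doc["errors"])
    info = (doc.get("data") or {}).get("_apiInfo")
    if not info:
        raise RuntimeError("reply carries no _apiInfo object")
    cpe = info.get("cpeInfo") or {}
    if cpe.get("repositoryName") != expected_repository:
        raise RuntimeError("connected to %r, expected %r"
                           % (cpe.get("repositoryName"), expected_repository))
    # cpeUser is the identity the API connected as; record it so an
    # unexpected account shows up in review.
    return {"productVersion": info.get("productVersion"),
            "cpeUser": cpe.get("cpeUser"),
            "repositoryName": cpe["repositoryName"]}
```

Pass the returned request to `urllib.request.urlopen` to send it; `check_api_info` compares against the symbolic name, so look that name up first when you query by GUID.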

Webhook

A webhook is a way for the Content Platform Engine to provide near real-time information to other interested applications or services. When the subscribed event occurs, the Content Engine makes an HTTP POST request to the URL that is configured for the webhook.

Webhooks are user-defined HTTP callbacks made with HTTP POST. They provide a loosely coupled means of integration between different services. The Content Platform Engine supports making such callbacks when triggered by some event in the Content Platform Engine, such as the check-in of a document to a repository or the update of a property on a Content Platform Engine object.

For more information on Webhook, refer to Content Platform Engine event webhooks.

Webhook is supported in the Content Services GraphQL API. For more information, refer to Content Event Webhook examples.

Using the Content Platform Engine Java and .NET API

You can use the Content Platform Engine Java and .NET API to develop and run on-premises custom applications to connect to Business Automation Content Services on Cloud. You can download the Content Platform Engine Java and .NET API package from the cloud portal with detailed instructions on how to configure. See Components for more information.

Applications that target Business Automation Content Services on Cloud require an additional parameter in the connection URL. Add the following parameter to the URL that you construct to communicate with the Content Platform Engine services that are running in the Business Automation Content Services on Cloud environment:

?useBasicAuth=true

For example:

https://hostname.bpm.ibmcloud.com/dba/environment/wsi/FNCEWS40MTOM?useBasicAuth=true

where environment has the value dev for the development environment, test for the test environment, or run for the production environment.

For more information, refer to the detailed instructions that come with the Content Platform Engine Java and .NET API package.

Integrating with IBM on-premises software

You can use Business Automation Content Services on Cloud as a content repository for the IBM Content Collector for File Systems, IBM Content Collector for SAP, and Datacap on-premises software. This enables your business to archive or scan on-premises content into Business Automation Content Services on Cloud, achieving the benefits of enterprise content management in the Cloud.

For details on how to configure IBM Content Collector for File Systems on-premises with Business Automation Services on Cloud, refer to the following technical notice.

For details on how to configure IBM Content Collector for SAP on-premises with Business Automation Services on Cloud, refer to the following technical notice.

For details on how to configure Datacap on-premises with Business Automation Content Services on Cloud, refer to the following technical notice.

Security Assertion Markup Language (SAML) Single Sign-On

IBM Business Automation Content Services on Cloud supports Security Assertion Markup Language (SAML) single sign-on via the Digital Business Automation on Cloud platform. Single sign-on is defined as the ability to leverage a single user identity (user email and password) to access multiple systems. In IBM Digital Business Automation on Cloud, you can leverage your own company user identity or user email to access IBM Digital Business Automation on Cloud platform using SAML. SAML enables the IBM Digital Business Automation on Cloud platform to delegate user authentication to your company authentication process. IBM Digital Business Automation on Cloud platform supports both identity provider (IdP) initiated mode and service provider initiated mode for SAML single sign-on.

Microsoft Azure Marketplace listing

IBM Digital Business Automation on Cloud is now listed in the Microsoft Azure Marketplace.

You can use Microsoft Azure Active Directory to manage user access and enable single sign-on with the IBM Digital Business Automation on Cloud platform. An existing IBM Business Automation Content Services on Cloud subscription is required.

For step-by-step instructions on connecting IBM Digital Business Automation on Cloud to Azure Active Directory, see this Tutorial.

Secure communication to the Cloud instance endpoints

Business Automation Content Services on Cloud supports TLS 1.2 as the minimum level of secure communication to the Cloud instance endpoints. Supported ciphers are based on ECDHE_RSA key exchange with GCM/CBC based encryption.
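
A client can pin itself to this policy so that a downgrade or an unexpected suite fails the handshake instead of passing silently. The following is an added example, not IBM code: it builds a Python `ssl` context that refuses anything below TLS 1.2 and, for TLS 1.2, offers only ECDHE_RSA suites with AES-GCM or AES-CBC. Restricting the suites to AES is an assumption of this example (the page names only the key exchange and the modes), and the function names are hypothetical.

```python
import socket
import ssl

# OpenSSL cipher string: ECDHE key exchange AND RSA authentication AND AES.
# For TLS 1.2 this selects the AES-GCM suites first, then the AES-CBC suites.
# Assumption of this example: only AES is allowed as the block cipher.
DOCUMENTED_TLS12_CIPHERS = "ECDHE+aRSA+AESGCM:ECDHE+aRSA+AES"


def build_client_context():
    """Client context limited to TLS 1.2+ and ECDHE_RSA with AES-GCM/AES-CBC."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(DOCUMENTED_TLS12_CIPHERS)
    return ctx


def offered_tls12_suites(ctx):
    """Names of the pre-TLS 1.3 suites the context will offer.

    OpenSSL configures TLS 1.3 suites separately from set_ciphers(), so they
    still appear in get_ciphers() and are skipped here.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def matches_documented_policy(protocol, cipher_name):
    """Classify a negotiated (protocol, cipher) pair in OpenSSL naming."""
    if protocol == "TLSv1.3":
        # Above the documented minimum; TLS 1.3 suite names do not encode
        # the key exchange, so there is nothing further to match.
        return True
    if protocol != "TLSv1.2":
        return False
    return cipher_name.startswith("ECDHE-RSA-AES")


def probe(host, port=443, timeout=10):
    """Connect with the restricted context; return (protocol, cipher name).

    Raises ssl.SSLError when the endpoint cannot meet the policy.
    """
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Run `probe()` against your own instance host name from a monitoring job and feed the result to `matches_documented_policy()` to catch a change in what the endpoint negotiates.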

Time synchronization

The server used for network time synchronization is time.service.networklayer.com. For more information, refer to Synchronizing system clocks.


Document Information

Modified date:
28 August 2020

UID

swg27050963