IBM BPM, V8.0.1, All platforms > Securing IBM BPM and applications > Set up security for the Business Space component and Process Portal

Selecting the user repository for Process Portal

The federated repositories option is the default user account repository option for profiles. You can change the type of user account repository if needed for your environment.

Before you complete this task, you must have completed the following tasks:

To enable authenticated access to Process Portal, you must have a user registry configured and application security enabled. For information about application security, see Enabling security for the Business Space component.

Considerations for using a user account registry with Process Portal:


Procedure

  1. In the administrative console, on the Global security page, under User account repository, select Federated repositories, Local operating system, Standalone LDAP registry, or Standalone custom registry, and configure it.
  2. Restart the server.

  3. If you change the user repository from the default Federated repositories, set the MashupAdminForOOBSpace property in ConfigService.properties to the user ID of the account that is to administer the out-of-the-box spaces. The value must be that account's login property in the new repository (the UID property, or whatever you set userIdKey to in step 4).

    1. Copy the modified file into an empty folder on your system. The ConfigService.properties file is located at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for a cluster.

    2. Run the updatePropertyConfig command using the wsadmin scripting client.

      Important: For Windows, the value of the propertyFileName parameter must be the full path to the file, and every backslash must be doubled, because a Jython string literal treats sequences such as \n and \t as escape characters (so \node_name would become a newline followed by ode_name). For example: AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]'). On Linux and UNIX, use the forward-slash form of the path. Inside Jacl braces, backslashes are passed through unchanged, so they are not doubled in the Jacl examples.

      • For a stand-alone server:

        The following example uses Jython:

        AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name '
            '-propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" '
            '-prefix "Mashups_"]')
        AdminConfig.save()

        The following example uses Jacl:

        $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name
            -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties"
            -prefix "Mashups_"}
        $AdminConfig save

      • For a cluster:

        The following example uses Jython:

        AdminTask.updatePropertyConfig('[-clusterName cluster_name '
            '-propertyFileName "deployment_manager_profile_root\\BusinessSpace\\cluster_name\\mm.runtime.prof\\config\\ConfigService.properties" '
            '-prefix "Mashups_"]')
        AdminConfig.save()

        The following example uses Jacl:

        $AdminTask updatePropertyConfig {-clusterName cluster_name
            -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties"
            -prefix "Mashups_"}
        $AdminConfig save

    3. Log in to Process Portal and reassign the owners of the default spaces to the new administrator ID.

  4. If your LDAP repository uses a unique attribute other than uid (user ID), such as mail (email address), as the login property, change the userIdKey property in ConfigService.properties to match it; otherwise user and group searches in Business Space do not work.

    1. Locate the ConfigService.properties file at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for a cluster.
    2. Change the userIdKey property from uid to the login property of your LDAP user repository, for example, mail.

    3. Copy the modified file into an empty folder on your system.

    4. Run the updatePropertyConfig command using the wsadmin scripting client.

      Important: For Windows, the value of the propertyFileName parameter must be the full path to the file, and every backslash must be doubled, because a Jython string literal treats sequences such as \n and \t as escape characters. For example: AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]'). On Linux and UNIX, use the forward-slash form of the path. Inside Jacl braces, backslashes are passed through unchanged, so they are not doubled in the Jacl examples.

      • For a stand-alone server:

        The following example uses Jython:

        AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name '
            '-propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" '
            '-prefix "Mashups_"]')
        AdminConfig.save()

        The following example uses Jacl:

        $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name
            -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties"
            -prefix "Mashups_"}
        $AdminConfig save

      • For a cluster:

        The following example uses Jython:

        AdminTask.updatePropertyConfig('[-clusterName cluster_name '
            '-propertyFileName "deployment_manager_profile_root\\BusinessSpace\\cluster_name\\mm.runtime.prof\\config\\ConfigService.properties" '
            '-prefix "Mashups_"]')
        AdminConfig.save()

        The following example uses Jacl:

        $AdminTask updatePropertyConfig {-clusterName cluster_name
            -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties"
            -prefix "Mashups_"}
        $AdminConfig save

  5. If you want to restrict logging in to Process Portal to a subset of users and groups, change the mapping of the Business Space Java™ EE security roles.

    1. The user/group mapping must be updated for two enterprise applications: BSpaceEAR_node_server and mm.was_node_server (for a stand-alone server environment) or BSpaceEAR_cluster and mm.was_cluster (for an ND environment).

    2. Click Applications > Application Types > WebSphere enterprise applications and select the two applications.

    3. In the right panel, under Detail Properties, select Security role to user/group mapping.
    4. For each of the two applications, remap the businessspaceusers and Allauthenticated roles. First remove the special subject:

    5. Click Map Special Subjects and select None.

    6. Click Map Users or Map Groups and assign each role to your selected users or groups. Map both roles in both applications before you restart: a role with no special subject and no mapped users or groups grants access to nobody.
    Changing the Java EE security role mapping does not affect the user/group search function in Business Space; searches still cover the whole user registry, not only the mapped users and groups.
  6. Restart the server.

  7. Log in to Process Portal and reassign the owners of the default spaces to the new administrator ID.
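The property edits in steps 3 and 4 and the wsadmin call that applies them, as an added example that is not part of this IBM page or of the product. It runs under CPython (the wsadmin statements are emitted as text, not executed), the ConfigService.properties content is a constructed sample, and the node, server, cluster and administrator names are placeholders. It also shows the backslash problem behind the Important note: a single-backslash Windows path pasted into a Jython literal has \n in \node01 reinterpreted as a newline.

```python
"""Stage a ConfigService.properties edit and emit the matching wsadmin call.

Added example, not IBM code. Names and the sample file content are made up.
"""
import os
import re
import tempfile

# Constructed excerpt of a Business Space ConfigService.properties file.
SAMPLE_PROPERTIES = """\
# Business Space runtime configuration (constructed sample)
MashupAdminForOOBSpace=admin
userIdKey=uid
com.ibm.mashups.user.userProfile=FULL
"""

# Backslash sequences a Jython (Python 2) string literal reinterprets; this is
# why the page requires doubled backslashes in the propertyFileName value.
RISKY_ESCAPE = re.compile(r"\\[ntbfrav0-7xuUN'\"\\]")

def parse_properties(text):
    """Minimal reader for the key=value lines this task touches.
    Handles '#'/'!' comments and '=' or ':' separators; no line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def set_property(text, key, value):
    """Return text with key=value replacing the existing line, or appended."""
    out, found = [], False
    for raw in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]", raw)
        if m and m.group(1) == key:
            out.append("%s=%s" % (key, value))
            found = True
        else:
            out.append(raw)
    if not found:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"

def admin_id_warnings(props):
    """Heuristic check (an assumption of this example): MashupAdminForOOBSpace
    must be expressed in the login property named by userIdKey, so with
    userIdKey=mail it should look like an address."""
    admin = props.get("MashupAdminForOOBSpace", "")
    key = props.get("userIdKey", "uid")
    warnings = []
    if not admin:
        warnings.append("MashupAdminForOOBSpace is empty")
    if key == "mail" and "@" not in admin:
        warnings.append("userIdKey=mail but MashupAdminForOOBSpace %r is not an address" % admin)
    return warnings

def unsafe_escapes(path):
    """Backslash sequences in path that a single-quoted Jython literal would mangle."""
    return RISKY_ESCAPE.findall(path)

def update_property_config(props_path, server=None, node=None, cluster=None, prefix="Mashups_"):
    """Build the two wsadmin Jython statements from the page, for a stand-alone
    server (server + node) or a cluster, with every backslash doubled."""
    if cluster:
        target = "-clusterName %s" % cluster
    elif server and node:
        target = "-serverName %s -nodeName %s" % (server, node)
    else:
        raise ValueError("give cluster, or both server and node")
    literal = props_path.replace("\\", "\\\\")
    return ("AdminTask.updatePropertyConfig('[%s -propertyFileName \"%s\" -prefix \"%s\"]')\n"
            "AdminConfig.save()" % (target, literal, prefix))

def stage_for_update(props_path, changes, staging_dir=None):
    """Copy props_path into an empty folder (the page's 'copy the modified file
    into an empty folder'), apply changes to that copy, and return its path."""
    with open(props_path, encoding="latin-1") as f:   # .properties files are ISO-8859-1
        text = f.read()
    for key, value in changes.items():
        text = set_property(text, key, value)
    staging_dir = staging_dir or tempfile.mkdtemp(prefix="bspace-props-")
    if os.listdir(staging_dir):
        raise RuntimeError("staging folder %s is not empty" % staging_dir)
    staged = os.path.join(staging_dir, os.path.basename(props_path))
    with open(staged, "w", encoding="latin-1") as f:
        f.write(text)
    return staged

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    original = os.path.join(work, "ConfigService.properties")
    with open(original, "w", encoding="latin-1") as f:
        f.write(SAMPLE_PROPERTIES)
    # Switch the login property to mail and name the administrator accordingly.
    staged = stage_for_update(original, {"userIdKey": "mail",
                                         "MashupAdminForOOBSpace": "bpmadmin@example.com"})
    with open(staged, encoding="latin-1") as f:
        print(admin_id_warnings(parse_properties(f.read())) or "admin ID consistent with userIdKey")
    print(update_property_config(staged, server="server1", node="node01"))
    print("mangled if pasted with single backslashes:", unsafe_escapes(r"C:\IBM\node01\server1"))
```

The staged copy, not the live file under mm.runtime.prof, is what the emitted -propertyFileName points at; the empty-folder check mirrors the page's instruction so that no stray file is picked up alongside it.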


What to do next

If you find the following errors in the SystemOut.log file, you might have extra attributes in your user registry that cannot be processed:

 00000046 SystemErr R Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1013E
    The value of the property secretary is not valid for entity uid=xxx,c=us,ou=yyy,o=ibm.com.
 00000046 SystemErr R at com.ibm.ws.wim.adapter.ldap.LdapAdapter.setPropertyValue(LdapAdapter.java:3338)

Set the following properties in the ConfigService.properties file so that Business Space reads only a limited user and group profile and bypasses those attributes:

com.ibm.mashups.user.userProfile = LIMITED
com.ibm.mashups.user.groupProfile = LIMITED

The ConfigService.properties file is located at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for a cluster. After modifying the ConfigService.properties file, run the updatePropertyConfig command using the wsadmin scripting client by following the instructions in step 4.4.
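A small scanner for the CWWIM1013E condition described above, as an added example that is not part of this IBM page. The log excerpt is constructed to match the message shape shown above; the DNs and attribute names in it are made up. It reports which registry attributes tripped the error and, if any did, returns the two LIMITED settings from the page.

```python
"""Find CWWIM1013E 'property not valid' errors in a SystemOut.log excerpt.

Added example, not IBM code. The log lines below are constructed.
"""
import re

# Constructed SystemOut.log excerpt modelled on the error shown on the page.
SAMPLE_LOG = """\
[3/4/13 10:15:02:118 CET] 00000046 SystemErr     R Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1013E  The value of the property secretary is not valid for entity uid=jdoe,c=us,ou=bluepages,o=ibm.com.
[3/4/13 10:15:02:120 CET] 00000046 SystemErr     R     at com.ibm.ws.wim.adapter.ldap.LdapAdapter.setPropertyValue(LdapAdapter.java:3338)
[3/4/13 10:15:09:004 CET] 00000052 SystemErr     R Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1013E  The value of the property manager is not valid for entity uid=asmith,c=us,ou=bluepages,o=ibm.com.
[3/4/13 10:16:00:000 CET] 00000060 SystemOut     O BSPACE: user profile loaded
"""

# Message text as printed on the page; the trailing period after the DN is optional.
CWWIM1013E = re.compile(
    r"CWWIM1013E\s+The value of the property (\S+) is not valid for entity (.+?)\.?$")

# The two ConfigService.properties settings the page prescribes for this error.
LIMITED_PROFILE = [
    ("com.ibm.mashups.user.userProfile", "LIMITED"),
    ("com.ibm.mashups.user.groupProfile", "LIMITED"),
]

def find_unprocessable_attributes(log_text):
    """Return {attribute_name: {entity DN, ...}} for every CWWIM1013E line."""
    hits = {}
    for line in log_text.splitlines():
        m = CWWIM1013E.search(line)
        if m:
            hits.setdefault(m.group(1), set()).add(m.group(2))
    return hits

def recommended_settings(log_text):
    """Return the property lines to add if the error occurs, else an empty list."""
    if not find_unprocessable_attributes(log_text):
        return []
    return ["%s = %s" % (key, value) for key, value in LIMITED_PROFILE]

if __name__ == "__main__":
    for attr, entities in sorted(find_unprocessable_attributes(SAMPLE_LOG).items()):
        print("attribute %-10s rejected for %d entit(ies), e.g. %s"
              % (attr, len(entities), sorted(entities)[0]))
    print("\n".join(recommended_settings(SAMPLE_LOG)))
```

Run it against a real SystemOut.log by reading the file into `find_unprocessable_attributes`; the attribute names it prints are the ones the LIMITED profile stops Business Space from reading.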

If Java 2 security (Java security policy enforcement) is enabled in a cluster, consider tightening the entry in the server policy that covers the Business Space help location. The default entry grants java.security.AllPermission to all code under the node's temp directory, not only to the help application.

The Business Space help location policy is:

grant codeBase "file:${was.install.root}/profiles/profile_name/temp/node_name/-" {

permission java.security.AllPermission;

};

Tighten the policy by limiting the grant to the help module:

grant codeBase "file:${was.install.root}/profiles/profile_name/temp/node_name/server_name/BSpaceHelpEAR_node_name_server_name/BSpaceHelp.war/-" {

permission java.security.AllPermission;

};
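A check for the broad grant described above, as an added example that is not part of this IBM page. The policy fragment is constructed from the two entries shown above with placeholder profile, node and server names; the parser handles only the grant codeBase form used there. It flags an AllPermission grant whose codeBase covers a whole node temp directory and derives the narrowed codeBase following the page's pattern.

```python
"""Flag AllPermission grants scoped to an entire node temp directory.

Added example, not IBM code. The policy text and names below are constructed.
"""
import re

# Constructed server.policy fragment: the page's default entry and its tightened form.
SAMPLE_POLICY = """\
grant codeBase "file:${was.install.root}/profiles/Dmgr01/temp/node01/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/profiles/Dmgr01/temp/node01/server1/BSpaceHelpEAR_node01_server1/BSpaceHelp.war/-" {
  permission java.security.AllPermission;
};
"""

GRANT = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.S)
NODE_TEMP = re.compile(r"(.*/temp/([^/]+))/-$")

def parse_grants(policy_text):
    """Return [(codeBase, [permission entries])] for each grant codeBase block."""
    grants = []
    for m in GRANT.finditer(policy_text):
        perms = [p.strip() for p in m.group(2).split(";") if p.strip()]
        grants.append((m.group(1), perms))
    return grants

def overly_broad_allpermission(policy_text):
    """codeBases that hand AllPermission to everything under .../temp/<node>/-."""
    return [code_base for code_base, perms in parse_grants(policy_text)
            if any("java.security.AllPermission" in p for p in perms)
            and NODE_TEMP.search(code_base)]

def tightened_code_base(broad, server_name):
    """Narrow a .../temp/<node>/- codeBase to the Business Space help WAR,
    following the page's BSpaceHelpEAR_<node>_<server>/BSpaceHelp.war/- pattern."""
    m = NODE_TEMP.match(broad)
    if not m:
        raise ValueError("not a node temp codeBase: %s" % broad)
    base, node = m.groups()
    return "%s/%s/BSpaceHelpEAR_%s_%s/BSpaceHelp.war/-" % (base, server_name, node, server_name)

if __name__ == "__main__":
    for code_base in overly_broad_allpermission(SAMPLE_POLICY):
        print("too broad:", code_base)
        print("replace with:", tightened_code_base(code_base, "server1"))
```

The narrowed entry still grants AllPermission, only to a smaller codeBase; anything else that is unpacked under the node's temp directory no longer inherits it.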
