IBM BPM, V8.0.1, All platforms > Installing, deploying, and undeploying applications in the runtime environment > Deploying service modules > Deploying secure applications

Assigning users to roles

A secured application uses one or both of the security qualifiers securityPermission and securityIdentity. When these qualifiers are present, there are additional steps that must be taken at deployment time in order that the application and its security features work correctly.

This task assumes that you have a secured application ready to deploy as an EAR file into IBM BPM.

Applications implement interfaces that have methods. You can secure an interface or a method with the Service Component Architecture (SCA) qualifier securityPermission. When you invoke this qualifier, you specify a role (for example, "supervisors") that has permission to invoke the secured method. When you deploy the application you have the opportunity to assign users to the specified role.

The securityIdentity qualifier is equivalent to the RunAs role used for delegations in WebSphere Application Server. The value associated with this qualifier is a role. During deployment, the role is mapped to an identity. Invocation of a component secured with securityIdentity takes the specified identity, regardless of the identity of the user who is invoking the application.


Procedure

  1. Follow the instructions for deploying an application into IBM BPM. See "Deploying a module or mediation module" for more details.

  2. Associate the correct users with the roles.
    Security qualifier Action to take
    Security Permission Assign a user or users to the role specified. There are four choices:

    • Everyone - equivalent to no security.

    • All authenticated - every authenticated user is a member of the role.
    • Mapped User - Individual users are added to the role.
    • Mapped Groups - Groups of users are added to the role.

    The most flexible choice is Mapped Groups, because users can be added to the group and thus gain access to the application without restarting the server.

    Security Identity Provide a valid user name and password for the identity to which the role is mapped.

Deploying secure applications


Related concepts:
Get started with security


Related information:
Deploying a module or mediation module
Delegations