IBM BPM V8.0.1, all platforms
Securing IBM BPM and applications
Security of IBM BPM and applications depends on securing the runtime environment and securing applications.
Securing the IBM BPM runtime environment involves enabling administrative security, enabling application security, creating profiles with security, and restricting access to critical functions to selected users.
Securing an application includes authenticating users, implementing access control for operations and resources, and providing data integrity and privacy.
IBM BPM security is based on the WebSphere Application Server version 8.0 security.
For detailed information about security, see the WebSphere Application Server ND Information Center.
Security tasks can be broadly divided into those concerning the administration of security in the IBM BPM environment and those that are related to the applications running in IBM BPM. The security of the server environment is central to the security of applications, and therefore the two sides should not be thought of in isolation.
Securing the environment involves enabling administrative security, enabling application security, creating profiles with security, and restricting access to critical functions to selected users.
To secure an application, consider the following aspects:
- Authentication of users. A user or a process that invokes an application must be authenticated. With single sign-on, a user provides authentication data once and that authentication information is then passed to downstream components.
- Access control. The authenticated user must have permission to perform the operation.
- Data integrity and privacy. The data that is accessed by an application must be secured so that no unauthorized party can view or modify it in any way.
The rest of this section describes the security considerations at various stages of operation of the IBM BPM environment.
IBM BPM security is built on WebSphere Application Server 8.0 security. Considerations that are specific to IBM BPM are listed.
- The administrative console page Business Integration Security is unique to IBM BPM. You display this page by expanding Security and clicking Business Integration Security.
This page allows users to assign specific identities from their user registry to important business integration authentication aliases. In addition, you can administer your Business Process Choreographer security settings on this page.
- Application security is turned on by default in IBM BPM. This is not the case in WebSphere Application Server.
- IBM BPM contains a set of component-specific security roles.
The following list provides an overview of the tasks you perform when securing IBM BPM. For detailed instructions, refer to the related tasks.
- Consider security when you install IBM BPM.
- Secure your environment before installation.
- Prepare the operating system for installation of IBM BPM.
- Prepare the environment after installation.
- Ensure that security is turned on for your stand-alone or deployment environment installation.
- Ensure that Administrative security is turned on.
- Ensure that Application security is turned on.
- If required, turn on Java™ 2 security.
- Use the Security Configuration wizard in the administrative console to configure security options.
- Set up a secure authentication mechanism and user account repository.
- Assign user names and passwords to important business integration authentication aliases.
- Assign users to appropriate administrative security roles.
- Assign users and groups to appropriate internal groups (using the Process Admin Console) so that IBM Process Center, IBM Process Portal, and other tools can be accessed by those users and groups.
- Set up security for specific IBM BPM components.
For example, use the Security Roles widget to set up role-based access control for timetables in the Business Calendars widget.
- Secure the applications that you deploy to your process server environment.
- Develop your applications in Integration Designer using all appropriate security features.
- Deploy your applications to your IBM BPM environment.
- Assign users or groups to appropriate security roles to control access to the newly deployed application.
- Maintain the security of your IBM BPM environment.
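The task list above is a checklist; as an added example (not IBM's code and not part of this topic), the following wsadmin Jython helper turns on administrative security, application security and, if required, Java 2 security, maps an administrator, and then verifies the result. It assumes the WebSphere Application Server AdminTask commands setAdminActiveSecuritySettings, mapUsersToAdminRole and getActiveSecuritySettings; the bracketed output string it parses is a constructed sample, and the real output of getActiveSecuritySettings carries more attributes.

```python
# Added example, not IBM's code. Runs under wsadmin (Jython) where AdminTask and
# AdminConfig are injected; the check functions also run stand-alone in CPython.
import re

# Settings this topic says must be on. Java 2 security is "if required", so it
# is checked only when asked for.
REQUIRED = {'enabled': 'true', 'appEnabled': 'true'}


def security_settings_args(java2=False):
    """Argument string for AdminTask.setAdminActiveSecuritySettings
    (assumed parameter names: -enabled, -appEnabled, -enforceJava2Security)."""
    flag = 'true' if java2 else 'false'
    return '[-enabled true -appEnabled true -enforceJava2Security %s]' % flag


def admin_role_args(role, userids):
    """Argument string for AdminTask.mapUsersToAdminRole (assumed parameters
    -roleName and -userids)."""
    return '[-roleName %s -userids [%s]]' % (role, ' '.join(userids))


def parse_settings(output):
    """Parse wsadmin's bracketed '[name value]' list into a dict.
    The '[name value]' layout is an assumption about the command's output."""
    return dict(re.findall(r'\[(\w+) ([^\[\]]*)\]', output))


def check_settings(output, require_java2=False):
    """Return the names of required settings that are missing or not 'true'."""
    settings = parse_settings(output)
    required = dict(REQUIRED)
    if require_java2:
        required['enforceJava2Security'] = 'true'
    return [name for name, want in sorted(required.items())
            if settings.get(name) != want]


def enable_security(admin_task, admin_config, admin_users, java2=False):
    """Apply the settings, map the administrators, save, and return the list of
    settings that are still not as required (empty means the checks passed)."""
    admin_task.setAdminActiveSecuritySettings(security_settings_args(java2))
    admin_task.mapUsersToAdminRole(admin_role_args('administrator', admin_users))
    admin_config.save()
    return check_settings(admin_task.getActiveSecuritySettings(), java2)


# Constructed sample of getActiveSecuritySettings() output: administrative
# security is on but application security is still off.
SAMPLE_OUTPUT = ('[[enabled true] [appEnabled false] '
                 '[enforceJava2Security false] [activeAuthMechanism LTPA]]')


def main():
    admin_task = globals().get('AdminTask')
    admin_config = globals().get('AdminConfig')
    if admin_task is None or admin_config is None:
        # Outside wsadmin: show what the verification reports for the sample.
        print('gaps in sample settings: %s' % check_settings(SAMPLE_OUTPUT))
    else:
        # 'bpmadmin' is a placeholder user id, not a value from the topic.
        print('gaps after enabling: %s'
              % enable_security(admin_task, admin_config, ['bpmadmin']))


if __name__ == '__main__':
    main()
```

Run it with `wsadmin.sh -lang jython -f enable_security.py` against the deployment manager; an empty list from enable_security means the checklist items for administrative and application security are satisfied, and any name it returns is a setting that still needs attention.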
- Get started with security
Security is an integral consideration when you are planning to install IBM BPM, when you are developing and deploying applications, and in the day-to-day running of IBM BPM.
- Defining RunAs roles user assignments for system applications
The bpmModifyMapRunAsRole script provides a way to define the RunAs roles user assignments for the system applications that are shipped with the IBM BPM product.
- Configure SSL for IBM BPM
You can enable SSL communication for IBM BPM. This process enables secure HTTPS communication between the Process Center and the Process Server.
- Configure cross-cell security for IBM Process Center
Before registering a Process Center with another Process Center in a different cell, complete the security configuration. Once the security configuration between the cells is completed, a Process Center in one cell can register a Process Center in another cell with the HTTPS protocol over SSL.
- Configure administrative and application security
The first step in securing your IBM BPM environment and your applications is to make sure that administrative security is enabled. In WebSphere Application Server version 7.0, administrative security is enabled by default. If you have disabled administrative security, use the following instructions to enable it again.
- Manage IBM BPM users and groups
The way that IBM BPM handles security for users and groups depends on whether you are using IBM BPM Advanced or IBM BPM Standard.
- Configure external security providers
To use an external security provider, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a stand-alone Lightweight Directory Access Protocol (LDAP) registry, a stand-alone custom registry, and federated repositories.
- Securing access to timetables in the Business Calendars widget
The Security Roles widget provides you with the ability to secure access to individual timetables in the Business Calendars widget. You use the Security Roles widget to assign roles to the members of an organization. It is these roles that determine the level of access to the timetables.
- Securing access to CEI functions
- Set up security for the Business Space component and Process Portal
If you are using Process Portal with your environment, you must consider security options for the Business Space component.
If you want to turn on security, set up application security and designate a user repository. To define administrators, assign a Business Space superuser role.
- Security in human tasks and BPEL processes
There are a number of roles associated with human tasks and BPEL processes. These roles are unique to tasks and processes that run in Business Process Choreographer.
Related tasks:
Importing process applications and toolkits from the Process Center repository
Related reference:
Security considerations specific to IBM BPM