IBM BPM, V8.0.1, All platforms > Install IBM BPM > Plan for IBM BPM > Plan to configure Business Process Choreographer > Plan for a custom configuration

Plan security, user IDs, and authorizations

Plan the user IDs and authorizations for configuring Business Process Choreographer.

During configuration, you need to use various user IDs and you must specify other user IDs that will be used at run time. Make sure that you plan and create all user IDs before you start configuring Business Process Choreographer.

For a sample Business Process Choreographer configuration:

You only need the authority to create a new profile. When you use the Profile Management Tool (pmt.sh) with the option to create a typical profile and enable administrative security, the Business Process Choreographer sample is configured for you. No other planning or user IDs are required, and you can skip this task.

For a high security configuration:

You must plan all user IDs in detail as described in this task.

For a low security configuration:

If you do not require full security, for example on a non-production system, you can reduce the number of user IDs. You must still plan all user IDs in detail, but you can use one user ID for several purposes. Each shared user ID then holds the union of the rights that all of its purposes require, so check that a user ID presented by the server at run time does not acquire rights, such as the ability to change the database schema, that it would not otherwise need.

For example, the database user ID that is used to create the database schema can also be used as the data source user name to connect to the database at run time.

If you will use the bpeconfig.jacl script to configure Business Process Choreographer:

The user ID used to run the bpeconfig.jacl script must have the necessary rights for the configuration actions that the script will perform. Otherwise, you must specify user IDs as parameters for the script that have the necessary rights, in which case you must plan all user IDs in detail. For user IDs that can be specified as parameters to the bpeconfig.jacl script, the parameter names are included in the table. The profile must already exist. If WebSphere administrative security is enabled, you need a WebSphere administrator user ID in the configurator role that you can use to invoke the wsadmin tool.

If you will use human tasks:


Procedure

  1. Print a hardcopy of this page so that you can write your planned values in the last column. Keep it for reference when you are configuring Business Process Choreographer, and keep it in your records for future reference.
  2. Plan the user ID you will use on the Process Server to configure Business Process Choreographer.

    Planning user IDs for Process Server

    User ID or role: The user who configures Business Process Choreographer
    When the user ID is used: Configure
    What the user ID is used for: Logging onto the administrative console and running administrative scripts.
    Which rights the user ID must have: WebSphere administrator or configurator role, if WebSphere administrative security is enabled. If you are going to run the bpeconfig.jacl script to configure Business Process Choreographer, you must also provide, when you run the script, any user IDs that are necessary for the options that you select. For more information, see the bpeconfig.jacl script file.
    Planned user ID: ______

  3. Plan which people need access to subdirectories of INSTALL_ROOT. If your security policy does not allow these people to be granted this access, they will need to be given copies of the files in the directories.

    Planning access to the subdirectories of INSTALL_ROOT

    User ID or role: Database administrator
    When the user ID is used: Configure
    What the user ID is used for: Running the scripts to set up the following databases:
    • BPEDB: the default name for the Business Process Choreographer database.
    • OBSRVDB: the default name for the database for the Business Process Choreographer Explorer reporting function.
    Which rights the user ID must have: If you use the bpeconfig.jacl script to configure Business Process Choreographer, read access to (or a copy of) the schema script that bpeconfig.jacl generates in a subdirectory of profile_root/dbscripts/ProcessChoreographer/ (on Windows, profile_root\dbscripts\ProcessChoreographer\). The script is createSchema_BPC.sql for a DB2 for z/OS database and createSchema.sql for other databases. If you want to review the database script files, read access to (or a copy of the files in) the database scripts provided in INSTALL_ROOT/dbscripts/ProcessChoreographer/database_type (on Windows, INSTALL_ROOT\dbscripts\ProcessChoreographer\database_type), where database_type is one of the following:
    • DB2
    • DB2zOS
    • Oracle
    • SQLServer
    Planned user ID: ______

    User ID or role: Integration developer
    When the user ID is used: Customize
    What the user ID is used for: To use people assignment with a Lightweight Directory Access Protocol (LDAP) or Virtual Member Manager (VMM) people directory provider, you must customize a copy of the sample XSL transformation file.
    Which rights the user ID must have: Either read access to the Staff directory, INSTALL_ROOT/ProcessChoreographer/Staff (on Windows, INSTALL_ROOT\ProcessChoreographer\Staff), or a copy of the files in it. The integration developer also needs write access to a suitable directory to make the customized XSL transformation file available to the server.
    Planned user ID: ______

  4. Plan the user IDs that will be used to create, configure, and access the database that is used by Business Process Choreographer.

    Planning user IDs for the BPEDB database

    User ID or role: Database administrator
    When the user ID is used: Before configuring
    What the user ID is used for: To create the BPEDB database.
    Which rights the user ID must have: Create the database.
    Planned user ID: ______

    User ID or role: Database administrator, or an administrator who will run the bpeconfig.jacl script
    When the user ID is used: Configure
    What the user ID is used for: You or your database administrator must run the Business Process Choreographer database scripts, unless you are using the default database.
    Which rights the user ID must have: On the BPEDB database: connect, alter tables, insert into tables, and create indexes, schemas, tables, table spaces, and views.
    Planned user ID: ______

    User ID or role: Data source user name (if you use the bpeconfig.jacl script, this is the -dbUser parameter)
    When the user ID is used: Configure
    What the user ID is used for: If you select the Create Tables option, this user ID is used to create the database tables.
    Which rights the user ID must have: To use the Create Tables configuration option, this user ID must also be authorized to perform the following actions on the BPEDB database: connect, alter tables, insert into tables, and create indexes, tables, and views.
    When the user ID is used: Run time
    What the user ID is used for: The Business Flow Manager and Human Task Manager use this user ID to connect to the BPEDB database.
    Which rights the user ID must have: This user ID must be authorized to perform the following actions on the BPEDB database: connect, delete from tables, insert into tables, select from tables and views, and update tables. These are the minimum rights the server needs; in a high security configuration, grant nothing beyond them.
    When the user ID is used: After applying service or a fix pack
    What the user ID is used for: When necessary, the database schema is updated automatically after applying service. This works only if this user ID has the necessary database rights; otherwise the schema updates must be performed manually by the database administrator.
    Which rights the user ID must have: This user ID must be authorized to perform the following actions on the BPEDB database: connect to the database, alter, create, insert into, and select from tables, and create and drop indexes and views.
    Planned user ID: ______

  5. If you will have a separate database for the Business Process Choreographer's messaging engine message store, plan the user ID that will be used to access the database.

    Planning user ID for the preconfigured BPEME messaging engine database

    User ID: Bus data source user name (if you use the bpeconfig.jacl script, this is the -medbUser parameter)
    When the user ID is used: Configure and run time
    What the user ID is used for: This user name is used to connect to the BPEME database, and to create the necessary tables and index.
    Which rights the user ID must have: This user ID must be authorized to perform the following actions on the BPEME database: connect, delete from tables, insert into tables, select from tables and views, and update tables. Because the same user ID creates the messaging engine tables and index during configuration, it must also be able to create tables and indexes in the BPEME database at that time.
    Planned user ID: ______

  6. Plan the Business Process Choreographer user IDs for the Java™ Message Service (JMS).

    Planning user IDs for JMS

    User ID: JMS authentication user (if you use the bpeconfig.jacl script, this user ID and its password are the -mqUser and -mqPwd parameters)
    When the user ID is used: Run time
    What the user ID is used for: The authentication alias for the service integration bus. Specify it when configuring Business Process Choreographer.
    Which rights the user ID must have: It must be a user name that exists in the WebSphere user registry. It is automatically added to the Bus Connector role for the Business Process Choreographer bus.
    Planned user ID: ______

    User ID: JMS API authentication user (if you use the bpeconfig.jacl script, this user ID and its password are the -jmsBFMRunAsUser and -jmsBFMRunAsPwd parameters)
    When the user ID is used: Run time
    What the user ID is used for: Any Business Flow Manager JMS API requests are processed using this user ID.
    Which rights the user ID must have: The user name must exist in the WebSphere user registry.
    Planned user ID: ______

    User ID: Escalation authentication user (if you use the bpeconfig.jacl script, this user ID and its password are the -jmsHTMRunAsUser and -jmsHTMRunAsPwd parameters)
    When the user ID is used: Run time
    What the user ID is used for: Any Human Task Manager escalations are processed using this user ID.
    Which rights the user ID must have: The user name must exist in the WebSphere user registry.
    Planned user ID: ______

  7. Plan which groups or user IDs the Java EE roles for the Business Flow Manager and Human Task Manager will be mapped onto.

    Planning the security roles for the Business Flow Manager and Human Task Manager

    The system administrator and monitor security roles for both the Business Flow Manager and Human Task Manager are each mapped to a list of user IDs, groups, or both. The values defined here create the mapping that gives users in each role the access rights that they need. If you use the bpeconfig.jacl script, these users and groups correspond to the following parameters:

    • -adminUsers
    • -adminGroups
    • -monitorUsers
    • -monitorGroups

    User ID or role: Administrator user
    When the user ID is used: Run time
    Planned list of user IDs, groups, or both: ______

    User ID or role: Administrator group
    When the user ID is used: Run time
    Planned list of user IDs, groups, or both: ______

    User ID or role: Monitor user
    When the user ID is used: Run time
    Planned list of user IDs, groups, or both: ______

    User ID or role: Monitor group
    When the user ID is used: Run time
    Planned list of user IDs, groups, or both: ______

  8. Plan the user ID to use as the Java EE run-as role for administration jobs such as the Business Flow Manager and Human Task Manager cleanup services and the process instance migration tool. This user ID must be a member of the administrator role user or group planned in Table 6 (Planning the security roles for the Business Flow Manager and Human Task Manager, in step 7).

    Planning the user ID for running administration jobs

    User ID: Administration job user ID (if you use the bpeconfig.jacl script, this user ID and its password correspond to the -adminJobUser and -adminJobPwd parameters)
    When the user ID is used: Run time administration
    What the user ID is used for: This user ID is used to run administration jobs.
    Planned user ID: ______

  9. If you want human task escalations to send notification emails for specific business events, and your Simple Mail Transfer Protocol (SMTP) server requires authentication, decide which user ID will be used to connect to the email server.

    Planning the user ID for the email server

    User ID or role: Mail transport user (if you use the bpeconfig.jacl script, this is the -mailUser parameter; the password is the -mailPwd parameter)
    When the user ID is used: Run time
    What the user ID is used for: The Human Task Manager uses this user ID to authenticate against the configured mail server to send escalation emails.
    Which rights the user ID must have: Send emails.
    Planned user ID: ______

  10. If you will use people assignment for human tasks, and you will use a Lightweight Directory Access Protocol (LDAP) people directory provider that uses simple authentication, plan a Java Authentication and Authorization Service (JAAS) alias and an associated user ID that will be used to connect to the LDAP server. If the LDAP server uses anonymous authentication this alias and user ID are not required.

    Planning the alias and user ID for the LDAP server

    User ID or role: LDAP plug-in property AuthenticationAlias
    When the alias is used: Run time
    What the alias is used for: The alias is used to retrieve the user ID used to connect to the LDAP server. You specify this alias when customizing the properties for the LDAP plug-in, for example mycomputer/My LDAP Alias.
    Which rights the alias must have: The JAAS alias must be associated with the LDAP user ID.
    Planned alias: ______

    User ID or role: LDAP user ID
    When the user ID is used: Run time
    What the user ID is used for: This user ID is used to connect to the LDAP server.
    Which rights the user ID must have: If the LDAP server uses simple authentication, this user ID must be able to connect to the LDAP server. This user ID is either a short name or a distinguished name (DN). If the LDAP server requires a DN, you cannot use the short name.
    Planned user ID: ______

  11. Create the user IDs that you have planned with the necessary authorizations. If you do not have the authority to create them all yourself, submit a request to the appropriate administrators, and enter the names of the user IDs that they create for you in this table.
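The low security trade-off described at the start of this task (re-using one user ID for several purposes) and the rights listed in steps 4 to 6 can be checked mechanically before you hand the worksheet to your administrators. The following Python script is an added example and is not part of the IBM documentation or of the product: it transcribes the rights from those tables into a small model, applies a proposed role-to-user-ID assignment, and reports each runtime identity that would end up holding schema-changing rights its role does not need. The role names, resource names, upper-case right tokens and the sample user IDs (db2admin, bpcowner, bpcrun and so on) are assumptions made for the example, not IBM identifiers.

```python
"""Privilege-consolidation check for a Business Process Choreographer user-ID plan.

Added example, not part of the IBM documentation. The rights each role needs are
transcribed from the planning tables in steps 4 to 6; the role names, resource
names and upper-case right tokens are this example's own shorthand (assumed),
not IBM identifiers. Given a proposed role -> user ID assignment, the check
reports every runtime identity that ends up holding DDL rights no runtime role
needs, which is what happens when the "low security" option re-uses the schema
owner as the data source user name.
"""
from collections import defaultdict

# Rights per role and resource (step 4: BPEDB, step 5: BPEME, step 6: JMS).
ROLE_RIGHTS = {
    "bpedb_create_db": {"BPEDB": {"CREATE_DATABASE"}},
    "bpedb_schema_scripts": {"BPEDB": {
        "CONNECT", "ALTER_TABLE", "INSERT", "CREATE_INDEX", "CREATE_SCHEMA",
        "CREATE_TABLE", "CREATE_TABLESPACE", "CREATE_VIEW"}},
    "bpedb_datasource": {"BPEDB": {"CONNECT", "SELECT", "INSERT", "UPDATE", "DELETE"}},
    "bpeme_datasource": {"BPEME": {"CONNECT", "SELECT", "INSERT", "UPDATE", "DELETE"}},
    # JMS identities only need to exist in the registry or hold the bus role.
    "jms_bus_auth": {"BPC_BUS": {"BUS_CONNECTOR"}},
    "jms_bfm_api": {"WAS_REGISTRY": {"EXISTS"}},
    "htm_escalation": {"WAS_REGISTRY": {"EXISTS"}},
}

# Step 4, data source user: extra rights for the optional Create Tables
# configuration option and for automatic schema updates after a fix pack.
CREATE_TABLES_RIGHTS = {"ALTER_TABLE", "INSERT", "CREATE_INDEX", "CREATE_TABLE", "CREATE_VIEW"}
AUTO_UPDATE_RIGHTS = {"ALTER_TABLE", "CREATE_TABLE", "INSERT", "SELECT",
                      "CREATE_INDEX", "DROP_INDEX", "CREATE_VIEW", "DROP_VIEW"}

# Everything that changes schema rather than data.
DDL_RIGHTS = {"CREATE_DATABASE", "CREATE_SCHEMA", "CREATE_TABLESPACE", "CREATE_TABLE",
              "ALTER_TABLE", "CREATE_INDEX", "DROP_INDEX", "CREATE_VIEW", "DROP_VIEW"}

# Roles whose user ID is presented by a running server, not by a person.
RUNTIME_ROLES = {"bpedb_datasource", "bpeme_datasource", "jms_bus_auth",
                 "jms_bfm_api", "htm_escalation"}


def required_rights(role, *, create_tables=False, auto_schema_update=False):
    """Rights a single role needs, with the data source options switched in."""
    rights = {res: set(r) for res, r in ROLE_RIGHTS[role].items()}
    if role == "bpedb_datasource":
        if create_tables:
            rights["BPEDB"] |= CREATE_TABLES_RIGHTS
        if auto_schema_update:
            rights["BPEDB"] |= AUTO_UPDATE_RIGHTS
    return rights


def effective_rights(assignment, **opts):
    """Union of rights each real user ID holds once roles are mapped onto it.

    assignment maps role -> user ID. Returns {user_id: {resource: set(rights)}}.
    """
    held = defaultdict(lambda: defaultdict(set))
    for role, user in assignment.items():
        for res, rights in required_rights(role, **opts).items():
            held[user][res] |= rights
    return {user: dict(by_res) for user, by_res in held.items()}


def runtime_escalations(assignment, **opts):
    """DDL rights that a runtime identity holds only because of role sharing.

    Returns a sorted list of (user_id, resource, right); an empty list means no
    server connection carries schema-changing rights that its role does not need.
    """
    held = effective_rights(assignment, **opts)
    findings = set()
    for role in RUNTIME_ROLES.intersection(assignment):
        user = assignment[role]
        needed = required_rights(role, **opts)
        for res, rights in held[user].items():
            for right in (rights - needed.get(res, set())) & DDL_RIGHTS:
                findings.add((user, res, right))
    return sorted(findings)


# Constructed sample plans. High security: one user ID per role.
HIGH_SECURITY = {
    "bpedb_create_db": "db2admin",
    "bpedb_schema_scripts": "bpcowner",
    "bpedb_datasource": "bpcrun",
    "bpeme_datasource": "bpcmerun",
    "jms_bus_auth": "bpcjms",
    "jms_bfm_api": "bpcapi",
    "htm_escalation": "bpcesc",
}
# Low security, as in the example at the start of this task: the user ID that
# created the schema is also used as the data source user name.
LOW_SECURITY = dict(HIGH_SECURITY, bpedb_datasource="bpcowner")

if __name__ == "__main__":
    for name, plan in (("high security", HIGH_SECURITY), ("low security", LOW_SECURITY)):
        hits = runtime_escalations(plan)
        print(f"{name}: {hits if hits else 'no runtime identity holds excess DDL rights'}")
    # Granting the data source user the automatic-update rights shrinks the
    # finding to the schema-level rights the runtime never needs.
    print("low security, auto schema update:",
          runtime_escalations(LOW_SECURITY, auto_schema_update=True))
```

Run it as is to compare the two constructed plans, then edit HIGH_SECURITY to match your own worksheet. An empty result means the plan keeps DDL rights away from every credential the server holds; for a low security system, each reported triple is a right you are consciously accepting, and granting the data source user the automatic schema update rights from step 4 turns that acceptance into an explicit decision rather than a side effect of sharing a user ID.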


Results

You know which user IDs will be required when configuring Business Process Choreographer.