Assigning the superuser by user group
You can assign users to be superusers (or Process Portal administrators) based on user groups.
Before you complete this task, you must have completed the following tasks:
- Enable application security and administrative security. See Enabling security for the Business Space component.
- Check that your user ID is registered in the user registry for your product.
If you previously used user groups to assign the Business Space superuser role, you can switch to the simpler way to assign Business Space superusers by role. See Assigning the superuser role.
A superuser can view, edit, and delete all spaces and pages, can manage and create templates, and can change ownership of a space by changing the owner ID.
If administrative security is enabled when you configure IBM BPM, consider the following information about groups and superusers:
- Users belonging to the special user group, administrators, have a superuser role by default. As a result, the superuser role assignment is handled by user group membership.
- In a single-server environment, the IBM BPM server creates the administrators user group in the default user registry. The administrator ID provided during configuration is automatically added as member of this group.
- In an ND environment, the administrators user group is not created automatically. Use the createSuperUser.py script to create the user group and add members to that group in the default user registry.
- If another user registry (for example, LDAP) is used instead of the default user registry, or if the default user registry is used but you do not want to use the administrators user group, you must identify the user group that you are using for the Process Portal superusers. Verify that the value that you provide can be understood by the user registry.
For example, for LDAP, you might provide a name like cn=administrators,dc=company,dc=com. For more information about identifying this user group, see the instructions for changing the administrators group in the What to do next section.
- For widgets in WebSphere Portal, the default group wpsadmins is also used for the superuser role. Members of this group are granted the superuser role.
Security must be enabled if you want to use widgets in WebSphere Portal.
If administrative security is not enabled when you configure IBM BPM, only the special user ID BPMAdministrator has the superuser role.
If you have an ND environment, run the createSuperUser.py script to assign the superuser role. The script creates the user group and adds members to it. Before you run the script:
- Make sure the default administrators group name is not changed on the administrative console.
- Use the default file-based user repository for the user registry.
- Start the server or the dmgr for your IBM BPM environment for the profile where Process Portal is installed.
Procedure
- Locate the script INSTALL_ROOT\BusinessSpace\scripts\createSuperUser.py for assigning the superuser role to a user.
- Open a command prompt, and change directories to the following directory: profile_root\bin, where profile_root represents the directory for the profile where IBM BPM is installed.
- Type the following command: wsadmin -lang jython -f INSTALL_ROOT\BusinessSpace\scripts\createSuperUser.py user_short_name password where user_short_name is the unique identifier for a user in Virtual Member Manager (VMM), and password is the VMM password for that user. If that user exists in VMM, the user is added to the administrator group.
When the path contains a space, for example, if INSTALL_ROOT is My install dir, you must enclose the path names in quotation marks.
For example, type the following command: wsadmin -lang jython -f "\My install dir\BusinessSpace\scripts\createSuperUser.py" user_short_name_in_VMM.
What to do next
To open the Business Space component, use the following URL: http://host:port/BusinessSpace, where host is the name of the host where your server is running and port is the port number for your server.
You can change the default special user group named administrators. Perform the following steps to check the current group name or change it to another name.
Inspect the value for the metric com.ibm.mashups.adminGroupName in the configuration file:
- profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties on a stand-alone server, or
- deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties on a cluster.
Important: For Windows, when you run the updatePropertyConfig command, the value for the propertyFileName parameter must be the full path to the file, and all backslashes must be double, for example: AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]').
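An added example (not IBM's code and not part of the original page): a Python script that reads ConfigService.properties, reports the two superuser-related settings named on this page, and builds the Jython call with the doubled backslashes required on Windows. The sample file content, the server, node and path values, and the function names are constructed for illustration; treating `administrators` as the default value of the property is an assumption based on the page's wording.

```python
import ntpath
import re

# Constructed sample of ConfigService.properties; values are illustrative only.
SAMPLE = r"""# constructed sample
com.ibm.mashups.adminGroupName = cn=administrators,dc=company,dc=com
noSecurityAdminInternalUserOnly: BPMAdministrator
example.wrapped.key = first,\
    second
"""

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators, continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.lstrip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        # An odd number of trailing backslashes continues the logical line.
        if (len(stripped) - len(stripped.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        pending = ""
        # The key ends at the first unescaped '=', ':' or whitespace, so a DN value
        # such as cn=administrators,dc=company,dc=com keeps its own '=' signs.
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def superuser_settings(props):
    """Report the two settings this page names (assumes 'administrators' is the default)."""
    group = props.get("com.ibm.mashups.adminGroupName")
    return {
        "admin_group": group,
        "default_group": group == "administrators",  # createSuperUser.py expects this
        "no_security_superuser": props.get("noSecurityAdminInternalUserOnly"),
    }

def update_command(server, node, properties_path):
    """Build the Jython call from the page; Windows needs a full path, doubled backslashes."""
    if not ntpath.isabs(properties_path):
        raise ValueError("propertyFileName must be the full path to the file")
    escaped = properties_path.replace("\\", "\\\\")
    return ("AdminTask.updatePropertyConfig('[-serverName %s -nodeName %s "
            "-propertyFileName \"%s\" -prefix \"Mashups_\"]')" % (server, node, escaped))

if __name__ == "__main__":
    print(superuser_settings(parse_properties(SAMPLE)))
    # Constructed path and names for illustration.
    print(update_command("server1", "node01", r"C:\bpm\BusinessSpace\node01\server1"
                         r"\mm.runtime.prof\config\ConfigService.properties"))
```

Running the report before and after a change gives a record of which group holds the superuser role, and `default_group` shows whether the precondition for createSuperUser.py (an unchanged administrators group name) still holds.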
If you want to change an administrative group on a stand-alone server:
- Verify that the group exists in the user repository.
- Modify the metric com.ibm.mashups.adminGroupName in the configuration file profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the profile: $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the server.
If you want to change an administrative group on a cluster:
- Verify that the group exists in the user repository.
- Modify the metric com.ibm.mashups.adminGroupName in the configuration file deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the deployment environment profile: $AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the dmgr.
If you want to change the superuser when security is not enabled on a stand-alone server:
- Modify the metric noSecurityAdminInternalUserOnly in the configuration file profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the profile: $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the server.
If you want to change the superuser when security is not enabled on a cluster:
- Modify the metric noSecurityAdminInternalUserOnly in the configuration file deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the deployment environment profile: $AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the dmgr.