IBM BPM, V8.0.1, All platforms > Securing IBM BPM and applications > Get started with security > Understanding elements of application security
Access control
When authenticating a user for IBM BPM, it is important for security purposes that access to all operations is not automatically be granted to that user. Allowing some users to perform certain operations, while denying access to those same operations for other users, is termed access control.
Access control can be arranged for components that you develop to make them secure. You provide access control for components by using service component architecture qualifiers at development time.
Some IBM BPM components, packaged as enterprise archive (EAR) files, secure their operation using Java EE role-based security. In contrast to code-based security, which secures the operation of components, role-based access control secures resources.
For example, in the Business Calendars widget, you can specify the type of access that users have to individual timetables.
Security Roles widget
Use the Security Roles widget in Business Space to specify, for each timetable, the owner of the timetable as well as those who have writer and reader access to the timetable.
The following table shows the administrative roles and their default permissions:
| Roles | Default permission |
|---|---|
| BPMAdmin | Primary administrative user |
| BPMRoleManager | All authenticated users |
EAR files and associated roles
The Business Process Choreographer and the Common Event Infrastructure are installed as part of IBM BPM.
| Name of .ear file | Role | Default |
|---|---|---|
| BPEContainer_ nodeName_ serverName.ear
OR BPEContainer_ clusterName | APIUser | All Authenticated |
| SystemAdministrator | None | |
| SystemMonitor | None | |
| JMSAPIUser | All Authenticated | |
| AdminJobUser | All Authenticated | |
| JAXWSAPIUser | Everyone | |
| BPCExplorer_ nodeName_ serverName.ear
OR BPCExplorer_ clusterName | WebClientUser | All Authenticated |
| BPCArchiveExplorer_ nodeName_ serverName.ear
OR BPCArchiveExplorer_ clusterName | WebClientUser | All Authenticated |
| BSpaceEAR_ nodeName_ server.ear | businessspaceusers | All Authenticated |
| BSpaceForms_ nodeName_ server.ear | WebFormUsers | All Authenticated |
| BusinessRulesManager.ear | BusinessRuleUsers | All Authenticated |
| NoOne | None | |
| AnyOne | Everyone | |
| BusinessRules_ nodeName_ server.ear | Administrator | All Authenticated |
| EventService.ear | eventAdministrator | All Authenticated |
| eventConsumer | All Authenticated | |
| eventUpdater | All Authenticated | |
| eventCreator | All Authenticated | |
| catalogAdministrator | All Authenticated | |
| catalogReader | All Authenticated | |
| mm.was_ nodeName_ server.ear | All Authenticated | All Authenticated |
| everyone | Everyone | |
| REST Services Gateway.ear | RestServicesUser | All Authenticated |
| REST Services Gateway Dmgr .ear | RestServicesUser | All Authenticated |
| TaskContainer_ nodeName serverName.ear
OR TaskContainer_ clusterName | APIUser | All Authenticated |
| SystemAdministrator | None | |
| SystemMonitor | None | |
| EscalationUser | All Authenticated | |
| AdminJobUser | All Authenticated | |
| JAXWSAPIUser | Everyone | |
| wpsFEMgr_7.0.0 Security | WBIOperator | Everyone |
Business Process Choreographer Java EE roles
The following table lists Business Process Choreographer Java EE roles:
| Component | Roles | Value |
|---|---|---|
| BPEContainer | BPEAPIUser | All authenticated users |
| BPESystemAdministrator | User names, group names, or both, entered during configuration | |
| BPESystemMonitor | All authenticated users | |
| JMSAPIUser | User name entered during configuration | |
| AdminJobUser | User name entered during configuration | |
| JAXWSAPIUser | Everyone | |
| TaskContainer | TaskAPIUser | All authenticated users |
| TaskSystemAdministrator | SystemAdministrator | |
| TaskSystemMonitor | SystemMonitor | |
| EscalationUser | EscalationUser | |
| AdminJobUser | AdminJobUser | |
| JAXWSAPIUser | Everyone |
RunAs roles
In addition, applications make use of securityIdentity or RunAs roles as follows:
| .ear file | Java EE Role |
|---|---|
| BPEContainer_ nodeName serverName.ear | JMSAPIUser
AdminJobUser |
| TaskContainer_ nodeName serverName.ear | EscalationUser
AdminJobUser |
- Access control in business process and human task applications
Business Process Choreographer, which is installed as part of the IBM BPM installation, uses roles to determine the capabilities of the user on a production system.
Understanding elements of application security
Related concepts:
Securing access to timetables in the Business Calendars widget
Administrative security roles