IBM BPM, V8.0.1, All platforms
Security considerations
This section contains information that you need to know when determining how security will be implemented in standalone and network deployment environments in IBM BPM.
For more information about registries and repositories, see Selecting a registry or repository.
Table: Security considerations for IBM BPM

Security consideration: User Registry setup

Standalone environment:
The User Registry is federated across the file registry and the Process Center internal User Registry (which points to the database). If the User Registry configuration is modified, then the new registry should be federated with the internal User Registry. If the User Registry setup is modified, follow the instructions that require the new registry to be pre-populated with the out-of-the-box users.

Network deployment environment:
The User Registry is federated across the file registry. If the User Registry setup is modified, follow the instructions that require the new registry to be pre-populated with the internal users.

Security consideration: Management of users and groups for IBM BPM Advanced

Standalone environment:
Internal users and groups: Internal users and groups are managed through the Process Admin Console.
User-defined users and groups: With the out-of-the-box User Registry setup, users can be created using the Process Admin Console or the WebSphere Application Server administrative console. Note the following considerations:
- Users and groups created in the Process Admin Console are stored in the internal User Registry, whereas those created in the WebSphere Application Server administrative console are stored in the file registry.
- When users and groups are synchronized in the Process Admin Console or at server startup, the users and groups from the file registry are synchronized to the internal User Registry.
- The User and Group management in the Process Admin Console creates, modifies, and deletes users and groups from the internal User Registry. It does not manage the users and groups from the file registry.
- The users and groups created in the file registry can be added as members of the groups in the internal User Registry. The groups in the internal User Registry are not visible to the WebSphere Application Server administrative console, business process component, Business Space, or business calendars.
- The users and groups created in the WebSphere Application Server administrative console are stored in the file registry.
- The users in the internal User Registry are visible to the WebSphere Application Server administrative console "Manage Users", but they cannot be modified or deleted from the WebSphere Application Server administrative console.
- These users cannot be added as members to the groups of the file registry. The groups in the internal User Registry are not visible to the WebSphere Application Server administrative console.

Network deployment environment:
Internal users and groups: Internal users are managed through the WebSphere Application Server administrative console, while internal groups are managed through the Process Admin Console.
User-defined users and groups: Users and groups are managed using the WebSphere Application Server administrative console.

Security consideration: Management of users and groups for IBM BPM Standard

Standalone environment:
Internal users and groups: The internal users and groups are managed through the Process Admin Console.
User-defined users and groups: User-defined users and groups are managed using the Process Admin Console. Note the following considerations:
- Users and groups created in the Process Admin Console are stored in the internal User Registry.
- You can grant administrative access to IBM BPM by adding pre-existing groups of users from your external User Registry to tw_admins, which is the IBM BPM security group whose members have administrative access to IBM BPM by default.
- When changes are required, you can simply add or remove individual users from the groups that exist in your external User Registry. This practice ensures that the security maintenance you perform in your external provider does not require additional work in IBM BPM.

Network deployment environment:
Internal users and groups: Internal users are managed through the WebSphere Application Server administrative console, while internal groups are managed through the Process Admin Console.
User-defined users and groups: Users and groups are managed using the WebSphere Application Server administrative console.