IBM BPM, V8.0.1, All platforms > Securing IBM BPM and applications
Securing access to Common Event Infrastructure functions
You can use WebSphere method-level declarative security to secure access to Common Event Infrastructure functions.
Common Event Infrastructure defines six security roles, each one associated with a related group of functions. These security roles control access to both programming interfaces and commands.
The following table describes the security roles and the types of users associated with each role.
Security roles and user types

Security role: eventCreator
User types: Event sources that need to submit events to an emitter using synchronous EJB calls. This role provides access to the following interfaces:
- Emitter.sendEvent()
- Emitter.sendEvents()
- eventemit command
Note: The eventCreator role restricts access to event submission only if the emitter is configured to use synchronous EJB calls for event transmission. If the emitter uses asynchronous JMS messaging for event transmission, use JMS security to restrict access to the destination used to submit events.

Security role: eventUpdater
User types: Event consumers that need to update events stored in the event database. This role provides access to the following interfaces:
- EventAccess.updateEvents()
- EventAccess.eventExists()
- EventAccess.queryEventByGlobalInstanceId()
- EventAccess.queryEventsByAssociation()
- EventAccess.queryEventsByEventGroup()
- eventquery command

Security role: eventConsumer
User types: Event consumers that need to query events stored in the event database. This role provides access to the following interfaces:
- EventAccess.eventExists()
- EventAccess.queryEventByGlobalInstanceId()
- EventAccess.queryEventsByAssociation()
- EventAccess.queryEventsByEventGroup()
- eventquery command

Security role: eventAdministrator
User types: Event consumers that need to query, update, and delete events stored in the event database. This role provides access to the following interfaces:
- EventAccess.purgeEvents()
- EventAccess.eventExists()
- EventAccess.queryEventByGlobalInstanceId()
- EventAccess.queryEventsByAssociation()
- EventAccess.queryEventsByEventGroup()
- EventAccess.updateEvents()
- Emitter.sendEvent()
- Emitter.sendEvents()
- eventquery command
- eventpurge command
- eventemit command
- eventbucket command

Security role: catalogReader
User types: Event catalog applications that need to retrieve event definitions from the event catalog. This role provides access to the following interfaces:
- EventCatalog.getAncestors()
- EventCatalog.getChildren()
- EventCatalog.getDescendants()
- EventCatalog.getEventDefinition()
- EventCatalog.getEventDefinitions()
- EventCatalog.getEventExtensionNamesForSourceCategory()
- EventCatalog.getEventExtensionToSourceCategoryBindings()
- EventCatalog.getParent()
- EventCatalog.getRoot()
- EventCatalog.getSourceCategoriesForEventExtension()
- eventcatalog command (-listdefinitions option)
- eventcatalog command (-listcategories option)
- eventcatalog command (-exportdefinitions option)

Security role: catalogAdministrator
User types: Event catalog applications that need to create, update, delete, or retrieve event definitions in the event catalog. This role provides access to all methods of the EventCatalog interface and all functions of the eventcatalog command. Because changes to the event catalog can result in generation of events, this role also provides access to event submission interfaces.

The event service message-driven bean runs using the server user identity. If you are using asynchronous JMS transmission to submit events to the event service, and you have enabled method-based security, you must map this user identity to the eventCreator role:
1. From the Process Server administrative console, select Service integration > Common Event Infrastructure > Event service.
2. Select Map security roles to users or groups.
3. Select the permission for the role.
4. Save your changes to the master configuration.
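The mapping step above decides which interfaces each identity may call. As an added example (not IBM code), the following Python encodes the four event roles from the table and audits a constructed set of role mappings for least privilege, flagging an identity mapped to a role wider than its usage needs (for instance the server identity of the event service bean, which only needs eventCreator) or one whose role does not cover what it calls. The role and function names come from the page; the identities and their usage data are assumptions.

```python
# Least-privilege audit of CEI security role mappings (added example, not IBM code).
# ROLE_FUNCTIONS mirrors the event roles in the table above; the identities in
# SAMPLE_MAPPINGS and SAMPLE_USAGE are constructed, not real WebSphere principals.
from typing import Dict, List, Optional, Set

QUERY_FUNCTIONS = {
    "EventAccess.eventExists", "EventAccess.queryEventByGlobalInstanceId",
    "EventAccess.queryEventsByAssociation", "EventAccess.queryEventsByEventGroup",
    "eventquery",
}
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "eventCreator": {"Emitter.sendEvent", "Emitter.sendEvents", "eventemit"},
    "eventConsumer": set(QUERY_FUNCTIONS),
    "eventUpdater": QUERY_FUNCTIONS | {"EventAccess.updateEvents"},
}
# eventAdministrator is the union of the three roles above plus purge and bucket.
ROLE_FUNCTIONS["eventAdministrator"] = (
    ROLE_FUNCTIONS["eventCreator"] | ROLE_FUNCTIONS["eventUpdater"]
    | {"EventAccess.purgeEvents", "eventpurge", "eventbucket"}
)

def minimal_role(needed: Set[str]) -> Optional[str]:
    """Narrowest single role whose function set covers everything in `needed`."""
    candidates = [r for r, fns in ROLE_FUNCTIONS.items() if needed <= fns]
    if not candidates:
        return None
    return min(candidates, key=lambda r: len(ROLE_FUNCTIONS[r]))

def audit(mappings: Dict[str, str], usage: Dict[str, Set[str]]) -> List[str]:
    """Flag identities whose mapped role is wider than their observed usage needs,
    or whose usage the mapped role does not cover at all."""
    findings: List[str] = []
    for identity, role in mappings.items():
        needed, granted = usage.get(identity, set()), ROLE_FUNCTIONS[role]
        if not needed <= granted:
            findings.append(f"{identity}: {role} does not cover {sorted(needed - granted)}")
            continue
        best = minimal_role(needed)
        if best is not None and best != role:
            excess = sorted(granted - ROLE_FUNCTIONS[best])
            findings.append(f"{identity}: mapped to {role}, but {best} suffices; excess {excess}")
    return findings

# Constructed sample: the event service bean's server identity only submits events
# but was mapped to eventAdministrator; the archiver's role does not cover purging.
SAMPLE_MAPPINGS = {"cei_server_identity": "eventAdministrator",
                   "monitor_app": "eventConsumer", "archiver": "eventConsumer"}
SAMPLE_USAGE = {"cei_server_identity": {"Emitter.sendEvent"},
                "monitor_app": {"EventAccess.queryEventsByEventGroup"},
                "archiver": {"EventAccess.purgeEvents", "eventpurge"}}
```

Running `audit(SAMPLE_MAPPINGS, SAMPLE_USAGE)` reports the over-privileged server identity and the archiver whose role cannot purge, and nothing for the correctly mapped monitor application.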
Security: If your event source is running with Java™ security enabled, and you want to generate your own globally unique identifiers (GUIDs), you must modify your policy file to enable correct processing. Add the following entries:
    permission java.io.FilePermission "${java.io.tmpdir}${/}guid.lock", "read, write, delete";
    permission java.net.SocketPermission "*", "resolve";
Related tasks:
Configure the Common Event Infrastructure server
Configure the JMS authentication alias