WebSphere Lombardi Edition 7.2 > Administer the Lombardi environments > Manage Lombardi Process Servers


Manage Lombardi users


Understand Lombardi security

IBM WebSphere Lombardi Edition includes an internal security provider, which you can use to create and maintain Lombardi users and groups as outlined in the following sections. You can use the internal Lombardi security provider in conjunction with an external LDAP security provider (such as Active Directory) that you have registered with the Lombardi embedded application server. To learn how to configure Lombardi to work with your external provider, see the Lombardi Installation and Configuration Guide appropriate for your environment.

The Lombardi internal security provider includes several default users and groups.

Do not remove the default Lombardi administrator account, tw_admin, or the default administrator group, tw_admins. Administration of Lombardi is not possible without these default accounts.

When you use the internal Lombardi security provider in conjunction with an external provider, the users and groups from both providers are available for selection throughout Lombardi. The following table describes where these user accounts are made available in Lombardi:

| Task | Interface | To learn more |
| --- | --- | --- |
| Granting access to the Lombardi repository | Process Center Console | See Manage access to the Process Center repository in the Authoring Environment User Guide or online help. |
| Binding users to participant groups during process development | Designer in Authoring Environment | See Create a participant group in the Authoring Environment User Guide or online help. |
| Binding users to participant groups at run time | Process Admin Console | See Configure installed snapshots. |

Go to the Process Admin console and log in.


Set up user accounts

The best way to manage security in Lombardi is by using groups. For example, the best way to grant administrative access to Lombardi is to add pre-existing groups of users from your external security provider to tw_admins, which is a Lombardi security group whose members have administrative access to Lombardi by default. Then, when changes are required, you can simply add or remove individual users from the groups that exist in your external security provider. This practice ensures that the security maintenance you perform in your external provider does not require additional work in Lombardi.

When initially configuring Lombardi, you should complete tasks similar to the following to set up your users:

| Task | Interface | To learn more |
| --- | --- | --- |
| 1. Start the Process Admin console and log in using the default administrative account (tw_admin). | Process Admin Console | See Access the Process Admin console |
| 2. (Optional) Create the different types of users and groups that your users will need in Lombardi. | Process Admin Console | See Maintain users and Maintain groups |
| 3. Add members to the default Lombardi groups or groups that you have created. You can add users and groups from any configured external provider (such as LDAP) and internal Lombardi users and groups. To learn how to configure Lombardi to work with your external provider, see the Lombardi Installation and Configuration Guide appropriate for your environment. | Process Admin Console | See Manage group membership |
| 4. Open your web browser to http://[host_name]:[port]/ProcessCenter and log in using the default administrative account (tw_admin). | Process Center Console | See Start Lombardi Authoring Environment in the Authoring Environment User Guide or online help |
| 5. In the Process Center Console, add the users and groups who need access to the repository, grant administrative access to the appropriate users, and then establish who can access each process application and toolkit. The best way to grant access to the repository is to add members to the default Lombardi group, tw_authors. | Process Center Console | See Manage access to the Process Center repository in the Authoring Environment User Guide or online help |


Maintain users

To create Lombardi users:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the User Management option.

  3. In the User Management > Maintain User Settings dialog, enter a user name, a full name, and a password.

    Passwords must meet the following requirements:

    Must include at least six characters.
    Must not be the same as the user name.
    Must not be the same as the existing password.
    Must be different from the three most recently used passwords.

  4. Enter the password a second time to confirm it.

  5. Click the Add button.

To update Lombardi users by changing password or other account settings:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the User Management option.

  3. In the User Management > Maintain User Settings dialog, enter a complete or partial user name (like tw_a) in the Retrieve Profile field.

  4. Click the Retrieve button.

  5. Change settings as required and click the Update button.

To delete Lombardi users:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the User Management option.

  3. In the User Management > Maintain User Settings dialog, enter a complete or partial user name (like tw_a) in the Retrieve Profile field.

  4. Click the Retrieve button.

    Select the account that you want from the Internal Lombardi Users list.

  5. Click the Delete button.


Maintain groups

If you have configured Lombardi to work with your external security provider, you can view the groups from that external provider in the Process Admin console, but you cannot edit the external groups. You can, however, add users and groups from your external provider to any Lombardi security groups that you create.

To create Lombardi groups:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the Group Management option.

  3. In the Group Management dialog, click the New Group option.

  4. In the Create Group pop-up dialog, enter a name and a description for the group and click the Save button.

    You can add members to the new group.

To delete Lombardi groups:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the Group Management option.

  3. In the Group Management dialog, enter a partial or complete group name in the Select Group to Modify text box.

  4. In the list of groups displayed, click the Remove icon for the group that you want to delete.

    The group is removed from the list and is no longer available in Lombardi.


Manage group membership

When you create a group in Lombardi, you can add users and groups from your external security provider to the Lombardi group. You can also add Lombardi users and groups, which enables you to combine accounts from different providers into one group.

In addition to managing group membership, you can designate a Team Manager Group for each group. This enables you to establish a hierarchy for the My Team Performance scoreboard available in Lombardi Process Portal.

To add members to Lombardi groups:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the Group Management option.

  3. In the Group Management dialog, enter a partial or complete group name in the Select Group to Modify text box.

  4. From the list of groups displayed, click the group that you want to update.

  5. Click the Add Members option (displayed next to the selected group).

  6. In the Add Users and Groups pop-up dialog, enter the name of the user or group that you want to add in the Search for Name field. You can enter part of the name and Lombardi displays all accounts that match.

    The added users and groups now show as members of the selected group.

To designate a Team Manager group for a group:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the Group Management option.

  3. In the Group Management dialog, enter a partial or complete group name in the Select Group to Modify text box.

  4. From the list of groups displayed, click the group for which you want to designate a Team Manager.

  5. Enter a partial or complete group name in the Team Manager Group text box, and then select the group that you want from the drop-down list.

When you establish a Team Manager Group, that group is above the other chosen group in the hierarchy for the My Team Performance scoreboard available in Lombardi Process Portal. The Team Manager Group can view data for the group directly below it in the hierarchy. For example, if a group named Directors is the Team Manager Group for another group named Managers, the members of the Directors group can view statistics for the Managers group in the My Team Performance scoreboard. For more information, see the Reporting section in Lombardi Authoring Environment User Guide or online help.

To remove users from Lombardi groups:

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the Group Management option.

  3. In the Group Management dialog, enter a partial or complete group name in the Select Group to Modify text box.

  4. From the list of groups displayed, click the group that you want to update.

    The Process Admin Console lists the members of the group.

  5. Click the Remove icon for the users and groups that you want to remove.

    The removed users and groups are no longer displayed in the list of members and are removed from the selected group.


Manage default users and groups

The Lombardi internal security provider includes the following default users:

| Default user account | Default password | Description |
| --- | --- | --- |
| tw_admin | tw_admin | Provides full access to all Lombardi interfaces, enabling users to alter or delete all types of available library items and assets including process applications and toolkits. This account also enables administration of Process Servers, Performance Data Warehouses, and internal Lombardi users and groups. Do not remove this account. Administration of Lombardi is not possible without this account. You can change the password for this account. See Lombardi Installation and Configuration Guide. |
| tw_author | tw_author | Provides access to the Designer and other interfaces in Lombardi Authoring Environment, including Process Center Console. Users who log in to Process Center Console as tw_author can create process applications and toolkits and control access to those projects. Access to other process applications and toolkits (projects) and the assets they contain is controlled by Process Center repository administrators. See Manage access to the Process Center repository in the Authoring Environment User Guide or online help. |
| tw_portal_admin | tw_portal_admin | Provides direct access to Process Admin console from Process Portal via an Admin link at the top right of the portal. Clicking the provided link opens Process Admin console in a new browser window. Searches saved by this user in Lombardi Process Portal can be shared with other portal users. |
| tw_runtime_server | tw_runtime_server | For runtime environments, used to connect to the designated Process Center. This is the default account specified in [Lombardi_home]/process-server/config/system/99Local.xml. See Connecting a runtime environment to a Process Center in the WebSphere Lombardi Edition Runtime Installation and Configuration Guides. |
| tw_user | tw_user | Provides a default account for Lombardi users who are not authors or administrators. Authors can add the tw_user account to the participant groups that they create in the Designer in Lombardi Authoring Environment to enable other Lombardi users to run processes and services in the Inspector. |
| tw_webservice | tw_webservice | The tw_webservice user account is invoked when a Web service implemented in Lombardi is not protected. This account is publicly available and so you may want to change it. To do so, copy the entire <webservices> section from the 99Local.xml file, edit it to change the tw_webservice user name and password, and copy the changes to the 100Custom.xml file. You can find these files in: [Lombardi_home]/process-server/config |

The Lombardi internal security provider includes the following default groups:

| Default group | Users included by default | Description |
| --- | --- | --- |
| tw_admins | tw_admin | Members have full access to all Lombardi interfaces, assets, servers, and security. Do not remove this group. Administration of Lombardi is not possible without this group. |
| tw_authors | tw_admin, tw_author | Members have access to the Designer and other interfaces in Lombardi Authoring Environment, including Process Center Console. From Process Center Console, members can create process applications and toolkits and control access to those projects. Access to other process applications and toolkits (projects) and the assets they contain is controlled by Process Center repository administrators. See Manage access to the Process Center repository in the Authoring Environment User Guide or online help. |
| tw_portal_admins | tw_portal_admin | Members have the ability to directly access Process Admin console from Process Portal via an Admin link at the top right of the portal. Clicking the provided link opens Process Admin console in a new browser window. Also, when members save searches in Lombardi Process Portal, those searches can be accessed by other portal users. |
| Debug | tw_admin | Can be used to restrict access to service debugging in the Inspector in Lombardi Authoring Environment. |
| tw_allusers | tw_admin, tw_author, tw_portal_admin, tw_user, tw_webservice | This group is the default lane assignment for non-system lanes when creating business process definitions (BPDs) in the Designer in Lombardi Authoring Environment. Plus, the reports and scoreboards that you create in the Designer are exposed to this group by default. For more information, see the Authoring Environment User Guide or online help. |


Synchronize with an external security provider

Some Lombardi functionality requires current data from your external security provider to function properly. If you see unexpected results with the routing of activities, team data in scoreboards, or other aspects of Lombardi that may be caused by a lag between Lombardi and your external security provider, you can use the Synchronization option in Process Admin Console to resolve those issues.

  1. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.

  2. Click the User Synchronization option.

  3. In the User Management > Synchronize dialog, you can:

    | Action | Results |
    | --- | --- |
    | Click the Full Synchronize button | Synchronizes Lombardi with all user accounts in your configured external provider. |
    | Click the Add button, enter a user name, and repeat this action to create a list of user names. Then click the Synchronize button. | Synchronizes Lombardi with the user accounts in the created list. |


Restricting installation access to runtime servers

The following procedure describes how to restrict the users who can install snapshots of process applications to runtime servers that are online.

By default, to install to runtime servers that are online, you must have access to the process application that you want to install as follows: administrative access to install to Process Servers in Production environments; write access to install to any non-production Process Server; read access to install to Process Servers in Development environments. See Install process applications: online Process Servers in the Authoring Environment User Guide or online help.

  1. Access the host of the online Lombardi Process Server that you want to configure.

  2. Stop the Lombardi Process Server.

  3. Open the [Lombardi_home]/process-server/config/100Custom.xml file.

  4. Add the following property to the <server> tag in the 100Custom.xml file that you opened in the previous step:

    <process-center-install-group>[group_name]</process-center-install-group>

    Where [group_name] is the group of users to whom you want to grant this access. You can use an existing group or create a new one.

    Your 100Custom.xml file should look like the following example when you are finished with your edits:

  5. Start the Lombardi Process Server.
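
Steps 3 and 4 of the procedure above, as an added Python example that is not part of the original IBM page: it sets the process-center-install-group property under the <server> tag in the text of a 100Custom.xml file and reads it back to confirm the restriction. The <properties> root, the merge attribute, the <constructed-setting> element and the group name tw_deployers are assumptions made for the constructed sample.

```python
import xml.etree.ElementTree as ET

TAG = "process-center-install-group"

# Constructed sample of 100Custom.xml text. The <properties> root, the merge
# attribute and <constructed-setting> are assumptions, not taken from the page.
SAMPLE_100CUSTOM = """<properties>
  <server merge="mergeChildren">
    <constructed-setting>kept</constructed-setting>
  </server>
</properties>"""


def get_install_group(xml_text):
    """Return the configured install group, or None when the property is unset."""
    server = next(ET.fromstring(xml_text).iter("server"), None)
    if server is None:
        return None
    value = (server.findtext(TAG) or "").strip()
    return value or None


def set_install_group(xml_text, group_name):
    """Return xml_text with exactly one install-group property under <server>."""
    group_name = group_name.strip()
    if not group_name or group_name.startswith("["):
        raise ValueError("use a real group name, not the [group_name] placeholder")
    root = ET.fromstring(xml_text)  # note: XML comments are dropped on parse
    server = next(root.iter("server"), None)
    if server is None:
        raise ValueError("no <server> element to add the property to")
    matches = server.findall(TAG)
    for duplicate in matches[1:]:  # collapse repeated entries into one
        server.remove(duplicate)
    node = matches[0] if matches else ET.SubElement(server, TAG)
    node.text = group_name
    ET.indent(root, space="  ")  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # tw_deployers is a hypothetical group name used only for this example.
    print(set_install_group(SAMPLE_100CUSTOM, "tw_deployers"))
```

Run it against a copy of the file while the Process Server is stopped, and keep the original as a backup because comments in the file are not preserved.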
