IBM BPM, V8.0.1, All platforms > Securing IBM BPM and applications
Manage IBM BPM users and groups
The way that IBM BPM handles security for users and groups depends on whether you are using IBM BPM Advanced or IBM BPM Standard.
IBM BPM Standard includes an internal security provider, which you can use to create and maintain IBM BPM users and groups as outlined in the following sections. You can also use the internal IBM BPM security provider in conjunction with an external security provider (such as LDAP with Microsoft Active Directory) that you have registered with the IBM BPM embedded application server.
The IBM BPM internal security provider includes several default users and groups.
Do not remove the default IBM BPM administrator account, tw_admin, or the default administrator group, tw_admins. Administration of IBM BPM is not possible without these default accounts.
When you use the internal IBM BPM security provider in conjunction with an external provider, the users and groups from both providers are available for selection from IBM BPM Standard components. Users from the internal provider cannot be added to groups from an external provider.
For network deployment (ND) environments, the internal security provider manages groups only; it does not manage users. The users are managed by the federated file repository.
The following table describes where these user accounts are made available in IBM BPM:
| Task | Interface | To learn more... |
| --- | --- | --- |
| Granting access to the repository | Process Center Console | See "Managing access to the Process Center repository" in the related links. |
| Binding users to participant groups during process development | Designer in Process Designer | See "Creating a participant group" in the related links. |
| Binding users to participant groups at run time | Process Admin Console | See "Configuring installed snapshots" in the related links. |
- Creating and maintaining users for a stand-alone server
You can use the Process Admin Console to create, update and delete users for a stand-alone server.
- Creating and maintaining users for a deployment environment server
You can use the IBM WebSphere administrative console to create and configure user accounts for a deployment environment server. A deployment environment is an environment in which server processes, which are typically on different physical computer systems, are managed together.
- Creating and managing groups
If you have configured IBM BPM to work with an external security provider, you can view the groups from that external provider in the Process Admin Console, but you cannot edit the external groups. You can, however, add users and groups from your external provider to any IBM BPM security groups created. You can also combine accounts from different providers into one group.
- Assigning user attributes
In the Designer in IBM Process Designer, you can create user attribute definitions to associate unique capabilities or qualities with one or more users. The Process Admin Console enables you to assign existing user attributes to multiple users simultaneously.
- Modify authentication aliases
Existing authentication aliases can be modified from the administrative console and by running the administrative task.