Selecting the user repository for Process Portal
The federated repositories option is the default user account repository option for profiles. You can change the type of user account repository if needed for your environment.
Before you begin
- Enable application security and administrative security. See Enabling security for the Business Space component.
- Check that your user ID is registered in the user registry for your product.
About this task
To enable authenticated access to Process Portal, you must have a user registry configured and application security enabled. For information about application security, see Enabling security for the Business Space component.
- Based on the type of LDAP configuration that you are using, your settings can impact your ability to access Business Space correctly. Make sure that the user filters, the group filters, and mapping settings are configured properly. For more information, see Configuring Lightweight Directory Access Protocol search filters in the WebSphere Application Server documentation.
- Based on the type of federated repository configuration that you are using, your settings can affect your ability to access Business Space correctly. Make sure that the realms are configured properly. For more information, see Managing the realm in a federated repository configuration in the WebSphere Application Server documentation.
- The LDAP security is set up by default to use the login property uid (user ID) for searching in Business Space. If your LDAP security is changed to use another unique LDAP field, such as mail (email address) for the login property, then you must modify the userIdKey property in the ConfigServices.properties file in order for searching to work in Business Space. Follow step 3 below.
- Process implementations must use user and group name forms that match the form of the name being returned from the configured registry.
Some user registry configurations expose user and group names in a long form. For example, the Lightweight Directory Access Protocol (LDAP) registry uses the long form ("cn=User1,ou=test,o=ibm,c=us"). Other configurations expose user and group names in a short form ("User1").
When users and groups are assigned to participant groups in a process, either the short form or the long form is used. If you switch to a different user registry configuration, your existing process implementations stop working if the new user registry configuration uses a different form for the names. A stand-alone LDAP registry returns group names in the long name format, while a federated repository returns only the short names.
- If you are using a Microsoft SQL Server database and the Standalone LDAP registry, make sure that the user distinguished name (user DN) does not exceed 450 characters. If any of the user DN entries exceed 450 characters, you must designate the Federated repositories option for the user account repository.
- If you are using Federated repositories, you have additional capabilities in your widgets and framework, such as enhanced search capabilities. When searching for users to share spaces and pages, the search scope includes email, a full user name, and user ID.
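As an added check for the 450-character user DN limit described above (example code written for this page, not IBM's own tooling): it parses an LDIF export of the directory, joins continuation lines, and reports person entries whose DN exceeds the limit. The LDIF content below is constructed for the demonstration.

```python
MAX_USER_DN_LENGTH = 450  # limit for SQL Server with the stand-alone LDAP registry

# Constructed LDIF export for demonstration; the second entry's DN is padded past the limit.
SAMPLE_LDIF = (
    "dn: uid=user1,ou=test,o=ibm,c=us\n"
    "objectClass: inetOrgPerson\n"
    "uid: user1\n"
    "\n"
    "dn: uid=user2,ou=" + "x" * 440 + ",o=ibm,c=us\n"
    "objectClass: inetOrgPerson\n"
    "uid: user2\n"
    "\n"
    "dn: cn=Group1,ou=groups,o=ibm,c=us\n"
    "objectClass: groupOfNames\n"
)

def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_ldif(text):
    """Return a list of (dn, attributes) per entry. Base64 values ('attr::') are not decoded."""
    entries, attrs, dn = [], {}, None
    for line in unfold_ldif(text) + [""]:  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name, []).append(value.strip())
    return entries

def oversized_user_dns(text, limit=MAX_USER_DN_LENGTH):
    """(dn, length) for each person entry whose DN is longer than the limit."""
    hits = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "inetorgperson" in classes and len(dn) > limit:
            hits.append((dn, len(dn)))
    return hits
```

Run `oversized_user_dns` over the text of your own export; any hit means the Federated repositories option must be used instead of the stand-alone LDAP registry.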
Procedure
What to do next
- To set authorization to pages and spaces in Process Portal, you can manage authorization when creating the pages and spaces.
- To designate who can perform administrator actions in Process Portal, see Assigning the superuser role.
If you find the following errors in the SystemOut.log file, you might have extra attributes in your user registry that cannot be processed:
00000046 SystemErr R Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1013E
The value of the property secretary is not valid for entity uid=xxx,c=us,ou=yyy,o=ibm.com.
00000046 SystemErr R at com.ibm.ws.wim.adapter.ldap.LdapAdapter.setPropertyValue(LdapAdapter.java:3338)
To work around this, set the following properties in the ConfigServices.properties file:
com.ibm.mashups.user.userProfile = LIMITED
com.ibm.mashups.user.groupProfile = LIMITED
The ConfigServices.properties file is located at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for a cluster. After modifying the ConfigServices.properties file, run the updatePropertyConfig command using the wsadmin scripting client by following the instructions in step 4.d.
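Added example (not from the IBM documentation): a Python check that scans SystemOut.log text for the CWWIM1013E message shown above, reports which registry attributes could not be processed and for which entities, and reports which of the two LIMITED settings a ConfigServices.properties file does not yet contain. The log excerpt is constructed from the lines on this page; reading the actual files is left to the caller.

```python
import re
from collections import defaultdict

# Message form from the page's SystemOut.log excerpt; \s+ lets the text wrap onto the next line.
CWWIM1013E = re.compile(
    r"CWWIM1013E\s+The value of the property\s+(?P<prop>\S+)"
    r"\s+is not valid for entity\s+(?P<entity>[^\r\n]+)"
)

# The two settings the text gives for limited user and group profiles.
LIMITED_PROFILE_SETTINGS = {
    "com.ibm.mashups.user.userProfile": "LIMITED",
    "com.ibm.mashups.user.groupProfile": "LIMITED",
}

# Constructed log excerpt modeled on the page's lines (not a real log).
SAMPLE_LOG = """\
00000046 SystemErr R Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1013E
The value of the property secretary is not valid for entity uid=xxx,c=us,ou=yyy,o=ibm.com.
00000046 SystemErr R at com.ibm.ws.wim.adapter.ldap.LdapAdapter.setPropertyValue(LdapAdapter.java:3338)
00000052 SystemErr R Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM1013E
The value of the property secretary is not valid for entity uid=zzz,c=us,ou=yyy,o=ibm.com.
00000060 SystemErr R CWWIM1013E The value of the property photo is not valid for entity uid=xxx,c=us,ou=yyy,o=ibm.com.
"""

def unprocessable_attributes(log_text):
    """Map each property named in a CWWIM1013E message to the set of entity DNs it was reported for."""
    found = defaultdict(set)
    for m in CWWIM1013E.finditer(log_text):
        entity = m.group("entity").strip().rstrip(".")  # drop the sentence-ending period
        found[m.group("prop")].add(entity)
    return dict(found)

def missing_limited_settings(properties_text):
    """Keys from LIMITED_PROFILE_SETTINGS that the properties text does not already set to LIMITED."""
    current = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return [k for k, v in LIMITED_PROFILE_SETTINGS.items() if current.get(k) != v]
```

A non-empty result from `unprocessable_attributes` names the attributes to review in the registry; a non-empty result from `missing_limited_settings` lists the entries still to add before running updatePropertyConfig.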
If you have Java EE security enabled in a cluster, consider tightening the entry in the server policy applied to the Business Space help location.
The Business Space help location policy is:
grant codeBase "file:${was.install.root}/profiles/profile_name/temp/node_name/-" {
permission java.security.AllPermission;
};
Tighten the policy by changing it to:
grant codeBase "file:${was.install.root}/profiles/profile_name/temp/node_name/server_name/BSpaceHelpEAR_node_name_server_name/BSpaceHelp.war/-" {
permission java.security.AllPermission;
};