Setting up security for the Business Space component and Process Portal

If you are using Process Portal with your environment, you must consider security options for the Business Space component. If you want to turn on security, set up application security and designate a user repository. To define administrators, assign a Business Space superuser role.

About this task

For best results, enable security before you configure the Business Space component. If you enable security later, use the administrative console Global security administration page, to enable both administrative security and application security. On the same administrative console page, you also can designate a user account repository, including changing from the default federated repositories option to another user repository. To designate which users can perform administrator actions in Process Portal, assign the Business Space superuser role. Other security configuration might be needed for your specific environment.

Restriction: The Business Space component does not support fine-grained access control in Java 2 security.
Important: By default, the Ajax proxy configuration used with widgets does not restrict access to any IP addresses. For convenience, the Ajax proxy is configured by default to be open, which is not secure for production scenarios. To configure the Ajax proxy so that it displays only content from selected sites or blocks content from selected sites, follow the steps at Blocking IP addresses using the Business Space Ajax proxy.
  • Enabling security for the Business Space component
    If you expect to use a secured environment, enable security before you configure Process Portal. However, if needed, you can enable security manually later. To turn on security for Process Portal you must enable both application security and administrative security for the Business Space component.
  • Selecting the user repository for Process Portal
    The federated repositories option is the default user account repository option for profiles. You can change the type of user account repository if needed for your environment.
  • Setting up SSO and SSL for Process Portal
    For remote environments where Process Portal and your product server are in different cells, set up single-sign-on (SSO) and Secure Sockets Layer (SSL) configuration manually.
  • Designating HTTP or HTTPS settings for Process Portal
    The Business Space component is configured to be accessed by HTTPS by default. You can change the protocol from the default or back to the default by running a script.
  • Setting up security for system REST services
    To set up security for the data in the widgets based on users and groups, you must modify the users that are mapped to the REST services gateway application.
  • IBM Business Process Manager widget security considerations
    Depending on the widgets you use in Process Portal for your product, you might assign either administrative user group roles to control access to data in a widget, or you might assign an additional layer of role-based access for your widget.
  • Assigning the superuser role
    You can assign users to be superusers (or Process Portal administrators). A superuser can view, edit, and delete all spaces and pages, can manage and create templates, and can change ownership of a space by changing the owner ID.
  • Assigning the superuser by user group
    You can assign users to be superusers (or Process Portal administrators) based on user groups.
  • Preventing users from creating spaces
    You can customize IBM Business Process Manager so that only users logging in with a superuser role can create spaces.
  • Enabling searches for user registries without wildcards
    If your user registry is set up to not use wildcards, you must complete additional configuration steps so that searches work properly in Process Portal and for widgets that search the user registry.
Parent topic: Securing IBM Business Process Manager and applications
Related information:
WebSphere Application Server security documentation
Configuring Lightweight Directory Access Protocol search filters
Managing the realm in a federated repository configuration
Selecting a registry or repository