Assigning the superuser by user group
You can assign users to be superusers (or Process Portal administrators) based on user groups.
Before you begin
- Enable application security and administrative security. See Enabling security for the Business Space component.
- Check that your user ID is registered in the user registry for your product.
A superuser can view, edit, and delete all spaces and pages, can manage and create templates, and can change ownership of a space by changing the owner ID.
- Users belonging to the special user group, administrators, have a superuser role by default. As a result, the superuser role assignment is handled by user group membership.
- In a single-server environment, the IBM Business Process Manager server creates the administrators user group in the default user registry. The administrator ID provided during configuration is automatically added as a member of this group.
- In a network deployment environment, the administrators user group is not created automatically. Use the createSuperUser.py script to create the user group and add members to that group in the default user registry.
- If another user registry (for example, LDAP) is used instead of the default user registry, or if the default user registry is used but you do not want to use the administrators user group, you must identify the user group that you are using for the Process Portal superusers. Make sure that the value that you provide can be understood by the user registry. For example, for LDAP, you might provide a name like cn=administrators,dc=company,dc=com. For more information about identifying this user group, see the instructions for changing the administrators group in the What to do next section.
- For widgets in WebSphere Portal, the default group wpsadmins is also used for the superuser role. Members of this group are granted the superuser role.
Note: Security must be enabled if you want to use widgets in WebSphere Portal.
If administrative security is not enabled when you configure IBM Business Process Manager, only the special user ID BPMAdministrator has the superuser role.
- Make sure the default administrators group name is not changed on the administrative console.
- Use the default file-based user repository for the user registry.
- Start the server or the deployment manager for your IBM Business Process Manager environment for the profile where Process Portal is installed.
Procedure
What to do next
To open the Business Space component, use the following URL: http://host:port/BusinessSpace, where host is the name of the host where your server is running and port is the port number for your server.
You can change the default special user group named administrators. Perform the following steps to check the current group name or change it to another name.
- profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties on a stand-alone server, or
- deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties on a cluster.
- Make sure that the group exists in the user repository.
- Modify the metric com.ibm.mashups.adminGroupName in the configuration file profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the profile: $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the server.
- Make sure that the group exists in the user repository.
- Modify the metric com.ibm.mashups.adminGroupName in the configuration file deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the deployment environment profile: $AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the deployment manager.
- Modify the metric noSecurityAdminInternalUserOnly in the configuration file profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the profile: $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the server.
- Modify the metric noSecurityAdminInternalUserOnly in the configuration file deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties.
- Run the command updatePropertyConfig in the wsadmin environment of the deployment environment profile: $AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"} and run $AdminConfig save.
- Restart the deployment manager.
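A pre-change check for the steps above, as an added example that is not IBM's code: it parses ConfigService.properties text and reports the effective com.ibm.mashups.adminGroupName, treating a later duplicate key as the one that applies (an assumption based on standard Java properties loading). The function names and the sample content are constructed for illustration; backslash escapes and continuation lines are not handled.

```python
import re

ADMIN_GROUP_KEY = "com.ibm.mashups.adminGroupName"
NO_SECURITY_KEY = "noSecurityAdminInternalUserOnly"
DEFAULT_GROUP = "administrators"
# Simplified DN shape (no escaped commas): cn=administrators,dc=company,dc=com
DN_RE = re.compile(r"^[A-Za-z][\w.-]*=[^,=]+(,[A-Za-z][\w.-]*=[^,=]+)*$")

# Constructed sample content, not a real ConfigService.properties file.
SAMPLE = """\
# stale entry left behind by an earlier edit
com.ibm.mashups.adminGroupName = administrators
noSecurityAdminInternalUserOnly = BPMAdministrator
com.ibm.mashups.adminGroupName = cn=administrators,dc=company,dc=com
"""

def parse_properties(text):
    """Return {key: [values in file order]} for simple .properties text."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at the FIRST '=', ':' or whitespace. The value may
        # contain '=' itself (an LDAP DN does), so never split on every '='.
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        props.setdefault(key, []).append(value)
    return props

def audit_superuser_settings(text):
    """Report the effective superuser group and anything worth reviewing."""
    props = parse_properties(text)
    groups = props.get(ADMIN_GROUP_KEY, [])
    # Assumption: java.util.Properties semantics, a later duplicate wins.
    group = groups[-1] if groups else None
    findings = []
    if len(groups) > 1:
        findings.append("duplicate %s: last value applies" % ADMIN_GROUP_KEY)
    if not group:
        findings.append("%s missing or empty" % ADMIN_GROUP_KEY)
    elif "=" in group and not DN_RE.match(group):
        findings.append("malformed DN: %r" % group)
    elif group != DEFAULT_GROUP:
        findings.append("non-default group %r: confirm it exists in the registry" % group)
    no_security = (props.get(NO_SECURITY_KEY) or [None])[-1]
    return {"group": group, "no_security_value": no_security, "findings": findings}

if __name__ == "__main__":
    print(audit_superuser_settings(SAMPLE))
```

Run it against the file's contents before updatePropertyConfig, so that a stale duplicate or a malformed group name is caught before the restart makes it the group that grants the superuser role.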