6. Server User Guide

Securing Process Server Components

You can give groups of users permission to access Process Server by configuring the security roles provided. Only one role must be configured: abTaskClient, which is required for access to Process Central. The remaining roles are optional and can be configured during the config-deploy process. However, if you have a license for the Multi-Tenant feature, you must configure security.

To secure Process Server components:

  1. Run the config-deploy utility (the installation utility), and navigate to the Security page if you have already installed the application.
  2. On the Security page, select the checkboxes for the components you want to secure:
    • Administrative functions. This setting enables you to configure three levels of authenticated users for access to the Process Console and deployed processes.
    • Process services. This setting enables you to configure authenticated users to initiate process instances of deployed processes.
    • Process Server Identity Service Consumer. This setting enables you to configure authenticated users of Process Developer to open and use the Identity Service (member directory) configured in Process Server Console. The Identity Service is a resource used in many types of processes.
  3. Complete the config-deploy installation. If you are only setting up security, note that all your other settings from a previous installation are still intact.
  4. Review the security roles definitions in the table below.
  5. Assign the roles to users and groups as desired, to tell your application server to use them.

Process Server Security Roles

The following sections describe the roles that you use to secure Process Central, Process Console, and deployed processes.

Administrative Functions

These functions add security parameters to the ActiveVOS Consoles and services by setting the following roles:
abAdmin
Users associated with this role have full administrative rights to ActiveVOS Server.
abBusinessManager
Users associated with this role have access to process instance details (but cannot operate on them). They can monitor active processes and tasks, and work queues. They have a read-only view of process instance details.
abDeployer
Users associated with this role have rights restricted to deploying business process archive files to ActiveVOS Server.
abDeveloper
Users associated with this role have rights restricted to service artifacts, endpoint information, and sample messages for the services they consume and expose (that is, processes) after they are deployed. Developers need the ability to deploy process deployment archives, initiate process execution and analyze them. Developers also need to configure global function contexts for custom functions, URN mappings, and the ability to schedule process execution. Specifically, this user has access to the Active Process list, the Process Instance View, the Active Task and Work Queues lists, the Server Log, the Dashboard and all reports, and the catalog's content.
abOperator
Users associated with this role have rights restricted to operating the system. These include observing the functionality of processes, managing process instances using the process instance detail view, running reports, logging, viewing exceptions, acquiring information on service operations, adding and removing tenants, and managing the scheduled database delete schedule.
abTaskClient
Required. You must configure permission to access ActiveVOS Central for all users. In addition, users who interact with the Human Task (WS-HT) API must have this role.
ActiveVOS Central presents a login page to users.

Process Services

The process services setting adds security parameters to the Web Services handler for all deployed BPEL services with a role. The services listed at http://[host]:[port]/active-bpel/services are secured. The process services roles are:
abRestrictedServiceConsumer
Users associated with this role cannot access a service unless it is deployed with allowed roles specified in the pdd and the user belongs to at least one of these roles. Access to services with no roles specified in the pdd is also denied. Users in this role can view the wsdl files for other services, like users in abServiceConsumer; however, they are blocked at runtime.
abServiceConsumer
Users associated with this role have rights restricted to starting process instances of deployed processes, including from ActiveVOS Central, the Eclipse Web Tools Project, or another client application, such as SOAPUI.
abTenantAdmin
(For a Multi-Tenant licensed server only.) Users associated with this role have rights to deploy and manage contributions into a configured tenant on the server.
Based on a Tenant Definition configured by the ActiveVOS Server administrator (with the abAdmin role), a tenant administrator user can log into the tenant context on the server. A service consumer user can create process instances for processes deployed to the tenant context.

Identity Service Consumer

The identity service consumer setting adds security parameters to the Web Services handler for the Process Identity service used by the ActiveVOS Central application, using the following role:
abIdentityListConsumer
Only users associated with this role or abAdmin have rights to submit Web Service requests to the identity service from Process Developer.
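
The following is an added example, not part of the product or its documentation: a small audit of role assignments against the role names defined above, plus the runtime rule stated for abRestrictedServiceConsumer. The input shape (user to set of role names), the sample users, and the pdd role name claims-handlers are assumptions made for illustration.

```python
# Added example: audit role assignments against the roles this page defines.
# The input shape (user -> set of role names) is an assumption; export it from
# your application server's user store in whatever way that server supports.

KNOWN_ROLES = {
    # Administrative functions
    "abAdmin", "abBusinessManager", "abDeployer", "abDeveloper", "abOperator",
    "abTaskClient",
    # Process services
    "abRestrictedServiceConsumer", "abServiceConsumer", "abTenantAdmin",
    # Identity service consumer
    "abIdentityListConsumer",
}


def audit_assignments(assignments):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    for user, roles in assignments.items():
        roles = set(roles)
        # A name outside the documented set is most likely a typo.
        for role in sorted(roles - KNOWN_ROLES):
            findings.append((user, f"unknown role name: {role}"))
        if "abTaskClient" not in roles:
            findings.append((user, "no abTaskClient: no access to Process Central"))
        if "abAdmin" in roles:
            findings.append((user, "abAdmin: full administrative rights, review"))
    return sorted(findings)


def restricted_consumer_allowed(user_roles, pdd_allowed_roles):
    """Rule stated for abRestrictedServiceConsumer: the service must be deployed
    with allowed roles in the pdd and the user must hold at least one of them.
    An empty pdd role list therefore always denies."""
    return bool(set(user_roles) & set(pdd_allowed_roles))


# Constructed sample data (hypothetical users; "abOperater" is a deliberate typo).
SAMPLE = {
    "alice": {"abAdmin", "abTaskClient"},
    "bob": {"abOperater", "abTaskClient"},
    "carol": {"abRestrictedServiceConsumer"},
}

if __name__ == "__main__":
    for user, finding in audit_assignments(SAMPLE):
        print(f"{user}: {finding}")
```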


Updated March 13, 2020