Securing Process Server Components

You can grant groups of users access to Process Server by configuring the security roles provided.
Note: Only one role must be configured: abTaskClient, which is required for access to Process Central. The remaining roles are optional and can be configured during the config-deploy process. However, if you have a license for the Multi-Tenant feature, you must configure security.

To secure Process Server components:

  1. Run the config-deploy utility (the installation utility). If you have already installed the application, navigate to the Security page.
  2. On the Security page, select the checkboxes for the components you want to secure:
  3. Complete the config-deploy installation. If you are only setting up security, all your other settings from a previous installation remain intact.
  4. Review the security role definitions in the table below.
  5. Assign the roles to users and groups as desired, so that your application server uses them. Refer to Configuring Your Application Server to Work with Process Server Security Roles.

Process Server Security Roles

The following sections describe the roles that you use to secure Process Central, Process Console, and deployed processes.

Administrative Functions

These functions add security parameters to the Process Consoles and services by setting the following roles:
Users associated with this role have full administrative rights to Process Server.
Users associated with this role have access to process instance details (but cannot operate on them). They can monitor active processes and tasks, and work queues. They have a read-only view of process instance details.
Users associated with this role have rights restricted to deploying business process archive files to Process Server.
Users associated with this role have rights restricted to service artifacts, endpoint information, and sample messages for the services they consume and expose (that is, processes) after they are deployed. Developers need the ability to deploy process deployment archives, initiate process executions, and analyze them. Developers also need to configure global function contexts for custom functions and URN mappings, and to schedule process execution. Specifically, this user has access to the Active Process list, the Process Instance View, the Active Task and Work Queues lists, the Server Log, the Dashboard and all reports, and the catalog's content.
Users associated with this role have rights restricted to operating the system. These include observing the functionality of processes, managing process instances using the process instance detail view, running reports, logging, viewing exceptions, acquiring information on service operations, adding and removing tenants, and managing the schedule for database deletes.
Required. You must configure permission to access Process Central for all users. In addition, users who interact with the Human Task (WS-HT) API must have this role.
Process Central presents a login page to users.

Process Services

Process services add security parameters to the Web Services handler for all deployed BPEL services with a role. The services listed at http://[host]:[port]/active-bpel/services are secured. The process services roles are:
Users associated with this role cannot access a service unless it is deployed with allowed roles specified in the pdd and the user belongs to at least one of these roles. If no roles are specified in the pdd, access to the service is also denied. Users in this role can view the WSDL files for other services like abServiceConsumer; however, they are blocked at runtime.
Users associated with this role have rights restricted to starting process instances of deployed processes, including from Process Central, the Eclipse Web Tools Project, or other client applications, such as SoapUI.
(For a Multi-Tenant licensed server only.) Users associated with this role have rights to deploy and manage contributions into a configured tenant on the server.
Based on a Tenant Definition configured by the Process Server administrator (with the abAdmin role), a tenant administrator user can log into the tenant context on the server. A service consumer user can create process instances for processes deployed to the tenant context.
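
The runtime rule described above for the restricted service consumer role, as an added example (not Process Server code or its API): a service is callable only when its pdd lists allowed roles and the caller holds at least one of them. The service names, group roles, users, and the `Service`, `restricted_access` and `audit` names are constructed for illustration, and every sample user is assumed to hold the restricted role.

```python
# Added example, not product code. It models the access rule for a restricted
# service consumer so a deployment inventory can be reviewed before go-live.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    # Allowed roles taken from the service's pdd; empty when none are specified.
    allowed_roles: frozenset = frozenset()


def restricted_access(user_roles, service):
    """Return (allowed, reason) for a restricted consumer calling a service."""
    if not service.allowed_roles:
        # Fail closed: no roles in the pdd means the call is denied.
        return False, "pdd specifies no allowed roles"
    shared = set(user_roles) & service.allowed_roles
    if not shared:
        return False, "user holds none of the pdd's allowed roles"
    return True, "matched: " + ", ".join(sorted(shared))


def audit(users, services):
    """Return (services callable per user, services closed to every restricted user)."""
    reachable = {
        user: sorted(s.name for s in services if restricted_access(roles, s)[0])
        for user, roles in users.items()
    }
    closed = sorted(s.name for s in services if not s.allowed_roles)
    return reachable, closed


# Constructed sample inventory (hypothetical names).
SERVICES = [
    Service("claimIntake", frozenset({"claims-team", "finance-team"})),
    Service("invoiceApproval", frozenset({"finance-team"})),
    Service("legacyLookup"),  # deployed without allowed roles in its pdd
]
USERS = {"alice": {"claims-team"}, "bob": {"hr-team"}}

if __name__ == "__main__":
    reachable, closed = audit(USERS, SERVICES)
    for user, names in reachable.items():
        print(f"{user}: {names or 'no callable services'}")
    print("closed to all restricted consumers:", closed)
```

Services reported as closed are the ones to review: either their pdd needs allowed roles, or their callers need a different role.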

Identity Service Consumer

The identity service consumer adds security parameters to the Web Services handler for the Process Identity service used by the Process Central application, using the following roles:
Only users associated with this role or abAdmin have rights to submit Web Service requests to the identity service from Process Developer.