Business Automation Workflow — Controlling access to Process Portal Saved Searches

Security & Privileges

Introduction:

By default, all Process Portal users can create, share, and save searches. However, you can restrict update permissions on saved searches by using action policies in non-federated environments or user roles in federated environments.

A saved search can be personal to its owner or shared with other users. A saved search runs on the system where it was created, against that system's data, for example on a Business Automation Workflow server or a Process Federation Server instance.

Federated systems

Authorization for creating, updating, and deleting shared saved searches is determined by the corresponding security roles for the com.ibm.bpm.federated.rest.authorization REST service. These roles are set in the <authorization-roles> section of the Process Federation Server Liberty server.xml configuration file.

Searches are stored in the Process Federation Server database and run against the federated index on Process Federation Server.

Non-federated systems and action policies

Authorization for creating, updating, and deleting shared saved searches is determined by the ACTION_MANAGE_SAVED_SEARCH, ACTION_CREATE_SHARED_SAVED_SEARCH, and ACTION_ADMINISTER_SHARED_SAVED_SEARCHES action policies.

Hierarchy of privilege levels

Action policies have the following permission levels, listed from most privileged to least privileged:

  1. ACTION_ADMINISTER_SHARED_SAVED_SEARCHES
  2. ACTION_CREATE_SHARED_SAVED_SEARCH
  3. ACTION_MANAGE_SAVED_SEARCH
  4. ACTION_RUN_SAVED_SEARCH

Managing action policies

As a consequence, if a user belongs to a group to which action policies with different permission levels are applied, for example ACTION_CREATE_SHARED_SAVED_SEARCH and ACTION_RUN_SAVED_SEARCH, the most privileged action policy prevails.

If you create a new user, user1, this new user is automatically added to the tw_allusers group. The default policy for the tw_allusers group is ACTION_CREATE_SHARED_SAVED_SEARCH.

If you later create a new user group, group1, add user1 to it, and then apply the ACTION_RUN_SAVED_SEARCH action policy to group1, user1 still keeps the ACTION_CREATE_SHARED_SAVED_SEARCH policy because that user is still a member of the tw_allusers group. Therefore, to apply these policies meaningfully and effectively, you must set tw_allusers to ACTION_RUN_SAVED_SEARCH; you can then grant other user groups more permissions by assigning them more permissive action policies.
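The precedence rule above, as an added example that is not IBM's code: it resolves a user's effective policy from group memberships (the most privileged policy wins) and flags groups whose restriction can never take effect because tw_allusers already grants more. The group search_authors and the policy assignments are constructed for the scenario.

```python
# Added example (not IBM's code): a model of how Process Portal action
# policies combine across group memberships, so an administrator can check
# the effective level before changing the real BPMActionPolicy object.

# Hierarchy from the page, index 0 = most privileged.
POLICY_RANK = [
    "ACTION_ADMINISTER_SHARED_SAVED_SEARCHES",
    "ACTION_CREATE_SHARED_SAVED_SEARCH",
    "ACTION_MANAGE_SAVED_SEARCH",
    "ACTION_RUN_SAVED_SEARCH",
]
LEAST_PRIVILEGED = POLICY_RANK[-1]


def effective_policy(user_groups, group_policies):
    """Return the most privileged policy among the user's groups.

    group_policies maps a group name to its assigned policy; groups without
    an assigned policy contribute nothing. Returns None if nothing is granted.
    """
    granted = [group_policies[g] for g in user_groups if g in group_policies]
    if not granted:
        return None
    # Lowest index in POLICY_RANK wins: the most privileged policy prevails.
    return min(granted, key=POLICY_RANK.index)


def ineffective_restrictions(group_policies, baseline_group="tw_allusers"):
    """Flag groups whose policy is weaker than the baseline group's policy.

    Every user is in tw_allusers, so a group assigned a less privileged
    policy than tw_allusers can never actually restrict its members.
    """
    baseline = group_policies.get(baseline_group)
    if baseline is None:
        return []
    base_rank = POLICY_RANK.index(baseline)
    return sorted(g for g, p in group_policies.items()
                  if g != baseline_group and POLICY_RANK.index(p) > base_rank)


# Constructed scenario from the page: default tw_allusers policy, plus
# group1 intended to limit user1 to running searches only.
DEFAULT_POLICIES = {
    "tw_allusers": "ACTION_CREATE_SHARED_SAVED_SEARCH",
    "group1": "ACTION_RUN_SAVED_SEARCH",
}
# Corrected layout: tw_allusers lowered to the least privileged level and
# extra rights granted through a dedicated (constructed) group.
CORRECTED_POLICIES = {
    "tw_allusers": LEAST_PRIVILEGED,
    "group1": "ACTION_RUN_SAVED_SEARCH",
    "search_authors": "ACTION_CREATE_SHARED_SAVED_SEARCH",
}
```

With DEFAULT_POLICIES, user1 in both tw_allusers and group1 still resolves to ACTION_CREATE_SHARED_SAVED_SEARCH and group1 is reported as ineffective; with CORRECTED_POLICIES the same user resolves to ACTION_RUN_SAVED_SEARCH.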

Configuring the action policies

The configuration properties for the action policies are contained in the BPMActionPolicy configuration object. You can use the AdminConfig object commands in the wsadmin tool to change the default security group for an action policy. The screenshot below shows a custom wsadmin automation script created for this task.

SavedSearchActionPolicy.py script

Running the scripts

Starting the wsadmin scripting tool
Use SavedSearchActionPolicy.py to update the action policy. To remove the role, replace tw_admins or tw_allusers with the empty string "".
