Chapter 2. Business Central Configuration

As Business Central is a web application, its configuration settings are loaded from DEPLOY_DIRECTORY/business-central.war/WEB-INF/web.xml and the files it references and, if deployed on Red Hat JBoss EAP 6, also from jboss-web.xml and jboss-deployment-structure.xml.
Note that the entire application can be run in different profiles (refer to the Red Hat JBoss BPM Suite Installation Guide).

2.1. Access control

The access control mechanism includes authorization and authentication. In the unified environment of Red Hat JBoss BPM Suite, users are able to update the default user roles located within $JBOSS_HOME/standalone/deployments/business-central.war/WEB-INF/classes/userinfo.properties.
To grant a user access to JBoss BPM Suite, the user needs to have the respective role assigned:
  • admin: administers the JBoss BPM Suite system and has full access rights to make any changes necessary, including the ability to add and remove users from the system.
  • developer: implements code required for processes to work and has access to everything except administration tasks.
  • analyst: creates and designs processes and forms, instantiates the processes and deploys artifacts. This role is similar to a developer, without access to asset repository and deployments.
  • user: claims, performs, and invokes other actions (such as escalation, rejection, etc.) on the assigned Tasks and has no access to authoring functions.
  • manager: monitors the system and its statistics and only has access to the dashboard.
  • business user: takes action on business tasks that are required for processes to continue forward. Works primarily with the task list.
If using Red Hat JBoss EAP, to create a user with particular roles, run the $JBOSS_HOME/add-user.sh script and create an Application User in the ApplicationRealm with the respective roles.

Workbench Configuration

Within Red Hat JBoss BPM Suite, users may set up roles using LDAP to modify existing roles. Users may modify the roles in the workbench configuration to ensure the unique LDAP-based roles conform to enterprise standards by editing the workbench-policy.properties file in the deployments directory, located at $JBOSS_HOME/standalone/deployments/business-central.war/WEB-INF/classes/workbench-policy.properties.
If authenticating users via LDAP over Git, administrators must set the system property org.uberfire.domain to the name of the login module that should be used to authenticate users via the Git service. This must be set in the standalone.xml file in EAP.

Authentication in Human Tasks

Every Task that needs to be executed is assigned to one or multiple roles or groups, so that any user with the given role or the given group assigned can claim the Task instance and execute it. Tasks can also be assigned to one or multiple users directly. JBoss BPM Suite uses the UserGroupCallback interface to assign tasks to users.

Warning

A group for a Human Task must not be named after an existing user of the system. Doing so causes intermittent issues.
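
The role list in section 2.1 and the warning above can be checked mechanically before a realm goes live. The following Python script is an added example, not part of the Red Hat documentation or product code. It assumes the user-to-role mapping is stored as username=role1,role2 lines (the layout of the roles properties file that add-user.sh writes); the sample data and the function names are constructed for illustration.

```python
# Added example: audit a "username=role1,role2" properties mapping.
DEFAULT_ROLES = {"admin", "developer", "analyst", "user", "manager"}  # from section 2.1

# Constructed sample data (not from a real system).
SAMPLE = """\
alice=admin,analyst
bob=developer,alice
carol=user,HR
hr=manager
erin=user,ldap-approvers
dave=
"""


def parse_roles(text):
    """Return {username: set of roles}; skips blank lines and # or ! comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        user, _, roles = line.partition("=")
        mapping[user.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return mapping


def audit(mapping):
    """Flag group/user name collisions, admin holders, and unusual entries."""
    # Case-insensitive comparison is a conservative assumption of this example.
    usernames = {u.lower() for u in mapping}
    all_roles = set().union(*mapping.values())
    return {
        # Groups named after an existing user (the Warning above).
        "group_named_after_user": sorted(r for r in all_roles if r.lower() in usernames),
        # Holders of the role that can add and remove users.
        "admins": sorted(u for u, r in mapping.items() if "admin" in r),
        # Roles outside the default list, e.g. custom LDAP-based roles to review.
        "non_default_roles": sorted(all_roles - DEFAULT_ROLES),
        "users_without_roles": sorted(u for u, r in mapping.items() if not r),
    }


if __name__ == "__main__":
    for finding, names in audit(parse_roles(SAMPLE)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Roles reported under non_default_roles are not necessarily wrong; they are the entries to compare against the workbench policy configuration.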