Is it supported to change the role name of admin in BPMS 6?

Solution Unverified - Updated -

Environment

  • Red Hat JBoss Business Process Management Suite (BPMS)
    • 6.0.x
    • 6.1.x

Issue

  • Is it supported to change the name of the admin role used in BPMS 6.0? The requirement is to avoid generic role names such as admin (e.g. for people using Active Directory) in the Business Central and Dashbuilder applications, and to use a random role name that has the same administration privileges.

Resolution

  • Please note that currently (as of BPMS 6.0.x) it is not possible to completely remove the role named admin from an administrative user's roles, because this name is hard-coded in the source code of Business Central. This has already been filed in Bugzilla [1] and might be fixed in BPMS 6.1 once it is released. Existing users of BPMS 6.0.2 can apply BPMS Roll up patch #1 for that release (once it is released) to get the fix for this issue.
  • For Dashbuilder's roles, there are two scenarios. If you want to change role names from the beginning, you only need to edit web.xml, jbpmWorkspace.xml and showcaseWorkspace.xml as illustrated below. If you want to change role names after you have used business-central with the default role names, some additional steps are needed; see the "Changing Dashbuilder role names after using default role names" section below. This is because Dashbuilder's role information is stored in the database, as reported in Bugzilla [2].
  • Still, to add a custom role of your choice (e.g. adminOne) for Business Central, in addition to the roles shipped out of the box, modify the following files while keeping the admin role intact. Make sure that the updated role names are already mapped in Active Directory for the desired BPMS user.

Business Central

1. business-central.war/WEB-INF/web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>console</web-resource-name>
      <url-pattern>/org.kie.workbench.KIEWebapp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>     
      <role-name>adminOne</role-name>
      <role-name>analyst</role-name>
      <role-name>developer</role-name>
      <role-name>user</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
...
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>formModeler</web-resource-name>
          <url-pattern>/formModeler/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>  
          <role-name>adminOne</role-name>
          <role-name>analyst</role-name>
          <role-name>developer</role-name>
          <role-name>user</role-name>
          <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
...
  <security-role>
    <description>Administrator - Administrates the BPMS system. Has full access
      rights to make any changes necessary. Also has the
      ability to add and remove users from the system.
    </description>
    <role-name>admin</role-name>
  </security-role>
  <!-- a security-role element takes a single role-name, so the custom role is declared separately -->
  <security-role>
    <role-name>adminOne</role-name>
  </security-role>
...

2. business-central.war/WEB-INF/web-ui-server.xml

    <security-constraint>
        <web-resource-collection>
          <web-resource-name>console</web-resource-name>
          <url-pattern>/org.kie.workbench.KIEWebapp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name> 
          <role-name>adminOne</role-name>
          <role-name>analyst</role-name>
          <role-name>developer</role-name>
          <role-name>user</role-name>
          <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
...
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>formModeler</web-resource-name>
          <url-pattern>/formModeler/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name> 
          <role-name>adminOne</role-name>
          <role-name>analyst</role-name>
        </auth-constraint>
    </security-constraint>
...

  <security-role>
    <description>Administrator - Administrates the BPMS system. Has full access
      rights to make any changes necessary. Also has the
      ability to add and remove users from the system.
    </description>
    <role-name>admin</role-name>
  </security-role>
  <!-- a security-role element takes a single role-name, so the custom role is declared separately -->
  <security-role>
    <role-name>adminOne</role-name>
  </security-role>
...

3. business-central.war/WEB-INF/web-exec-server.xml

    <security-constraint>
        <web-resource-collection>
          <web-resource-name>rest</web-resource-name>
          <url-pattern>/rest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name> 
          <role-name>adminOne</role-name>
          <role-name>analyst</role-name>
          <role-name>developer</role-name>
          <role-name>user</role-name>
          <role-name>manager</role-name>
        </auth-constraint>
    </security-constraint>
...
  <security-role>
    <description>Administrator - Administrates the BPMS system. Has full access
      rights to make any changes necessary. Also has the
      ability to add and remove users from the system.
    </description>
    <role-name>admin</role-name>
  </security-role>
  <!-- a security-role element takes a single role-name, so the custom role is declared separately -->
  <security-role>
    <role-name>adminOne</role-name>
  </security-role>
...

4. business-central.war/WEB-INF/classes/workbench-policy.properties

...
roles.wb_everything=admin, adminOne
roles.wb_for_developers=developer
roles.wb_for_business_analysts=analyst
roles.wb_for_business_users=user
roles.wb_for_managers=manager

5. business-central.war/WEB-INF/classes/restricted-groups.properties

# list all groups that should not be inserted into task service database
# in general all web application roles should be listed here to avoid
# any clash between application roles and the actual human task groups
admin,adminOne
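
The five Business Central edits above only work if the custom role appears beside admin in every constraint and properties file, and a missed entry shows up later as an access failure for that role on one URL pattern. The following Python 3.8+ audit is an added example, not part of the Red Hat solution; the function names and the sample inputs are constructed for illustration, and you would feed it the contents of the files extracted from business-central.war.

```python
import xml.etree.ElementTree as ET

def _roles(elem):
    # "{*}" matches the tag with or without the Java EE namespace (Python 3.8+)
    return [r.text.strip() for r in elem.findall(".//{*}role-name") if r.text]

def audit_descriptor(xml_text, custom, builtin="admin"):
    """Findings for one descriptor (web.xml, web-ui-server.xml, web-exec-server.xml)."""
    root, findings = ET.fromstring(xml_text), []
    for sc in root.findall(".//{*}security-constraint"):
        name = (sc.findtext(".//{*}web-resource-name") or "?").strip()
        granted = _roles(sc)
        if builtin in granted and custom not in granted:
            findings.append(f"{name}: {custom} missing from auth-constraint")
        elif custom in granted and builtin not in granted:
            findings.append(f"{name}: {builtin} removed, the page says to keep it")
    declared = {r for sr in root.findall(".//{*}security-role") for r in _roles(sr)}
    if custom not in declared:
        findings.append(f"no security-role declares {custom}")
    return findings

def audit_properties(text, custom, builtin="admin"):
    """Findings for workbench-policy.properties or restricted-groups.properties."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        roles = [r.strip() for r in line.split("=", 1)[-1].split(",")]
        if builtin in roles and custom not in roles:
            findings.append(f"line {n}: {custom} missing beside {builtin}")
    return findings

# Constructed samples: formModeler, security-role and the policy line were not updated.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>console</web-resource-name></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>adminOne</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>formModeler</web-resource-name></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""
SAMPLE_POLICY = "roles.wb_everything=admin\nroles.wb_for_developers=developer\n"

if __name__ == "__main__":
    for finding in audit_descriptor(SAMPLE_WEB_XML, "adminOne") + audit_properties(SAMPLE_POLICY, "adminOne"):
        print(finding)
```

An empty result from both functions for every file listed above means the custom role is present wherever admin is.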

Dashbuilder

1. dashbuilder.war/WEB-INF/web.xml

...
    <security-role>
        <description>Administrator - Administrates the BPMS system. Has full access
            rights to make any changes necessary. Also has the
            ability to add and remove users from the system.
        </description>
        <role-name>admin</role-name>
    </security-role>
    <!-- a security-role element takes a single role-name, so the custom role is declared separately -->
    <security-role>
        <role-name>adminOne</role-name>
    </security-role>
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted access</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>adminOne</role-name>
            <role-name>analyst</role-name>
        </auth-constraint>
    </security-constraint>
...

2. dashbuilder.war/WEB-INF/etc/appdata/initialData/showcaseWorkspace.xml

Note: In version 6.1.x, the file is dashbuilder.war/WEB-INF/deployments/showcaseWorkspace.workspace

<permission principalClass="org.jboss.dashboard.security.principals.RolePrincipal" permissionClass="org.jboss.dashboard.security.WorkspacePermission" readonly="true" principal="role-adminOne" actions="login,admin,createPage,edit,delete,edit perm,admin providers" ></permission>

3. dashbuilder.war/WEB-INF/etc/appdata/initialData/jbpmWorkspace.xml

Note: In version 6.1.x, the file is dashbuilder.war/WEB-INF/deployments/jbpmWorkspace_v2.workspace

 <permission principalClass="org.jboss.dashboard.security.principals.RolePrincipal"
                    permissionClass="org.jboss.dashboard.security.WorkspacePermission" readonly="true"
                    principal="role-adminOne" actions="login,admin,createPage,edit,delete,edit perm,admin providers"></permission>
...
 <permission principalClass="org.jboss.dashboard.security.principals.RolePrincipal"
                    permissionClass="org.jboss.dashboard.security.PanelPermission" readonly="true"
                    principal="role-adminOne" actions="view,edit,edit perm"></permission>
 <permission principalClass="org.jboss.dashboard.security.principals.RolePrincipal"
                    permissionClass="org.jboss.dashboard.security.SectionPermission" readonly="true"
                    principal="role-adminOne" actions="view,edit,delete,edit perm"></permission>
...

Changing Dashbuilder role names after using default role names

  1. Edit dashbuilder.war/WEB-INF/web.xml. For example, change 'analyst' to 'analystX'. This time, you don't need to edit showcaseWorkspace.xml and jbpmWorkspace.xml.
  2. Start BPMS.
  3. Log in as admin.
  4. Go to [Dashboards] -> [Business Dashboard].
  5. Go to "General Configuration" -> both "Workspace/Showcase/Permissions" and "Workspace/jBPM Dashboard/Permissions" in order to add the role 'analystX'.
  6. In the "Permissions assignation:" section, choose 'analystX' from the "Select role" select box.
  7. Select 'Yes' for Actions.
  8. Press "Save".
  9. You can see that the role 'analystX' has been added to the "Permissions:" table.

[1] Submenu entries are tied to admin role only
[2] Dashbuilder's roles not reflected correctly after changes made to xml files

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
