IBM Business Process Manager


Automating Role Generation and Population


What I am trying to do is, as the title suggests, automate the creation and population of our roles within bpm. I have already completed the automatic population of the already created roles. The Javascript API does not let me create role nor assign a managing role to an existing role. My question is, have I overlooked something or does any one else have ideas how I can also automate the creation and association of a managing role?
Thank you for your time -
kolban
1000000446
‏2013-06-04T22:07:58Z
I am thinking that a "role" is a WAS group of users. What is your WAS system configured to use as a user repository?
Neil
More...
Actually, no matter what security provider you are using IBM BPM allows you to create Roles in the Admin screen. These are essentially user groups that are global to your BPM install but only exist in BPM. Unlike Participant Groups, they are not part of the artifacts that are in a given process app or toolkit, so they may not be part of your solution when you promote your code.
Now, there are lots of caveats and asides to the above statement. As you may or may not be aware, you can create a Participant group that contains a Role as well as directly containing users. When your promote a snapshot that does this, the system checks the security provider for the target system to see if it already has a role with that name. If it does then nothing has to be done. The Participant Group will use the role from the current security provider to determine membership. If however your security provider does not have the role defined, then a new role is created on the internal user/group tables to support the PG's design.
If you do hook up to an LDAP, I seem to remember you will see the LDAP roles in your ProcessAdmin screen. You can then add users to them there. This gets really confusing because you aren't changing the membership in LDAP, you are actually saying "For the purposes of BPM, this role has all the people from LDAP, as well as the following". Not ideal. (This may have gone away. Haven't tried recently).
Now, while all of the above is very interesting, it is true that there is no API for the creation of new roles. This is likely because the Product Designers would really much rather that you have an LDAP or other system that is in charge of this and not attempt to manage user group membership in your BPM system (Just as, hopefully, your LDAP isn't going to try and do process). If you really wanted to you could hack the DB to insert a new role and then use the API to find it and add/remove users from it, but there is no supported OOTB way to do this.
In my experience when people want to do things like this, it is sometimes due to lack of understanding of the various options available to them for task routing. Perhaps if you told us your underlying use case we could either say "Oh yeah, I see why you need that" or "Here is an alternative approach for you..."
Andrew Paier | Director | BP3 Global, Inc.
BP3 Global's Website | Twitter | Linkedin | Google+ | Blogs
I am thinking that a "role" is a WAS group of users. What is your WAS system configured to use as a user repository?
Neil
kolban
1000000446
‏2013-06-04T22:07:58Z
I am thinking that a "role" is a WAS group of users. What is your WAS system configured to use as a user repository?
Neil
More...
Thanks Neil -
Yes, by role I mean a BPM/WAS group. We are using LDAP for the user repository. Is there a way to programmatically create a WAS group?
kolban
1000000446
‏2013-06-04T22:07:58Z
I am thinking that a "role" is a WAS group of users. What is your WAS system configured to use as a user repository?
Neil
More...
Actually, no matter what security provider you are using IBM BPM allows you to create Roles in the Admin screen. These are essentially user groups that are global to your BPM install but only exist in BPM. Unlike Participant Groups, they are not part of the artifacts that are in a given process app or toolkit, so they may not be part of your solution when you promote your code.
Now, there are lots of caveats and asides to the above statement. As you may or may not be aware, you can create a Participant group that contains a Role as well as directly containing users. When your promote a snapshot that does this, the system checks the security provider for the target system to see if it already has a role with that name. If it does then nothing has to be done. The Participant Group will use the role from the current security provider to determine membership. If however your security provider does not have the role defined, then a new role is created on the internal user/group tables to support the PG's design.
If you do hook up to an LDAP, I seem to remember you will see the LDAP roles in your ProcessAdmin screen. You can then add users to them there. This gets really confusing because you aren't changing the membership in LDAP, you are actually saying "For the purposes of BPM, this role has all the people from LDAP, as well as the following". Not ideal. (This may have gone away. Haven't tried recently).
Now, while all of the above is very interesting, it is true that there is no API for the creation of new roles. This is likely because the Product Designers would really much rather that you have an LDAP or other system that is in charge of this and not attempt to manage user group membership in your BPM system (Just as, hopefully, your LDAP isn't going to try and do process). If you really wanted to you could hack the DB to insert a new role and then use the API to find it and add/remove users from it, but there is no supported OOTB way to do this.
In my experience when people want to do things like this, it is sometimes due to lack of understanding of the various options available to them for task routing. Perhaps if you told us your underlying use case we could either say "Oh yeah, I see why you need that" or "Here is an alternative approach for you..."
Andrew Paier | Director | BP3 Global, Inc.
BP3 Global's Website | Twitter | Linkedin | Google+ | Blogs
AndrewPaier
2700040K2Q
‏2013-06-05T15:22:40Z
Actually, no matter what security provider you are using IBM BPM allows you to create Roles in the Admin screen. These are essentially user groups that are global to your BPM install but only exist in BPM. Unlike Participant Groups, they are not part of the artifacts that are in a given process app or toolkit, so they may not be part of your solution when you promote your code.
Now, there are lots of caveats and asides to the above statement. As you may or may not be aware, you can create a Participant group that contains a Role as well as directly containing users. When your promote a snapshot that does this, the system checks the security provider for the target system to see if it already has a role with that name. If it does then nothing has to be done. The Participant Group will use the role from the current security provider to determine membership. If however your security provider does not have the role defined, then a new role is created on the internal user/group tables to support the PG's design.
If you do hook up to an LDAP, I seem to remember you will see the LDAP roles in your ProcessAdmin screen. You can then add users to them there. This gets really confusing because you aren't changing the membership in LDAP, you are actually saying "For the purposes of BPM, this role has all the people from LDAP, as well as the following". Not ideal. (This may have gone away. Haven't tried recently).
Now, while all of the above is very interesting, it is true that there is no API for the creation of new roles. This is likely because the Product Designers would really much rather that you have an LDAP or other system that is in charge of this and not attempt to manage user group membership in your BPM system (Just as, hopefully, your LDAP isn't going to try and do process). If you really wanted to you could hack the DB to insert a new role and then use the API to find it and add/remove users from it, but there is no supported OOTB way to do this.
In my experience when people want to do things like this, it is sometimes due to lack of understanding of the various options available to them for task routing. Perhaps if you told us your underlying use case we could either say "Oh yeah, I see why you need that" or "Here is an alternative approach for you..."
Andrew Paier | Director | BP3 Global, Inc.
BP3 Global's Website | Twitter | Linkedin | Google+ | Blogs
More...
Thanks Andrew for the above explanation. It definitely could be due to lack of understanding on my part.
What we are trying to due is prevent a lot of manual administration of maintaining the BPM Roles and memberships by automating the process. In this particular flow, most of the participants are designated to specific clients. We want to have an individual role for each client one for account managers and one for their managers. The role creation and assigning a manager to a specific role would come into place during initial creations and when adding a new client.
The problem with LDAP, is that our group does not maintain it and it also would require manual procedure (and time) to implement any new clients which is what we are trying to avoid. I hope this explains our scenario sufficiently to answer your questions.
I would be interested to hear other solutions ideas. Thanks for your time.
Mike
Frik&Frak
270005FTFH
‏2013-06-07T16:32:06Z
Thanks Andrew for the above explanation. It definitely could be due to lack of understanding on my part.
What we are trying to due is prevent a lot of manual administration of maintaining the BPM Roles and memberships by automating the process. In this particular flow, most of the participants are designated to specific clients. We want to have an individual role for each client one for account managers and one for their managers. The role creation and assigning a manager to a specific role would come into place during initial creations and when adding a new client.
The problem with LDAP, is that our group does not maintain it and it also would require manual procedure (and time) to implement any new clients which is what we are trying to avoid. I hope this explains our scenario sufficiently to answer your questions.
I would be interested to hear other solutions ideas. Thanks for your time.
Mike
More...
Well, I can think of 2 options that would avoid having to create actual roles. Not sure if either works for you. One is "list of users" a.k.a. dynamic groups. The 2nd is user attribute based routing.
List of Users
BPM allows you to assign a task to a list of users that you create on the fly in your process. So if you had a set of data tables that had the relationship between the client and the users, you could query the table(s) in that data source and get back the list of user names to assign the task to. In recent releases this functionality has gotten better in that, if you return the same list of users multiple times, rather than create a new group under the covers each time, the solution will reuse the list if it already exists.
This will likely be a better solution if each user can work with multiple customers. The down side is you need to create the schema and maintenance screens.
Attribute Based Routing
In your process app you can create "User Attributes" and there is a JS API to allow you to assign values for a given user. I haven't used them in a while, but I don't believe they support multiple entries (you might want to check) but if each user really only works with one customer, you could use this to route tasks to the correct user(s).
Hopefully one of these will help you.
Andrew Paier | Director | BP3 Global, Inc.
BP3 Global's Website | Twitter | Linkedin | Google+ | Blogs
AndrewPaier
2700040K2Q
‏2013-06-07T17:01:27Z
Well, I can think of 2 options that would avoid having to create actual roles. Not sure if either works for you. One is "list of users" a.k.a. dynamic groups. The 2nd is user attribute based routing.
List of Users
BPM allows you to assign a task to a list of users that you create on the fly in your process. So if you had a set of data tables that had the relationship between the client and the users, you could query the table(s) in that data source and get back the list of user names to assign the task to. In recent releases this functionality has gotten better in that, if you return the same list of users multiple times, rather than create a new group under the covers each time, the solution will reuse the list if it already exists.
This will likely be a better solution if each user can work with multiple customers. The down side is you need to create the schema and maintenance screens.
Attribute Based Routing
In your process app you can create "User Attributes" and there is a JS API to allow you to assign values for a given user. I haven't used them in a while, but I don't believe they support multiple entries (you might want to check) but if each user really only works with one customer, you could use this to route tasks to the correct user(s).
Hopefully one of these will help you.
Andrew Paier | Director | BP3 Global, Inc.
BP3 Global's Website | Twitter | Linkedin | Google+ | Blogs
More...
Andrew,
Thanks again for your time and ideas. I will give the first idea some thought and see if that will work for us. One possible issue is that each account manager has a different manager (the ability to reassign is necessary) and that can only be specified through roles, correct?
Mike

Related Links

Creating Coach Views Dynamically
rest call from a service
BPM 8.5 Portal Customization
How to Change Comment Color
Read user\'s session data at server side
Getting error while running service / task in BPM 7.5
Help: WS Security Implementation IBM BPM 8.0.1
Validation On Legacy Document Attach Control
TWSearch not working for migrated instances
Help with Selecting value from DatePicker in dojo
Duplicate Entries in Process Designer
Process Portal Collaberation Feature Not Working
CV - share data in coachview behaviours
CWLLG0371W: There is no script content.
Building a Mobile App in IBM BPM 8.5
IBM BPM on SQL Server 2008r2 on Windows 2008r2

Categories

DW
Application Performanc...
Worklight
Sterling Commerce
dW Korea
Communities category
Linux on Power Community
IBM Connections Cloud ...
IBM Kenexa Click and H...
IBM Kenexa CompetencyM...
IBM Mobile & device me...
Detect
PredictiveInsight
Cloud assurance
Facilities Management ...
Endpoint Protection
Integration Products
Education
Cast Iron Web Manageme...
Cast Iron PIPs and TIPs
WebSphere Cast Iron Ex...
Cast Iron Documentation
HATS HotSpot
IBM ILOG Optimization
Cognos TM1 (Applix)
IBM Cognos 论坛 - 中文
AIX и UNIX
IBM Rational Rhapsody
Rational Developer for...
opensource
grid
aix
tivoli
Test for Aparna
Test Forum for Alberto
Comunita' tecnica AIX ...
Solaris to Linux Migra...
Retail
Education and Learning
Architecture
Wireless
InfoSphere Master Data...
IBM InfoSphere Guardium
Informix developer and...
DB2 for Linux, UNIX, a...
IBM Forms Experience B...
Part 3 - Challenge #08...
WebSphere Message Broker
IBM WebSphere Transfor...
IBM Support Assistant ...
AppScan Standard
Administration
Investigating with QRadar
Reporting
Gentran Integration Su...
Sterling Secure Proxy
Business Solutions Forums
Developer Tools, Utilt...
Customer Order Managem...
Mobile Store Channel
Gentran Server for Win...
Connect:Direct for Win...
Connect:Express Windows
Connect:Direct for Win...
Connect:Direct Mainframe
Analytics & Reporting
Application Best Pract...
Suggestion Box
The Selling System Use...
Dealing With Your ERP ...
System Performance
Web Services, Messagin...
C3 Partner.com/C3 Stor...
Commerce/Order Management
Release 6.3
Announcements -
Value added services/L...
Shipping
Integration with other...
Configuring Warehouse ...
Usability
RPG Cafe
HATS HotSpot
Business/IT challenges...
Business Rules Best Pr...
Constraint Programming...
Mathematical Programmi...
Rule Execution Server
Форумы Open Source
OMEGAMON Performance M...
SmartCloud Analytics -...
IBM i: iDoctor for IBM...
IBM i Access for Linux
Performance Tools Forum
AIX Forum
AIX Security
System i Hardware Mana...
IBM WebSphere Portal a...
Enterprise Application...
IBM WebSphere SDK for ...

Resources

Encrypt Message



code
soft
python
ios
c
html
jquery
cloud
mobile