
Chapter 2. Business Central Configuration


As Business Central is a web application, its configuration settings are loaded from DEPLOY_DIRECTORY/business-central.war/WEB-INF/web.xml and the files it references, and, if deployed on Red Hat JBoss EAP 6, also from jboss-web.xml and jboss-deployment-structure.xml.

Note that the entire application can be run in different profiles (refer to the Red Hat JBoss BPM Suite Installation Guide).

2.1. Access Control

The access control mechanism includes authorization and authentication. In the unified environment of Red Hat JBoss BPM Suite, users are able to update the default user roles located within JBOSS_HOME/standalone/deployments/business-central.war/WEB-INF/classes/userinfo.properties.

To grant a user access to JBoss BPM Suite, the user needs to have the respective role assigned:

  • admin: Administrates JBoss BPM Suite system and has full access rights to make any changes necessary including the ability to add and remove users from the system.
  • developer: Implements code required for processes to work and has access to everything except administration tasks.
  • analyst: Creates and designs processes and forms, instantiates the processes and deploys artifacts. This role is similar to a developer, but without access to the asset repository and deployments.
  • user: Claims, performs, and invokes other actions (such as, escalation, rejection, etc.) on the assigned Tasks and has no access to authoring functions.
  • manager: Monitors the system and its statistics and only has access to the dashboard.
  • business user: Takes action on business tasks that are required for processes to continue forward. Works primarily with the task list.

If using Red Hat JBoss EAP, to create a user with particular roles, run the JBOSS_HOME/bin/add-user.sh script and create an Application User in the ApplicationRealm with the respective roles.

Workbench Configuration

Within Red Hat JBoss BPM Suite, you can adapt the workbench roles to the roles (groups) defined in LDAP, so that your LDAP-based roles conform to enterprise standards, by editing JBOSS_HOME/standalone/deployments/business-central.war/WEB-INF/classes/workbench-policy.properties.

If authenticating users via LDAP for Git access, administrators must set the system property org.uberfire.domain to the name of the login module that the Git service should use to authenticate users. Set this property in the standalone.xml file of EAP.

Note

You can further customize Business Central with parameters no_build or no_search. The parameters disable the build and search functionality. Include one or both parameters in the Business Central URL, for example http://SERVER:PORT/business-central/kie-wb.html?no_build&no_search.

Authentication in Human Tasks

Every Task that needs to be executed is assigned to one or multiple roles or groups, so that any user with the given role or group assigned can claim the Task instance and execute it. Tasks can also be assigned to one or multiple users directly. JBoss BPM Suite uses the UserGroupCallback interface to resolve which users and groups a task is assigned to.

Warning

A group for a Human Task must not be named after an existing user of the system. Doing so causes intermittent issues.

LDAP Configuration

You can configure the LDAP domain during the installation of Red Hat JBoss BPM Suite; see the Red Hat JBoss BPM Suite Installation Guide for further information. On an existing installation, Business Central by default uses the JBoss security domains defined in EAP_HOME/standalone/configuration/standalone.xml. The security domain to use is referenced in business-central.war/WEB-INF/jboss-web.xml.

To configure LDAP on your existing Red Hat JBoss BPM Suite installation:

  1. Define an LDAP security domain.

    1. In standalone.xml, locate <security-domains>.
    2. Add your login module:

      <!-- Including an LDAP based security domain to enable LDAP based authentication and authorization for users of Business Central console -->
      <security-domain name="ldap" cache-type="default">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://10.10.10.10:389"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=Groups,dc=jboss,dc=org"/>
            <module-option name="roleFilter" value="(member={0})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="2"/>
            <module-option name="roleAttributeIsDN" value="false"/>
            <module-option name="parseRoleNameFromDN" value="false"/>
            <module-option name="java.naming.referral" value="follow"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
          </login-module>
        </authentication>
      </security-domain>
      ...

      In this example, name="ldap" is the name of your security domain, which is referenced from jboss-web.xml, and the <login-module> element with code="org.jboss.security.auth.spi.LdapExtLoginModule" is the entry required for external LDAP authentication.

      Note that with java.naming.security.authentication set to simple and a plain ldap:// provider URL, the bindDN password is sent to the LDAP server in cleartext, and bindCredential is stored in plaintext in standalone.xml. For production, use an ldaps:// URL (or StartTLS), a dedicated least-privileged bind account rather than the directory administrator, and restrict read access to standalone.xml.

      For more information about the LDAP login module, see Ldap Login Module from the Red Hat JBoss EAP Login Module Reference.

    3. Locate <hornetq-server> and add the following lines:

      <security-domain>ldap</security-domain>
      <security-enabled>true</security-enabled>
    4. Refer to your LDAP security domain in jboss-web.xml:

      <jboss-web>
          <security-domain>ldap</security-domain>
      </jboss-web>
  2. If you require LDAP integration in task services, provide the task service configuration.

    1. Open EAP_HOME/standalone/deployments/business-central.war/WEB-INF/beans.xml.
    2. Change <class>org.jbpm.services.cdi.producer.JAASUserGroupInfoProducer</class> to <class>org.jbpm.services.cdi.producer.LDAPUserGroupInfoProducer</class>.
    3. Create the file EAP_HOME/standalone/deployments/business-central.war/WEB-INF/classes/jbpm.usergroup.callback.properties and provide your user group callback properties, for example:

      java.naming.provider.url=ldap://localhost:10389
      ldap.bind.user=uid\=admin,ou\=system
      ldap.bind.pwd=secret
      ldap.user.ctx=ou\=People,dc\=jboss,dc\=org
      ldap.role.ctx=ou\=Groups,dc\=jboss,dc\=org
      ldap.user.roles.ctx=ou\=Groups,dc\=jboss,dc\=org
      ldap.user.filter=(uid\={0})
      ldap.role.filter=(cn\={0})
      ldap.user.roles.filter=(member\={0})
      ldap.search.scope=SUBTREE_SCOPE
    4. Create the file EAP_HOME/standalone/deployments/business-central.war/WEB-INF/classes/jbpm.user.info.properties and provide your user info properties, for example:

      java.naming.provider.url=ldap://localhost:10389
      ldap.bind.user=uid\=admin,ou\=system
      ldap.bind.pwd=secret
      ldap.user.ctx=ou\=People,dc\=jboss,dc\=org
      ldap.role.ctx=ou\=Groups,dc\=jboss,dc\=org
      ldap.user.filter=(uid\={0})
      ldap.role.filter=(cn\={0})
      ldap.search.scope=SUBTREE_SCOPE
  3. Ensure that the correct roles (for example admin, analyst, and so on) are assigned to the users in your LDAP server.

You can define your own roles in EAP_HOME/standalone/deployments/business-central.war/WEB-INF/classes/workbench-policy.properties.
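As an added example that is not part of the Red Hat documentation, the following Python script audits the wiring the procedure above produces: it checks that jboss-web.xml, the hornetq-server block and the security domain in standalone.xml agree, that beans.xml selects the LDAP producer, that the task-service properties file carries the keys shown and points at the same server and user subtree as the login module, and it flags the two weak settings in the sample configuration (a simple bind over plain ldap://, and the ApacheDS default administrator credentials uid=admin,ou=system / secret). The embedded file contents are constructed from the snippets in this chapter, trimmed to the elements the checks need; the check list and the finding texts are this example's own assumptions. Run against the chapter's sample values it also reports that the login module (ldap://10.10.10.10:389) and the task service (ldap://localhost:10389) point at different LDAP servers.

```python
"""Audit the Business Central LDAP wiring described in this chapter.
Added example, not Red Hat's code: file contents are constructed from the
chapter's snippets; the checks and finding texts are this example's own."""
import re
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment. Real EAP 6 files carry urn:jboss:domain
# namespaces on every subsystem, so the tag matching below ignores namespaces.
STANDALONE_XML = """<server>
 <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
  <security-domain name="ldap" cache-type="default"><authentication>
   <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.provider.url" value="ldap://10.10.10.10:389"/>
    <module-option name="java.naming.security.authentication" value="simple"/>
    <module-option name="bindDN" value="uid=admin,ou=system"/>
    <module-option name="bindCredential" value="secret"/>
    <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
    <module-option name="rolesCtxDN" value="ou=Groups,dc=jboss,dc=org"/>
   </login-module>
  </authentication></security-domain>
 </security-domains></subsystem>
 <subsystem xmlns="urn:jboss:domain:messaging:1.4"><hornetq-server>
  <security-domain>ldap</security-domain><security-enabled>true</security-enabled>
 </hornetq-server></subsystem>
</server>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>ldap</security-domain></jboss-web>"
BEANS_XML = """<beans><alternatives>
 <class>org.jbpm.services.cdi.producer.LDAPUserGroupInfoProducer</class>
</alternatives></beans>"""
CALLBACK_PROPS = r"""java.naming.provider.url=ldap://localhost:10389
ldap.bind.user=uid\=admin,ou\=system
ldap.bind.pwd=secret
ldap.user.ctx=ou\=People,dc\=jboss,dc\=org
ldap.role.ctx=ou\=Groups,dc\=jboss,dc\=org
ldap.user.roles.ctx=ou\=Groups,dc\=jboss,dc\=org
ldap.user.filter=(uid\={0})
ldap.role.filter=(cn\={0})
ldap.user.roles.filter=(member\={0})
ldap.search.scope=SUBTREE_SCOPE"""
REQUIRED_PROPS = ("java.naming.provider.url", "ldap.bind.user", "ldap.bind.pwd",
                  "ldap.user.ctx", "ldap.role.ctx", "ldap.user.roles.ctx",
                  "ldap.user.filter", "ldap.role.filter", "ldap.user.roles.filter")
# key = everything up to the first unescaped '=' or ':'; '\x' escapes keep 'x'
_KV = re.compile(r"^((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")

def _named(root, name):
    """All elements with the given local tag name, whatever their namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def parse_properties(text):
    """Minimal java.util.Properties reader: comments, '=' or ':' separators, '\\x' -> 'x'."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        m = _KV.match(line)
        if line and line[0] not in "#!" and m:
            props[unescape(m.group(1))] = unescape(m.group(2))
    return props

def login_module_options(standalone_xml, domain):
    """Module options of the named security domain, or None if it is not defined."""
    for sd in _named(ET.fromstring(standalone_xml), "security-domain"):
        if sd.get("name") == domain:
            return {mo.get("name"): mo.get("value") for mo in _named(sd, "module-option")}
    return None

def hornetq_security_domain(standalone_xml):
    """(security-domain name, security-enabled flag) set on the hornetq-server."""
    for hq in _named(ET.fromstring(standalone_xml), "hornetq-server"):
        name = next((e.text for e in hq if e.tag.endswith("security-domain")), None)
        enabled = next((e.text for e in hq if e.tag.endswith("security-enabled")), None)
        return name, enabled == "true"
    return None, False

def audit(standalone_xml, jboss_web_xml, beans_xml, callback_props):
    """Findings a reviewer would raise; an empty list means the wiring is consistent."""
    findings = []
    domain = next((e.text.strip() for e in _named(ET.fromstring(jboss_web_xml), "security-domain")), None)
    opts = login_module_options(standalone_xml, domain)
    if opts is None:
        return [f"jboss-web.xml references security domain {domain!r}, which standalone.xml does not define"]
    hq_domain, hq_enabled = hornetq_security_domain(standalone_xml)
    if hq_domain != domain or not hq_enabled:
        findings.append("hornetq-server is not bound to the same security domain with security-enabled=true")
    url = opts.get("java.naming.provider.url", "")
    # JNDI falls back to a simple bind whenever credentials are supplied
    if url.startswith("ldap://") and opts.get("java.naming.security.authentication", "simple") == "simple":
        findings.append("simple bind over plain ldap://: bindCredential crosses the network in cleartext")
    if (opts.get("bindDN"), opts.get("bindCredential")) == ("uid=admin,ou=system", "secret"):
        findings.append("bindDN/bindCredential are the ApacheDS default directory administrator credentials")
    props = parse_properties(callback_props)
    findings += [f"jbpm.usergroup.callback.properties lacks {k}" for k in REQUIRED_PROPS if k not in props]
    if props.get("java.naming.provider.url") != url:
        findings.append("task service and login module point at different LDAP servers")
    if props.get("ldap.user.ctx") != opts.get("baseCtxDN"):
        findings.append("task service ldap.user.ctx differs from login module baseCtxDN: "
                        "web login and task assignment would resolve users from different subtrees")
    classes = [c.text.strip() for c in _named(ET.fromstring(beans_xml), "class") if c.text]
    if "org.jbpm.services.cdi.producer.LDAPUserGroupInfoProducer" not in classes:
        findings.append("beans.xml does not select LDAPUserGroupInfoProducer: task service will keep using JAAS")
    return findings

if __name__ == "__main__":
    for finding in audit(STANDALONE_XML, JBOSS_WEB_XML, BEANS_XML, CALLBACK_PROPS):
        print("-", finding)
```

To use it on a real deployment, read the four files from EAP_HOME/standalone/configuration and business-central.war/WEB-INF instead of the embedded constants; the namespace-agnostic tag matching is there precisely so the real, namespaced standalone.xml parses the same way as the trimmed fragment.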
