ucbus1
Posted: Tue Apr 03, 2007 6:21 am Post subject: Authenticating Workflow users
Hello,
I have 10 users who access the Workflow system through the Web client (out of the box); all use the generic id "admin". Well, the id and password for "admin" is given to the users. All 10 can access the worklists, delete instances, transfer users. Now I am looking into how I can monitor who is actually doing what. To be precise,
I would like to have an "authentication system" that would validate the user against the Windows domain, and once authenticated I would like to check if the user is authorized or not. What are the options:
Option 1: Change the admin password and allot each user a separate workflow ID which will have the same access as the Admin. I may get a lot of heat from the users for doing this.
Option 2: WebSphere offers the Java 2 security option. Since our web client runs on this, can I make use of this and set up role-based authentication?
Please discuss various options for doing this.
Thanks

jmac
Posted: Tue Apr 03, 2007 7:14 am
It is my opinion that your best solution, looking strictly at MQWF (maybe the only solution), is to give each user their own userid. Only that way will you be able to identify who did what. If you are using the audit trail, the audit records would then contain everything that I believe you need to see who is affecting what instances.
It may be possible to do something in WebSphere by storing some identifier in the session context when a user logs in that would identify that particular ADMIN user, but then you would need to modify the out of the box client to make use of this.
_________________
John McDonald
RETIRED

hos
Posted: Wed Apr 04, 2007 12:00 am
You could make use of the MQWF authentication exit. Pass user-specific credentials (like the userId that you get from the OS) together with the userId 'admin' to your authentication exit implementation (via logon3()), verify the userId and map it to a dedicated MQWF userId 'under the covers'.

jmac
Posted: Wed Apr 04, 2007 5:49 am
I like Volker's suggestion also... However, as you see in his and my preferred solution, you will need to add users to MQWF so that you can identify the specific user who takes action.
_________________
John McDonald
RETIRED

ucbus1
Posted: Wed Apr 04, 2007 6:49 am
JMAC, HOS
While I agree with what you are saying, here is the design dilemma.
The 10 users I speak of are not really 10, and the number may vary depending on business needs: some get transferred, some join new or some quit. Having to maintain the users in the Workflow is going to be a nightmare.
Since we know beforehand what access is needed for these users (in our case all the above users need "Admin" type access), I am thinking whether we can make use of LDAP. Here is the plan:
1. Create a group with the Admin user
2. When the user signs on to the web client, present him a form to get the user id and password for the domain
3. Authenticate the user with LDAP, and if he/she is in the Admin group I would like to grant access to the workitems/lists of the ADMIN
The advantage of the above: it reduces the admin work.
I know WebSphere offers such an integration with LDAP for securing Web applications; I am trying to figure out if it is possible. Any ideas?
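An added model (not MQWF code and not the web client's logon3() API) of the exit flow hos describes and the LDAP-group plan above: a constructed in-memory directory stands in for the Windows domain, the group name WorkflowAdmins and the ADMIN_<USER> naming are assumptions, and attribute() shows jmac's point that a shared "ADMIN" workflow id in the audit trail cannot be tied back to one person while a dedicated id can.

```python
import hashlib
import hmac

ADMIN_GROUP = "WorkflowAdmins"  # assumed directory group name (not from the thread)
_SALT = b"demo-salt"            # fixed salt, demo only

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

# Constructed stand-in for the Windows domain / LDAP directory.
# A real exit would do an LDAP bind and a group (memberOf) lookup instead.
DIRECTORY = {
    "alice": (_pbkdf2("alice-pw"), {"WorkflowAdmins", "Staff"}),
    "carol": (_pbkdf2("carol-pw"), {"WorkflowAdmins"}),
    "bob":   (_pbkdf2("bob-pw"),   {"Staff"}),
}

# What the workflow engine's audit trail records: only the workflow userid.
AUDIT_TRAIL: list[dict] = []
# What only the exit knows: which domain user was logged on as which workflow id.
LOGON_MAP: dict[str, str] = {}

class AuthError(Exception):
    pass

def authenticate(user: str, password: str) -> set[str]:
    """Verify domain credentials and return the user's groups, or raise."""
    rec = DIRECTORY.get(user)
    if rec is None or not hmac.compare_digest(rec[0], _pbkdf2(password)):
        raise AuthError("invalid credentials")  # same message for both failures
    return rec[1]

def map_workflow_id(user: str, per_user: bool) -> str:
    """Shared 'ADMIN' (today's setup) or a dedicated id per domain user."""
    return f"ADMIN_{user.upper()}" if per_user else "ADMIN"

def exit_logon(user: str, password: str, per_user: bool = True) -> str:
    """Exit flow: authenticate, require the admin group, log on as the mapped id."""
    if ADMIN_GROUP not in authenticate(user, password):
        raise AuthError(f"{user} is not in {ADMIN_GROUP}")
    wf_id = map_workflow_id(user, per_user)
    LOGON_MAP[user] = wf_id
    AUDIT_TRAIL.append({"workflow_user": wf_id, "action": "LOGON"})
    return wf_id

def attribute(wf_id: str) -> set[str]:
    """Domain users an audit record for wf_id could belong to (one = attributable)."""
    return {u for u, w in LOGON_MAP.items() if w == wf_id}
```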

ucbus1
Posted: Tue Apr 10, 2007 7:54 am
I would appreciate it if you could please share your views.

jmac
Posted: Tue Apr 10, 2007 8:05 am
I really know nothing about LDAP, so whether that will help you or not I do not know. But I believe the best way to go is to use the authentication exit to verify your users, then log them in to MQWF as an admin type user. However, you are not going to be able to tell them apart if they all use the same admin user.
_________________
John McDonald
RETIRED

tsrisudh
Posted: Tue Apr 10, 2007 4:24 pm
One thing I am not able to understand is whether you want to track this at the app level or the WF level. If you want to do it at the app level then yes, you can integrate with LDAP and do the authentication.
But if you want to do it at the WF level then you will have to add different users to WF; there is no going around this.
_________________
Srisudhir Tadepalli

ucbus1
Posted: Fri Apr 20, 2007 1:31 pm
tsrisudh
At the Workflow level I agree that you need to create individual users. So it has got to be done at the application level. But at the application level, how can this be done with the "out of box" client? Any ideas?