kriersd
Posted: Mon Dec 23, 2002 10:52 am Post subject: Central BT environment or multiple BT environments?
Master
Joined: 22 Jul 2002 Posts: 209 Location: IA, USA
Ok..
Here is the question....
How does everyone address Build Time on a corporate enterprise level? Let me explain... In my company we have a central support team for Workflow. We support the runtime and build time environment for our customers (the developers and business unit IT staff). The business units all have their own development staff and they support the actual users. OK, now that Workflow is beginning to be a popular choice among the business unit developers, I have a huge problem. Well, so far I have been deploying the build time environment in each business area. This has been working great because we only have a few select developers doing the modeling. Now, I am faced with keeping multiple build time environments in sync with the single runtime environment. The big reason I went this direction was to keep security risks low. We simply must have security at the process category level. Developers from one business unit should not have the authority to make changes on categories they do not own. So, here is my thought..... I would like to know if I can have one central Build Time database and let all developers remotely connect to this build time database. The only issue is security. How can I enforce "process definition" security at the process category level?
Any thoughts?
_________________
Dave Krier
IBM WebSphere MQ Workflow V3.4 Solution Designer

vennela
Posted: Mon Dec 23, 2002 11:07 am Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
Dave:
We are using centralized BT since the inception. We were debating on going the distributed vs centralized BT. Merging various BTs is a nightmare. You can have control over who can define what. Security definitely shouldn't be a problem in a Centralized BT environment.
Quote: How can I enforce "process definition" security at the process category level?
Have you taken a close look at the authorizations tab of a Person definition?
---
venny

kriersd
Posted: Mon Dec 23, 2002 12:36 pm Post subject:
Master
Joined: 22 Jul 2002 Posts: 209 Location: IA, USA
Ok, I do see in the documentation that I could authorize people for modeling, however, how would I restrict them to a given category?
AUTHORIZED_FOR PROCESS_MODELING
_________________
Dave Krier
IBM WebSphere MQ Workflow V3.4 Solution Designer

jmac
Posted: Mon Dec 23, 2002 1:05 pm Post subject:
Jedi Knight
Joined: 27 Jun 2001 Posts: 3081 Location: EmeriCon, LLC
Dave:
I am pretty sure that the categories that a user is authorized to access will apply in Buildtime as well as Runtime. I do not have time to check this out right now, but I can tell you that that was DEFINITELY the case with FlowMark, so I assume it to be true with MQWF.
GOOD LUCK... And enjoy the Holidays.
_________________
John McDonald
RETIRED

vennela
Posted: Mon Dec 23, 2002 1:38 pm Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
Dave:
If you want to allow a person to model a process in a particular category then in the Authorizations tab
in the "Functions" box check the Process Definition and
in the "Categories" box select "Selected Categories" and add what all categories you want to authorize him to work on. That should serve the purpose.
---
Venny

Ratan
Posted: Mon Dec 23, 2002 1:50 pm Post subject:
Grand Master
Joined: 18 Jul 2002 Posts: 1245
Venny,
Did you try it? I just tried it out and it doesn't seem to work, at least for me.
-Laze

vennela
Posted: Mon Dec 23, 2002 3:03 pm Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
I never did. But I thought that's how it's done. I tried it now and I guess I am mistaken. Tomorrow I will see if we are implementing it right at work. I guess we are in deep trouble if this is the case......
---
Venny

jmac
Posted: Tue Dec 24, 2002 7:06 am Post subject:
Jedi Knight
Joined: 27 Jun 2001 Posts: 3081 Location: EmeriCon, LLC
Well, I just checked this out, and I agree, it appears that categories are not honored in Buildtime. This is not what I had expected. I am afraid that the only way to have the desired restrictions is going to be to have multiple Buildtime Databases, obviously not a good solution due to the headache of trying to keep them in synch.
I assume that this is probably Working As Designed from IBM's point of view, but you might consider opening a PMR on this.
GOOD LUCK
_________________
John McDonald
RETIRED

kriersd
Posted: Thu Dec 26, 2002 5:07 am Post subject:
Master
Joined: 22 Jul 2002 Posts: 209 Location: IA, USA
Thanks for the input folks... I was beginning to think I was going crazy. I couldn't get it to work either.
This really does pose a huge problem with security for a central buildtime environment. I will be forced to support multiple buildtime environments, which isn't the best way to keep buildtime and runtime in sync.
Actually this poses a much larger problem than I first expected. Think about this..... If I have multiple developers working in different buildtime environments with the same people defined in each build time environment, whose build time environment has the correct people & authorizations for those people? Importing people from both build time environments could be very dangerous, because the authorizations would likely be different.
_________________
Dave Krier
IBM WebSphere MQ Workflow V3.4 Solution Designer
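A check for the risk raised in the post above, as an added example that is not part of the original thread or of MQ Workflow: it compares person authorizations across Buildtime exports before they are imported and reports people whose grants differ. The export text is a constructed sample; the PERSON ... END layout and the STAFF keyword are assumptions, and only AUTHORIZED_FOR PROCESS_MODELING is quoted in the thread.

```python
import re

# Constructed sample exports, not taken from the thread. The PERSON ... END
# layout and the STAFF keyword are assumptions about the export format; only
# AUTHORIZED_FOR PROCESS_MODELING is quoted in the thread itself.
EXPORT_UNIT_A = """
PERSON 'BOB'
  AUTHORIZED_FOR PROCESS_MODELING
  AUTHORIZED_FOR STAFF
END 'BOB'
"""
EXPORT_UNIT_B = """
PERSON 'BOB'
  AUTHORIZED_FOR PROCESS_MODELING
END 'BOB'
PERSON 'CAROL'
  AUTHORIZED_FOR PROCESS_MODELING
END 'CAROL'
"""
PERSON_RE = re.compile(r"^\s*PERSON\s+'([^']+)'\s*$(.*?)^\s*END\s+'\1'\s*$",
                       re.M | re.S)
AUTH_RE = re.compile(r"^\s*AUTHORIZED_FOR\s+(.+?)\s*$", re.M)

def person_authorizations(export_text):
    """Map each person to the set of AUTHORIZED_FOR clauses in one export."""
    return {name: frozenset(AUTH_RE.findall(body))
            for name, body in PERSON_RE.findall(export_text)}

def authorization_conflicts(exports):
    """Return {person: {source: clauses}} for people whose grants differ."""
    seen = {}
    for source, text in exports.items():
        for name, auths in person_authorizations(text).items():
            seen.setdefault(name, {})[source] = auths
    return {name: by_source for name, by_source in seen.items()
            if len(set(by_source.values())) > 1}

def report(exports):
    """List, per conflicting person, what each source grants beyond the rest."""
    lines = []
    for name, by_source in sorted(authorization_conflicts(exports).items()):
        common = frozenset.intersection(*by_source.values())
        for source, auths in sorted(by_source.items()):
            extra = ", ".join(sorted(auths - common)) or "nothing extra"
            lines.append(f"{name}: {source} grants {extra}")
    return lines

if __name__ == "__main__":
    print("\n".join(report({"unit_a": EXPORT_UNIT_A, "unit_b": EXPORT_UNIT_B})))
```

Any line in the report marks a person whose definition has to be reconciled by hand before either export is imported.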

jmac
Posted: Thu Dec 26, 2002 6:01 am Post subject:
Jedi Knight
Joined: 27 Jun 2001 Posts: 3081 Location: EmeriCon, LLC
Dave:
I had been thinking of exactly what you are worried about. I think the best way to solve this is to have a "Staff only" Database. You will need to check this out, as I do not trust the doc.... but IF you define all of your "Modelers" such that they do not have Staff or Staff authorization authority, they should not be able to define staff. Of course this means yet another database, but I think it would solve the problem of the overlapping staff.
IMHO, MQWF should never have split the databases, i.e. it should have used the FlowMark model of a single DB for both BT and RT.... Oh Well...
_________________
John McDonald
RETIRED

Ratan
Posted: Tue Dec 31, 2002 10:36 am Post subject:
Grand Master
Joined: 18 Jul 2002 Posts: 1245
I found this in the IBM MQWF FAQS. Interesting to know. -Laze
Quote:
Problem
There seems to be no security in Buildtime to prevent a user from modeling a new process in a different category (other than a category to which the user is authorized). Setting that a user can only do administration tasks on certain categories ("Administration" field on the "Authorization" tab of the person properties notebook in Buildtime) does not prevent that user from modeling a new process in another category. This was tested via following process:
1) set up a user called "TEST",
2) set up a new process category called "Test"
3) "TEST" user has authorizations as indicated:
(Functions: Process Definition)
(Person Workitem: Selected persons window is empty)
(Categories: Selected categories window is empty)
(Categories: Administration: Selected categories "Test")
4) note TEST can create new processes for any category, not just "Test" category.
This seems odd, since with this authorization setup, Buildtime prevents TEST from defining other users, modifying topology, etc., but doesn't prevent TEST from modeling processes in any category.
Solution
This is working as designed. Buildtime doesn't take categories into account when checking for modelling authority. Instead it just uses the 'Process definition' flag to determine if a user may create or edit processes, no matter what category they have assigned.

educos
Posted: Thu Jan 02, 2003 12:50 pm Post subject:
Apprentice
Joined: 18 Jul 2001 Posts: 34 Location: Salt Lake City, UT
You probably should also consider that Buildtime is fading quickly in favor of another (now IBM) BT product. IBM is - and will be - pushing heavily toward IBM/Holosofx BPM Workbench as the modeling platform of choice for MQWF - which has no connection to the BT DB and won't be using any part of Buildtime whatsoever. BPM Workbench can work with its own central repository, with its own locking & access control capabilities, etc...
So you probably don't want to launch in an all out effort to work with (and more particularly around) Buildtime before understanding IBM's direction for that part of the product...
_________________
Eric Ducos
EmeriCon, LLC.
Phone: (801) 789-4348
e-Mail: Eric.Ducos@EmeriCon.com
Website: www.EmeriCon.com