Overview
TIBCO Administrator User Management allows you to create users and roles and assign them access rights to resources available in the administration domain. It provides the ability to manage access restrictions on users of the BusinessConnect administration console.
TIBCO BusinessConnect User Management works in conjunction with TIBCO Administrator User Management. The access rights defined for a user with TIBCO Administrator User Management can be further restricted using TIBCO BusinessConnect User Management.
TIBCO Administrator User Categories
Users and roles are first created using TIBCO Administrator User Management.
The user categories that are created are:
• TIBCO Administrator User
• TIBCO BusinessConnect Super User
• TIBCO BusinessConnect User (internal and external)
For more details about the different categories of users, see also:
• TIBCO Administrator User’s Guide, Chapter 4, Managing Users and Roles.
User Management
TIBCO BusinessConnect User Management provides the ability to reduce access for the users of the BusinessConnect administration console.
Using TIBCO BusinessConnect User Management, the access rights of users can be further restricted by participant and business agreement. For participants (Host or Trading Partner), users can be assigned access rights to all participants or to particular participants.
To read general information about user management, see TIBCO BusinessConnect
To learn how to proceed with managing groups and users see:
• Managing Users with TIBCO BusinessConnect User Management, page 89
• Managing Groups with TIBCO BusinessConnect User Management, page 102.
Using TIBCO Administrator User Management
TIBCO Administrator User Management allows you to create users and roles and assign them access rights to resources available in the administration domain; you can give users Read, Write or Administer access to the TIBCO BusinessConnect components. After creating users with TIBCO Administrator User Management, you will obtain a list of users with different access rights (see Figure 17).
Figure 17 List of Users Created by TIBCO Administrator User Management
The created user categories are:
• TIBCO Administrator User (with various levels or privileges). The domain administrator user has Super User privileges in TIBCO Administrator and can assign other users to the Super User role. To learn more, see TIBCO Administrator User’s Guide, Chapter 5, Granting Security Access to Objects.
The TIBCO Administrator Super User will always have full access to the configuration information of TIBCO BusinessConnect. However, this user will not be automatically assigned as a BusinessConnect Super User unless it is the user who created the BusinessConnect installation.
• TIBCO BusinessConnect Super User. In addition to the TIBCO Administrator Super User, a TIBCO BusinessConnect Super User can use TIBCO BusinessConnect User Management to add other TIBCO Administrator Users to BusinessConnect and manage the access rights of those users. There must always be at least one BusinessConnect Super User.
The TIBCO Administrator user who creates the BusinessConnect installation is automatically a BusinessConnect Super User. For more details, see TIBCO
• TIBCO BusinessConnect Internal User (with various levels or privileges).
Set BusinessConnect Access Rights for a User
To set BusinessConnect access rights for a user under TIBCO Administrator User Management, log in as a user that has Administer access to the resources of BusinessConnect to which you wish to allow access for that user and do this:
1. Select User Management>Users.
2. Double click on the user needing access rights, such as bcsuper (BusinessConnect Super User).
3. Select the Permissions tab.
4. Expand the resource list under 'TIBCO Administrator' by clicking on the '+' next to the item TIBCO Administrator.
5. Expand the resource list under BusinessConnect by clicking on the '+' next to the item BusinessConnect.
6. Click on the appropriate box for the BusinessConnect component to allow Read, Write or Administer permissions.
Figure 18 Allow Permissions for BusinessConnect Components
In the example on Figure 19, the user has been given Read/Write/Administer access to all BusinessConnect components.
When users log in, they will not be able to see the BusinessConnect components they were given access to unless they are also given read access to the top-most BusinessConnect component.
Managing Users with TIBCO BusinessConnect User Management
TIBCO BusinessConnect User Management is integrated with the user management capabilities of TIBCO Administrator.
First you need to add users and give them access rights to one or more components of BusinessConnect using TIBCO Administrator User Management.
After that, you will add these users to TIBCO BusinessConnect User Management and give them access rights fine tuned with respect to trading partner access, business agreement access, log viewer access, and reports access.
Finally, you can add groups and join users to these groups in order to facilitate management of user permissions.
Super Users
As explained in TIBCO Administrator User Categories, page 86, there are two types of super users:
• The TIBCO Administrator Super User has the full access to the configuration information of TIBCO BusinessConnect, but is not automatically assigned to be a BusinessConnect Super User unless it is the user who created the BusinessConnect installation.
• The TIBCO BusinessConnect Super User is the only user who can use TIBCO BusinessConnect User Management to add other TIBCO Administrator Users and manage the access rights of those users. There must always be one BusinessConnect Super User.
Internal Users
Internal Users in BusinessConnect are used for authentication from requests sent by Interior private process applications, such as the CMI protocol, to manage participant, business agreement as well as operation level information for business protocols such as X12, EDIFACT, RosettaNet, ebXML, SOAP, TIBCO BusinessConnect Services Plug-in, and so on.
For more details, see:
• User Access Tab for Participants, page 28
• User Access Tab for Business Agreements, page 40
The process of adding or deleting users through BusinessConnect User Management does not actually add or remove users from the application: it only changes their permissions and access rights with respect to BusinessConnect.
External Users
BusinessConnect External users are specified only in the BusinessConnect administrative GUI and they are associated with a trading partner, not with a specific protocol.
The same administrative GUI is used to assign the Server (PartnerExpress or FTPS) with which these external users will communicate.
Add Users
Select BusinessConnect>User Management>Users in the TIBCO Administrator console.
Three types of users are available: Admin, Internal, and External.
Figure 19 Three Types of Users
You can now add other users who were granted permission to access BusinessConnect using TIBCO Administrator.
Add Administrative Users
To add a TIBCO BusinessConnect administrative user:
1. Select BusinessConnect>User Management>Users> Admin.
2. Click Add.
Select the BusinessConnect administrator user to add.
A list will appear showing users who have been added using TIBCO Administrator and granted permissions to access BusinessConnect (as explained in Set BusinessConnect Access Rights for a User, page 88).
3. Check the checkbox next to the user names.
4. Click OK.
Continue editing this administrative user as explained in the section Edit Users, page 93.
The list shows whether the TIBCO Administrator user is a BusinessConnect Super User. There are two types of super users:
— The TIBCO Administrator Super User has the full access to the configuration information of TIBCO BusinessConnect, but is not automatically assigned to be a BusinessConnect Super User unless it is the user who created the BusinessConnect installation.
— The TIBCO BusinessConnect Super User is the only user who can use TIBCO BusinessConnect User Management to add other TIBCO Administrator Users and manage the access rights of those users. There must always be one BusinessConnect Super User.
Add Internal Users
To add a TIBCO BusinessConnect internal user:
1. Select BusinessConnect>User Management>Users> Internal.
2. Click Add.
3. Set a user name and click OK.
Continue editing this internal user as explained in the section Edit Users, page 93.
Add External Users
External users are specified in the BusinessConnect administrative GUI and associated with a trading partner, not with a specific protocol. The same administrative GUI is used to assign the Server with which these external users will communicate.
To set up external users, do the following:
1. To add an external user, select User Management> Users> External.
2. Click on Add.
3. In the Set Email dialog, enter the following information:
— Email Enter the Email address for the new external user.
— Belongs to Partner From the drop-down list, select the name of the partner with which this external user will be associated.
If you want to create external users that will use LDAP as authentication source, the following steps 1-6 are not needed.
4. Click OK.
5. In the Edit New User window, enter information as explained in Table 23.
6. Click Save.
Once the external users are added, you need to add an authentication source, BC Database or LDAP database, with which the external users will be authenticated. See Authenticate External Users, page 99.
Table 23 Edit External User
Field: Description
General
Email: This field initially contains the user’s name. Enter the email of the new external user.
Password: Click Set to enter the password that will be used to authenticate the user.
First Name: First name of the user you are creating.
Last Name: Last name of the user you are creating.
Belongs to Partner: The previously selected Partner is displayed. This information cannot be changed using the external user’s settings.
Access: GatewayServerPX (available only if PartnerExpress is installed)
ReadWrite: Select whether this external user will have read and write permissions for the PartnerExpress Server. If this checkbox is checked, the external user can log into the PartnerExpress Server; otherwise, the external user has no permission to log in.
Access: GatewayServerFTPS (available only if FTP Server is installed)
ReadWrite: Select whether this external user will have read and write permissions for the FTPS Server. If this checkbox is checked, the external user can log into the FTP Server; otherwise, the external user has no permission to log in.
Edit Users
To edit any of the listed administrative users, do the following:
1. Select User Management> Users> Admin|Internal|External.
2. Select the user name link.
The Edit User dialog appears with three tabs: General, Group Membership, and Permissions.
General Tab for Administrative Users
The General tab has a non-editable field for User Name. This name was created using the TIBCO Administrator User Management function and cannot be changed by the TIBCO BusinessConnect User Management.
Figure 20 Edit Administrative Users: General Tab
1. When the Super User checkbox is checked, the user is granted the permissions to act as a BusinessConnect Super User for this BusinessConnect installation.
See TIBCO BusinessConnect Concepts, BusinessConnect Super User for more information.
Change of user roles (promoting users to super users or removing the super user role) can be done by the following users:
— TIBCO BusinessConnect Super User
— TIBCO Administrator Super User
— The administrative user who has created the installation.
2. Click Apply to continue editing the other two tabs, or Save if you have finished editing this user.
The role of the last BusinessConnect Super User is locked with the system and cannot be changed.
General Tab for Internal Users
The General tab for non-administrative users has only two fields that are both editable: user name and password.
Figure 21 Edit Non-Administrative Users: General Tab
1. If needed, edit the name or password of this user.
2. Click Apply to continue editing the other two tabs, or Save if you have finished editing.
Group Membership Tab for Administrative and Internal Users
This tab verifies user’s group membership and adds or removes the user from groups.
Add a Group
1. Select the Group Membership tab.
The Group Membership window shows the (list of) groups that this user belongs to.
Figure 22 Group Membership Tab
2. To add this user to a group, click Add Groups.
The Add Groups dialog appears.
Figure 23 Add Groups
3. Check the checkbox next to the group to which you want to add the user.
4. Click OK.
Remove a Group
1. Check the checkbox next to the group.
2. Click Remove.
3. Click Apply to continue editing the other two tabs, or Save if you have finished editing this user.
Permissions Tab for Administrative and Super Users
Currently, all added internal users by default are super users and have all permissions. The permissions of super users cannot be edited.
The access rights of users can be further restricted by participant and business agreement. For participants (Host or Trading Partner), users can be assigned access rights to all participants or to particular participants: access rights can be fine tuned with respect to trading partner access and business agreement access.
When you select this tab, the two subtabs appear: Participant Permission and Business Agreements Permission.
Figure 24 Edit User Permissions
Participant Permissions Tab for Administrative and Internal Users
In the Participant Permissions subtab, you can add or remove participants (host or trading partners), as well as change the permission that a particular user has regarding its access to these participants.
Add Participants
1. Click on Add Participants.
The list of trading partners configured for the current BusinessConnect installation appears.
Figure 25 Add Participants
2. Check the checkboxes next to the trading partners for which you want to change user’s access rights.
3. Click OK.
Change Permissions
The list of trading partners appears, with the user access rights for dealing with these participants.
Figure 26 Participant Permissions for Users
4. Check or uncheck checkboxes for any permissions that you want to fine tune: Read, Create, Update, Delete, Logs and Reports, or Select All.
For an overview of user access rights, see TIBCO BusinessConnect Concepts,
Again, you can only reduce the level of access rights that the specific user has in dealing with the selected trading partners.
When you select the checkbox Select All in the category ALL, all permissions will be checked.
Remove Participants
5. Select the checkbox next to any participant name.
6. Click Remove.
7. The participant is removed.
The participant is not removed from the installation; it only means that the user you are editing has no configured permissions to deal with this trading partner.
Business Agreements Permission Tab for Administrative and Internal Users
For Business Agreements, users can be assigned access rights to all Business Agreements or to particular Business Agreements.
This tab allows you to add and/or remove business agreements, as well as to change access rights that the specific user has regarding these agreements.
This window shows the list of business agreements to which the edited user has access rights, as well as the level of these access rights: Read, Create, Update, Delete, and Select All.
Figure 27 Business Agreement Permissions
Add Business Agreements
1. Click on Add Business Agreements.
The list of configured business agreements for the current BusinessConnect installation appears.
2. Check the checkboxes next to the business agreements for which you want to change user’s access rights.
3. Click OK.
Change Permissions
The list of business agreements appears, with the user access rights for dealing with these agreements.
Figure 28 Business Agreements Permissions for Users
4. Check or uncheck checkboxes for any agreements that you want to fine tune: Read, Create, Update, Delete, or Select All.
For an overview of user access rights, see TIBCO BusinessConnect Concepts,
Again, you can only reduce the level of access rights that the specific user has in dealing with the selected business agreements.
When you select the checkbox Select All in the category ALL, all permissions will be checked.
Remove a Business Agreement
5. Select the checkbox next to any business agreement.
6. Click Remove.
7. The business agreement is removed.
The business agreement is not removed from the installation; it only means that the user you are editing has no configured permissions to deal with this business agreement.
Authenticate External Users
To add an authentication source for external users:
1. Select BusinessConnect> System Settings> User Authentication Configuration.
2. In the External tab, configure settings as explained in Table 24.
Table 24 Configure the Authentication Source for the External User
Field: Description
Add: To add the authentication source:
1. Click Add.
2. In the Type drop-down list, select the source type with which the external user will be authenticated:
— LDAP If the LDAP server is selected, proceed with configuring its settings as described in Edit LDAP Connection, page 100.
— BC Database This is the internal BusinessConnect database.
3. Click OK.
The added type, LDAP or BC Database, will now be available as the Authentication Source.
4. In the Edit LDAP Connection screen, click Test Connection.
If the test is not successful, review the configuration steps.
5. Click Done.
Authentication Source Defaults
Authentication Source: From the drop-down list, select LDAP or BC database previously added as the authentication source.
Edit LDAP Connection
If you select the LDAP server for authentication source, enter information as described in Table 25.
Table 25 Edit LDAP Connection
Field: Description
alias: Define an alias for the new LDAP server.
Host Name: The IP address or name of the machine on which the LDAP server resides.
Port Number: The port number on the LDAP machine to use for connecting to LDAP.
Bind DN and Bind password: The Bind DN provided can be an LDAP user that has only read access to LDAP. The user needs permission to:
• Read LDAP user objects
• Read LDAP group objects
• Authenticate other users to LDAP (that is, call the LDAP authenticate API or have read access to password/credentials of LDAP user objects)
BaseDN: The base DN is an X.500 distinguished name, which denotes the sub-tree of an LDAP directory where the to-be-authenticated user records are posted, such as: ou=people,dc=unit,dc=company. Base DN gets prepended to Bind DN when searching for users.
User Search Filter: You can specify a user search filter and only users that have the specified attribute are returned. Using the defaults for the user search filters, all users are returned. For example,
Base DN: dc=na,dc=tibco,dc=com
User Search Filter: objectclass=person
User Name Attribute: Provide the LDAP attribute name that represents the user name in the LDAP directory server. For example, uid for the Sun ONE Directory server.
User to Group Membership Attribute: isMemberOf
Provide the LDAP attribute that represents the User to Group (or Role) membership attribute in the LDAP directory server. The value for this attribute lists the Groups or Role the user is enrolled for the DN. For example, nsRoleDN for the Sun ONE Directory server, memberOf for openLDAP and MemberOf for
Remove Users
You can remove any of the users from this list by checking the user checkbox and then clicking Delete.
Search for Users
Use the function Search (use * for wildcard) to search for the users that are not displayed on the list.
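An added example, not part of the TIBCO documentation or product code: one way the Base DN, User Search Filter and User Name Attribute fields of Table 25 can combine into a single LDAP search for a user, with the login value escaped per RFC 4515 so that filter metacharacters stay literal. That BusinessConnect composes its filter this way is an assumption; build_user_filter, search_request and the sample logins are hypothetical names and constructed values, while the directory values are the page's own examples.

```python
import re

# Directory values are the examples given in Table 25 of this page.
BASE_DN = "dc=na,dc=tibco,dc=com"
USER_SEARCH_FILTER = "objectclass=person"
USER_NAME_ATTRIBUTE = "uid"       # Sun ONE example from the page
GROUP_ATTRIBUTE = "memberOf"      # openLDAP example from the page

# Attribute names: a letter followed by letters, digits or hyphens (RFC 4512).
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
# Bytes RFC 4515 requires to be escaped in a filter value: NUL ( ) * \
_MUST_ESCAPE = {0x00, 0x28, 0x29, 0x2A, 0x5C}


def escape_filter_value(value):
    """Return value with filter metacharacters written as \\xx hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        # Non-ASCII bytes are escaped too; RFC 4515 allows this form.
        if byte in _MUST_ESCAPE or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def _parenthesize(filter_text):
    """Wrap an administrator-supplied filter such as objectclass=person in ()."""
    text = filter_text.strip()
    if text.startswith("(") and text.endswith(")"):
        return text
    return "(" + text + ")"


def build_user_filter(login, name_attr=USER_NAME_ATTRIBUTE,
                      base_filter=USER_SEARCH_FILTER):
    """AND the configured search filter with <name_attr>=<escaped login>."""
    if not _ATTR_NAME.fullmatch(name_attr):
        raise ValueError("invalid attribute name: %r" % name_attr)
    if not login:
        raise ValueError("login must not be empty")
    return "(&%s(%s=%s))" % (_parenthesize(base_filter), name_attr,
                             escape_filter_value(login))


def search_request(login):
    """Parameters of the user lookup. Only the two attributes are requested,
    matching a Bind DN that has read-only access (assumed request shape)."""
    return {
        "base": BASE_DN,
        "scope": "subtree",
        "filter": build_user_filter(login),
        "attributes": [USER_NAME_ATTRIBUTE, GROUP_ATTRIBUTE],
    }


if __name__ == "__main__":
    # Constructed sample logins: one plain, one containing metacharacters.
    for sample in ("jdoe", "a*b(c)d\\e"):
        print(search_request(sample)["filter"])
```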