Copyright © TIBCO Software Inc. All Rights Reserved



Managing User Information
All changes to iProcess user data must be made in the LDAP directory. Use your normal LDAP directory management tools to perform the following operations.
Adding a User to the LDAP Directory
To add an iProcess user to the LDAP directory, create or modify a directory entry as follows:
1.
2.
3.
Adding a Group to the LDAP Directory
To add an iProcess group to the LDAP directory, create or modify a directory entry as follows:
1.
Assign the value GROUP to the <MENUNAME> attribute.
2.
3.
4.
Defining Group Membership
You can use the <GROUPUSERS> attribute to define iProcess group membership in a number of ways:
or
Using iProcess User Names to Define Group Membership (MEMBER LIST Format)
A <GROUPUSERS> attribute value can be either a single iProcess user name, or a comma-separated list of iProcess user names. In the following example, the groupusers attribute value defines johnb, roystonh and bobb as members of the reviewers group:

 
menuname=group
groupname=reviewers
groupusers=johnb,roystonh,bobb

 
Note that:
A specified name must not contain an @ or = character, as this will cause the value to be truncated. For example, the value:

 
groupusers = johnb,roystonh@acme,bobb

 
will result in johnb and roystonh being added as group members. bobb will not be added to the group.

 
groupusers = swusr*

 
Using LDAP Distinguished Names to Define Group Membership (LDAP DN Format)
A <GROUPUSERS> attribute value can contain either a single DN or a list of DNs. Each DN references another entry in the LDAP directory, which must contain the iProcess user name that is to be added to the group.
When iProcess user data is synchronized with the LDAP directory, LDAPCONF reads the LDAP entry defined by each DN. If it finds:
In the example on the next page, the groupusers attribute value contains a list of three DNs. The LDAP attribute that maps to the iProcess user name is uid. When iProcess user data is synchronized with the LDAP directory, LDAPCONF searches the LDAP entry defined by each DN for a uid value. Users johnb, roystonh and bobb are therefore added to the reviewers group.
In this example, the # character is the delimiter for individual DNs in the groupusers value. The # character is the MS Active Server delimiter; other LDAP Directory servers may use different characters.


 
Note that:
A DN must not contain an @ character, as this will cause the DN to be truncated. For example, the value:

 
groupusers = cn=jbloggs,ou=Dev,o=ACME#
cn=rharper@ACME,ou=Tst,o=ACME#
cn=bbaggins,ou=Dev,o=ACME

 
will result in the second DN being interpreted as cn=rharper. The first and third DNs will be interpreted normally.
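The two truncation rules above (for MEMBER LIST and LDAP DN values) can be checked before synchronization. The following Python is an added example, not TIBCO code: it models only the behaviour described on this page, the function names are hypothetical, and it assumes that = cuts a MEMBER LIST value in the same way as @.

```python
# Added example (not TIBCO code): lint <GROUPUSERS> values before synchronization.
# It models only the truncation behaviour described on this page.

MEMBER_LIST_BAD = "@="  # forbidden in MEMBER LIST names
DN_BAD = "@"            # forbidden in LDAP DN values


def check_member_list(value):
    """Return (effective_members, findings) for a MEMBER LIST value.

    Following the page's example, the value is cut at the first forbidden
    character, so names after it are silently dropped. Assumption: '='
    cuts the value in the same way as '@'.
    """
    names = [n.strip() for n in value.split(",") if n.strip()]
    for k, name in enumerate(names):
        cut = min((name.find(c) for c in MEMBER_LIST_BAD if c in name), default=-1)
        if cut >= 0:
            kept = names[:k] + ([name[:cut]] if name[:cut] else [])
            findings = [f"{name!r} contains a forbidden character; value is cut there"]
            findings += [f"{d!r} will not be added to the group" for d in names[k + 1:]]
            return kept, findings
    return names, []


def check_dn_list(value, delimiter="#"):
    """Return (effective_dns, findings) for an LDAP DN value.

    Each DN is cut at its first '@'; other DNs in the list are unaffected.
    '#' is the delimiter used in the page's example; pass another if needed.
    """
    effective, findings = [], []
    for dn in (d.strip() for d in value.split(delimiter)):
        if not dn:
            continue
        head, at, _ = dn.partition(DN_BAD)
        if at:
            findings.append(f"{dn!r} will be interpreted as {head!r}")
        effective.append(head)
    return effective, findings


if __name__ == "__main__":
    # Both inputs are the examples given on this page.
    print(check_member_list("johnb,roystonh@acme,bobb"))
    print(check_dn_list("cn=jbloggs,ou=Dev,o=ACME#cn=rharper@ACME,ou=Tst,o=ACME#cn=bbaggins,ou=Dev,o=ACME"))
```

A non-empty findings list means the group membership after synchronization will differ from what the directory entry appears to grant, so the entry should be corrected before LDAPCONF reads it.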
In the following example, we again assume that uid is the LDAP attribute that maps to the iProcess user name.


 
LDAPCONF reads the DN and, finding that it already contains a uid value, checks if jon_b is an iProcess user:
If jon_b is an iProcess user, jon_b is added to the groupusers group. The entry pointed to by the full DN is not examined.
If jon_b is not an iProcess user, LDAPCONF searches the entry pointed to by the full DN. It finds the uid value johnb, and so adds user johnb to the groupusers group.
Adding a Role to the LDAP Directory
To add an iProcess role to the LDAP directory, create or modify a directory entry as follows:
1.
Assign the value ROLE to the <MENUNAME> attribute.
2.
3.
4.
Deleting a User, Group or Role
You can delete an iProcess user, group or role from the LDAP directory in three ways:
Set the <MENUNAME> attribute for the relevant entry to NONE. The user, group or role will be removed when iProcess is next synchronized with the LDAP directory.
Changing the Membership of a Group
Each entry defining a group should have one or more <GROUPUSERS> values, which define the members of that group. To change the membership of the group, add users to or remove them from this list. See Defining Group Membership for more information.
Changing a Role Assignment
Each entry defining a role should have a <ROLEUSER> attribute, which specifies the <USERNAME> assigned to that role. To change this assignment, edit this value.
Creating, Deleting or Editing Attributes
You can create, delete or edit any attributes for use with the iProcess Engine as required. See Application Specific Attributes.
