
Copyright IBM Corporation 2016 All rights reserved

IBM Operational Decision Manager V8.8 Lab exercise

IBM Operational Decision Manager


Administration in Business Console
LDAP User and Group Administration

What this exercise is about
Lab requirements
What you will learn
Part 1: Set up LDAP users and groups (Optional)
Part 2: Delegate authorization to Decision Center
Part 3: Administrate groups and users
What you did in this exercise

What this exercise is about


IBM Operational Decision Manager V8.8 introduces a new administrative interface that simplifies connecting to
LDAP directories and managing users and groups, with roles and simplified permission assignment.
In this lab, you use the users and groups from LDAP as the participants in project governance in Decision Center.
To let you explore this feature quickly without building a project from scratch, the lab uses the built-in Loan
Validation Service sample project. The lab uses Apache Directory Server as the LDAP server and Apache Directory
Studio as the LDAP administration tool. You can also use your own LDAP server and tool.
This lab is provided AS-IS, with no formal IBM support.

Lab requirements
The following software is required:
IBM Operational Decision Manager Standard V8.8
o Decision Server (with the Sample profile created)
o Decision Center
An LDAP server, for example IBM Directory Server or Apache Directory Server
o An LDAP administration tool, for example Apache Directory Studio
Note: Throughout the lab, Apache Directory Server is referred to as the LDAP server, and Apache Directory Studio
is referred to as Studio for short.

What you will learn


The goals of this lab:
o Learn how to authorize all authenticated users from LDAP and delegate authorization to Decision Center.
o Learn how to administrate users and groups from LDAP, including the LDAP connection, role selection, and
permission assignment.

IBM ODM User and Group Administration in Business Console Lab exercise Page 1 of 25
Copyright IBM Corporation 2016. All rights reserved

Part 1: Set up LDAP users and groups (Optional)


This part is optional. If you have your own LDAP server setup with pre-defined users and groups created under a
unique base distinguished name, you can skip this part and directly go to Part 2.

____ 1. Create LDAP Server connection in Studio

__ a. Start LDAP server instance and launch Studio.


__ b. In the Connections view of the LDAP perspective, click the New Connection icon.
__ c. In the New LDAP Connection wizard, enter the LDAP connection name (for example LocalADS) and the
network parameters. Then click Next.

__ d. Enter the Bind DN and password. You can click Check Authentication to verify.


__ e. Keep clicking Next until the last page, click Finish.

The connection is established and the entries from LDAP are loaded in the LDAP Browser view.

____ 2. Create a new base distinguished name (DN)

__ a. Right click the LocalADS connection and choose Open Configuration.


__ b. The configuration editor is opened. Click the Partitions tab, then click the Add button in the All
partitions section.

__ c. The Partition General Details section is displayed. Enter Loan Service Co. in the ID field and
dc=loanserviceco,dc=com as the Suffix.

__ d. Save the configuration change.


__ e. Restart the LDAP server for the configuration change to take effect.

__ f. In the Studio LDAP Browser view, right click Root DSE and choose Reload Entry. The new base DN is listed.


____ 3. Add users


__ a. Before creating the actual users, you first create an organizational unit to contain all the users. Right click
the dc=loanserviceco,dc=com entry and choose New > New Entry.
__ b. On the New Entry wizard, choose Create entry from scratch. Click Next.
__ c. On the Object Classes page, type org in the left side Available object classes filter field. Then select
organizationalUnit in the list and click Add.

__ d. The organizationalUnit and top object classes are listed in the Selected object classes bucket. Click
Next.


__ e. On the Distinguished Name page, choose or enter ou as RDN attribute, and enter users as RDN
value. Click Next.

__ f. Review the attribute list, and then click Finish. The LDAP Browser shows that ou=users is created.

__ g. To create a user, right click the ou=users entry and choose New > New Entry.
__ h. Choose Create entry from scratch. Click Next.
__ i. On the Object Classes page, in the left side Available object classes filter field, type inet. Then select
inetOrgPerson in the list and click Add.


__ j. The list of person-related object classes is selected. Click Next.

__ k. Enter uid=Jane as RDN. Click Next.

__ l. On the Attributes page, cn and sn values are required. Enter Jane as cn and Doe as sn.


__ m. Click the New Attribute icon in the toolbar.

__ n. Enter userPassword as Attribute type. Click Finish.


__ o. The userPassword attribute is in the list. Double click the Empty password field to enter the value.


__ p. In the Password Editor, enter Jane as the new password and confirm it. For simplicity, the lab uses the
Plaintext hash method. Note that Plaintext stores the password readable by anyone who can read the entry or the
server's data files; outside a throwaway lab, choose a salted hash such as SSHA instead.

You can also select Show new password details to see the password in clear text. Click OK.

__ q. Click Finish to close the New Entry wizard. User Jane is created in the LDAP.

__ r. Repeat Steps 3.g to 3.q to create another user, John Doe:

uid=John; cn=John; sn=Doe; userPassword=John.

You have finished creating two users in LDAP.

____ 4. Add groups


__ a. First you create an organizational unit named groups to hold the groups. Right click the
dc=loanserviceco,dc=com entry and choose New > New Entry.
__ b. On the New Entry wizard, choose Create entry from scratch. Click Next.
__ c. On the Object Classes page, select organizationalUnit and move it to the Selected Object classes
bucket. Click Next.


__ d. On the Distinguished Name page, choose ou as RDN attribute, and enter groups as RDN value.
Click Next.

__ e. Review the attribute list, and then click Finish. The LDAP Browser view shows that the ou=groups entry
is created.

__ f. Right click ou=groups entry, choose New > New Entry


__ g. Choose Create entry from scratch. Click Next.


__ h. On the Object Classes page, in the left side Available object classes filter field, type group. Then
select groupOfNames in the list and click Add.

__ i. The groupOfNames and top object classes are selected. Click Next.
__ j. Enter cn=management as RDN. Click Next.

__ k. The DN Editor dialog is opened. A group member is required. Click Browse.


__ l. Expand the DN tree and choose uid=Jane. Click OK.


__ m. Back in the DN Editor, click OK. The member attribute with Jane's DN as its value is added to the New Entry
Attributes list. Click Finish.

__ n. Repeat Steps 4.f to 4.m to create another group, development, with John Doe as its member.

You have finished creating two groups in LDAP.
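The directory built in this part can also be created from an LDIF file instead of by clicking through Studio. The following Python script is an added example and is not part of the IBM lab: it generates the LDIF for ou=users, ou=groups, the two users and the two groups, and it stores each userPassword as a salted SHA-1 ({SSHA}) value rather than the Plaintext shortcut used above. It assumes that the dc=loanserviceco,dc=com partition from step 2 already exists and that your server accepts {SSHA} values (Apache Directory Server does); the host, port and admin DN in the usage note are the Apache Directory Server defaults, and the passwords Jane/Jane and John/John are the lab's throwaway ones.

```python
"""Build the Part 1 directory (ou=users, ou=groups, two users, two groups) as LDIF.

Added example, not part of the IBM lab. Assumes the partition
dc=loanserviceco,dc=com already exists and that the server accepts {SSHA}
userPassword values (Apache Directory Server does). Passwords are stored as
salted SHA-1 ({SSHA}) instead of plaintext.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=loanserviceco,dc=com"

# Constructed lab data: the uid/cn/sn and group membership used in the lab text.
USERS = [
    {"uid": "Jane", "cn": "Jane", "sn": "Doe", "group": "management"},
    {"uid": "John", "cn": "John", "sn": "Doe", "group": "development"},
]


def make_ssha(password, salt=None):
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)          # fresh random salt per stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a candidate password against an {SSHA} value, as the server does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; whatever follows is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_dn(uid):
    return "uid=%s,ou=users,%s" % (uid, BASE_DN)


def build_ldif(users, passwords, salt=None):
    """Return the LDIF text for the OUs, users and groups of the lab.

    `passwords` maps uid -> cleartext password; only the {SSHA} form is written.
    `salt` exists only to make the output deterministic in tests; leave it None otherwise.
    """
    lines = []
    for ou in ("users", "groups"):
        lines += ["dn: ou=%s,%s" % (ou, BASE_DN),
                  "objectClass: top", "objectClass: organizationalUnit",
                  "ou: %s" % ou, ""]
    for u in users:
        lines += ["dn: " + user_dn(u["uid"]),
                  "objectClass: top", "objectClass: person",
                  "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
                  "uid: %s" % u["uid"], "cn: %s" % u["cn"], "sn: %s" % u["sn"],
                  "userPassword: " + make_ssha(passwords[u["uid"]], salt), ""]
    # groupOfNames requires at least one member, so the groups come after their users.
    groups = {}
    for u in users:
        groups.setdefault(u["group"], []).append(user_dn(u["uid"]))
    for name, members in sorted(groups.items()):
        lines += ["dn: cn=%s,ou=groups,%s" % (name, BASE_DN),
                  "objectClass: top", "objectClass: groupOfNames", "cn: %s" % name]
        lines += ["member: " + m for m in members]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Lab passwords (Jane/Jane, John/John) are deliberately weak and exist only for the exercise.
    print(build_ldif(USERS, {"Jane": "Jane", "John": "John"}))
```

Import the output with, for example, ldapadd -x -H ldap://localhost:10389 -D uid=admin,ou=system -W -f loanserviceco.ldif, or with Studio's LDIF import. The verify_ssha function mirrors what the server does on a simple bind; it is there so you can confirm that the hashed value still authenticates the right password and rejects a wrong one before relying on it.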


Part 2: Delegate authorization to Decision Center


To authorize all authenticated users from LDAP and delegate authorization to Decision Center, you modify the
security role mapping of the Decision Center application and add the LDAP server to the federated repositories of
the application server's security realm. In this part, you give all authenticated users the rtsUser role so that
they can access Decision Center. Note what this means: every account in every repository of the realm can log in to
Decision Center; what a user can then do is decided by the roles and permissions you assign in Decision Center in
Part 3, not by the application server.
____ 1. Modify the security role mapping of rtsUser in the Decision Center application
__ a. Launch WAS Administrative Console.
__ b. Log in with the WAS administrator's credentials.
__ c. From the navigation panel, expand Applications > Application Types, and click WebSphere
enterprise applications.

__ d. Click teamserver-WAS85 in the application table.


__ e. On the configuration page, under the Detail Properties section, click Security role to user/group
mapping.

__ f. Select the checkbox in the rtsUser row, click the Map Special Subjects list, and select the All
Authenticated in Application's Realm option.


__ g. Select the checkbox in the rtsUser row again. Then click Map Groups.

__ h. On the Search and Select Groups page, choose rtsUser in the Selected list and click the Remove
button. Then scroll down and click the OK button at the bottom of the page.

__ i. The security role mapping table is reloaded. The rtsUser role now has only the special subject set and no
explicit group mapping. Click the OK button below the table.

__ j. At the top of the page, click Save to save all the changes to the master configuration. You do NOT need
to restart the server at this time.


____ 2. Add LDAP server to security federated repositories.


__ a. In WAS Admin Console, expand Security, then click Global security.

__ b. On the Global security configuration page, under the User account repository section, make sure
Federated repositories is selected as the current realm definition. Click Configure.

__ c. On the Federated repositories configuration page, scroll to the Repositories in the realm table. By
default, only the WIM file-based repository is present. Click Add repositories (LDAP, custom, etc.) above the
table.

__ d. In the repository General Properties settings, click New Repository > LDAP repository.

The access configuration page of the LDAP repository is loaded.


__ e. In the LDAP server section, choose your LDAP directory type. For Apache Directory, choose
Custom. Also enter the LDAP host name and port number.

__ f. In the Security section, enter the bind DN and password. Update the other fields to match your LDAP
settings. Click OK. Use a bind account with only the access WebSphere needs to search the directory, and
enable SSL here if the LDAP server supports it: over a plain connection the bind password, and every user
password verified through this repository, crosses the network in clear text.

__ g. The LDAP1 repository is defined and the General Properties page is reloaded. Now enter the base DN,
that is, dc=loanserviceco,dc=com. Click OK.


__ h. Back on the Federated repositories page, LDAP is now listed in the table. Click OK.

__ i. On the top of the Global security page, click Save in the Messages box.
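Steps 1 and 2 can be scripted with wsadmin instead of clicked through, which is how you keep a reproducible record of this security configuration. The Python script below is an added example, not IBM's code and not part of the lab: it writes a wsadmin Jython file that maps rtsUser to All Authenticated in Application's Realm with no explicit users or groups, registers the LDAP server as a CUSTOM-type repository, and adds dc=loanserviceco,dc=com to the default realm. The command and parameter names (createIdMgrLDAPRepository, addIdMgrLDAPServer, addIdMgrRepositoryBaseEntry, addIdMgrRealmBaseEntry, and the five-column MapRolesToUsers row) are those of the WAS 8.5 wsadmin reference as I recall them and should be checked against the documentation for your fix pack; the host name, bind DN and password are placeholders, and the realm name defaultWIMFileBasedRealm is the WAS default, which the lab does not state.

```python
"""Generate a wsadmin (Jython) script for Part 2, steps 1 and 2.

Added example; not part of the IBM lab and not an IBM-provided script.
Assumptions (not stated in the lab):
  - command/parameter names are those of the WAS 8.5 IdMgrRepositoryConfig
    command group and the AdminApp MapRolesToUsers task as recalled here;
    verify them against the wsadmin reference for your fix pack;
  - the realm keeps its default name defaultWIMFileBasedRealm;
  - the application is teamserver-WAS85, as in the lab;
  - host, port, bind DN and password are placeholders.
Run with Python to produce part2.py, then apply it with
wsadmin.sh -lang jython -f part2.py (AdminConfig.save() is included).
"""

REALM = "defaultWIMFileBasedRealm"          # assumed WAS default realm name
APP_NAME = "teamserver-WAS85"               # Decision Center application name from the lab
ADAPTER = "com.ibm.ws.wim.adapter.ldap.LdapAdapter"


def rts_user_role_mapping(app_name=APP_NAME):
    """Lab step 1: rtsUser -> All Authenticated in Application's Realm, no users or groups.

    MapRolesToUsers row columns (five-column form, assumed): role, Everyone?,
    All authenticated?, users, groups. Empty users and groups columns replace the
    default mapping of rtsUser to the rtsUser group, which step 1.h removes in the console.
    """
    row = '[rtsUser No Yes "" ""]'
    return "AdminApp.edit('%s', '[-MapRolesToUsers [%s]]')" % (app_name, row)


def ldap_repository_commands(repo_id, host, port, bind_dn, bind_password, base_dn,
                             server_type="CUSTOM", ssl_enabled=False):
    """Lab step 2: register an LDAP repository and add its base entry to the realm.

    server_type CUSTOM is what the lab picks for Apache Directory. ssl_enabled=False
    reproduces the lab's plain connection: the bind password and every user password
    verified through this repository then cross the network unencrypted.
    """
    ssl_flag = "true" if ssl_enabled else "false"
    return [
        "AdminTask.createIdMgrLDAPRepository('[-id %s -ldapServerType %s "
        "-adapterClassName %s]')" % (repo_id, server_type, ADAPTER),
        "AdminTask.addIdMgrLDAPServer('[-id %s -host %s -port %d -bindDN \"%s\" "
        "-bindPassword \"%s\" -sslEnabled %s]')"
        % (repo_id, host, port, bind_dn, bind_password, ssl_flag),
        "AdminTask.addIdMgrRepositoryBaseEntry('[-id %s -name \"%s\"]')" % (repo_id, base_dn),
        "AdminTask.addIdMgrRealmBaseEntry('[-name %s -baseEntry \"%s\"]')" % (REALM, base_dn),
    ]


def build_script(repo_id, host, port, bind_dn, bind_password, base_dn, ssl_enabled=False):
    """Return the complete wsadmin script text; the last line saves the master configuration."""
    lines = ["# generated wsadmin script; it contains the LDAP bind password, delete it after use"]
    lines.append(rts_user_role_mapping())
    lines += ldap_repository_commands(repo_id, host, port, bind_dn, bind_password,
                                      base_dn, ssl_enabled=ssl_enabled)
    lines.append("AdminConfig.save()")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder values: Apache Directory Server default port and admin DN, lab base DN.
    script = build_script("LDAP1", "ldap.example.test", 10389,
                          "uid=admin,ou=system", "CHANGE_ME", "dc=loanserviceco,dc=com")
    with open("part2.py", "w") as fh:
        fh.write(script)
    print(script)
```

Run the script with Python to produce part2.py, review it, then apply it with wsadmin.sh -lang jython -f part2.py (wsadmin.bat on Windows) and restart the server as in step 3. The generated file holds the bind password in clear text, so delete it after use; leaving ssl_enabled at False matches the lab's plain connection and is acceptable only for a throwaway lab.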

____ 3. Verify the federated repositories configuration


__ a. Restart the sample server so that the federated repositories configuration takes effect.
__ b. Once the server is up, log in to the WAS Administrative Console.
__ c. Expand Users and Groups, and click Manage Users.

__ d. In the users list table, you should see the LDAP users in the list.


__ e. Click Manage Groups on the left. The LDAP groups appear in the groups list as well.

__ f. Click the development group name link. The Group Properties page is displayed.
__ g. Click the Members tab. The LDAP group member is listed.

__ h. Log out of the Administrative Console.

____ 4. Check Decision Center authentication


__ a. Launch Decision Center Business Console.
__ b. Enter Jane as the user name and Jane as the password.
Jane can log in to the console successfully.
__ c. After login, Jane sees the HOME, LIBRARY, and WORK tabs, but no ADMINISTRATION tab, because
Jane only has the rtsUser role at this point. Only users with the rtsAdministrator role can work on
ADMINISTRATION. You assign Jane the rtsAdministrator role in Part 3.
__ d. Click the LIBRARY tab.
__ e. Select Loan Validation Service. On the Releases page, click the green add icon to add a new release.
__ f. On the Create a Release dialog, click the Owner selection dropdown.


At this moment, Jane and John can only access Decision Center as regular rtsUser members: the Owner list
does not offer them, so they cannot participate in the governance of any decision service project.

__ g. Close the dialog and logout of Business Console.

In the next part, you will add LDAP connection into Decision Center and import its groups and users by using
Administration feature. After assigning the proper roles to the groups, the users can participate in the
governance framework.


Part 3: Administrate groups and users


____ 1. Add LDAP connection
__ a. Log in to Decision Center Business Console with rtsAdmin/rtsAdmin as the username/password.

__ b. Click ADMINISTRATION tab.


__ c. On the Connection Settings page, click the green add icon.
__ d. The Create Connection dialog is opened. Fill in all the LDAP connection information and click Create.

The LDAP connection is created.

____ 2. Import groups and users


__ a. Click Groups tab.
__ b. On the Groups page, click Import Groups From Ldap icon.


__ c. The Import Groups dialog is opened. The LDAP Groups and Users under the search baseDN are listed
in the tree. Select All groups checkbox and click Import users and groups.

Two selected groups are now imported.

__ d. Click Users tab. The users are imported too along with the groups.

____ 3. Assign roles to groups

__ a. Click Groups tab.


__ b. Hover the mouse over the development group row. Click the Edit icon when it appears.
__ c. On the Edit Group dialog, under the Roles section, click the Click to select a role link.


__ d. Select rtsUser role from the role list.

__ e. Under the Permissions section, click the None link to turn this field to a drop down select list.

__ f. Choose Full Authoring. Then click Done.

The customized permissions can also be displayed here if they are defined in Enterprise
Console. The permission customization feature is out of scope of this lab. For more
details, visit ODM Decision Center Permissions topic on IBM Knowledge Center.


__ g. Edit the management group. Assign the rtsAdministrator role and the Full Authoring permission. Click Done.

__ h. You've finished assigning roles and permissions to the groups. Log out of Business Console.

____ 4. Verify the role assignments and permissions


__ a. Log in to Business Console using Jane's credentials.
__ b. Since Jane belongs to the management group, and this group has the rtsAdministrator role assigned,
Jane can now work on the ADMINISTRATION page.
__ c. Click the LIBRARY tab, then Loan Validation Service.
__ d. On the Releases page, click the green add icon.
__ e. Set Winter Release as the name.
__ f. The Owner is set to Jane by default. Click the dropdown icon for Owner field, you can see both Jane and
John are in the list.
__ g. On the Winter Release page Activities subpage, create a new change activity called Minimum Age
Update.


__ h. Choose Jane as Owner and Approver, then choose John as Author. Click Create.

__ i. Jane has finished creating a new release and a new activity as an rtsAdministrator. Log out.
__ j. Now log in to Business Console with John's credentials, that is, John/John.
__ k. Click the WORK tab.
__ l. The Minimum Age Update change activity is listed in John's work items. John can participate in
governance work too.

You can continue to work on the change activity as John to complete the activity and
logout. Then, login as Jane to approve and complete the release.

The decision governance workflow is out of the scope of this lab. You can refer to
Exploring decision services in a governance workflow tutorial on IBM Knowledge Center
or watch its corresponding online education demo video.


What you did in this exercise


In this exercise, you:

o first set up new users and groups in the LDAP directory;
o then configured the sample application server to delegate user authorization to Decision Center;
o next, on the Decision Center Business Console Administration page, connected the LDAP directory and assigned
roles and permissions to the imported LDAP groups;
o at the end, verified the access, role assignments and permissions of the end users for participation in the
decision service governance framework.

This completes the ODM User and Group Administration in Business Console lab.

