BPM, Workflow, and Case


Full User Sync Job

  • 1.  Full User Sync Job

    Posted Tue May 12, 2020 08:56 PM
    Hi All,

    We have an application where user accesses the BPM Dashboard in external portal and never get a chance to login to BPM portals so they will not have any records in BPM DBs. Is there any REST API we can use to create a nightly job so that all the users gets sync up in BPM DB and we don't have to do it from process admin?

    Thanks



    ------------------------------
    Harish Gupta
    ------------------------------


  • 2.  RE: Full User Sync Job

    Posted Wed May 13, 2020 03:19 PM
    1. Create a Service flow in BPM.
    2. Have a script in that service which will have the code to sync users (as shown below):
         a. if you can somehow pass all the newly created users to this service, run the below API in a loop:
             tw.system.org.findUserByName(userName)
            (or)
         b. if you don't know the newly created users' names, then use the API tw.system.org.getAllUsers()
    3. Include this service in a time-elapsed UCA or call this service using the start service REST API.

    APIs mentioned in step 2 will sync up the newly created LDAP users to BPM


    ------------------------------
    Suhas Vasudevamurthy
    Package Solution Consultant
    IBM India Pvt Ltd
    Bangalore
    9844691504
    ------------------------------



  • 3.  RE: Full User Sync Job

    Posted Wed May 13, 2020 05:23 PM
    This may work for some use cases, but from my experience (granted a bit old) -

    findUserByName only searches the DB.  It doesn't go to the security provider as part of its search.  If the user has never logged into IBM BPM, they won't be in the database.  As such this will not work.

    getAllUsers() - if it goes to the security provider (I'm not convinced it does), the BPM Server has a setting that caps the number of users returned from LDAP and similar.  If your number of users is below that number you will be fine, but if it is higher, then you may still be missing users.

    At a minimum I strongly advise testing prior to implementing these.  @Suhas Vasudevamurthy - apologies if you've tested these scenarios and seen them work.  If you have, please let us know the version (and ideally how you tested).

    ------------------------------
    Andrew Paier
    ------------------------------



  • 4.  RE: Full User Sync Job

    Posted Wed May 13, 2020 05:26 PM
    @Harish Gupta - I find your question a bit confusing.  I didn't think there was a way to allow a user to access a BPM Dashboard unless they have authenticated against the BPM server in some way.  Or are using "Dashboard" to represent "A generic report" and not the entity created in IBM BPM?

    Note - if the "Synchronize Users" in BPM Admin is working for you then you can likely ignore my comment below about LDAP query limits as you are likely below that threshold size (or my data is dated).


    ------------------------------
    Andrew Paier
    ------------------------------



  • 5.  RE: Full User Sync Job

    Posted Wed May 13, 2020 05:42 PM
    @Andrew Paier We have the BPM Dashboard located on external portal and we are using TAI to allow SSO. So if the user is authenticated by the external portal, he will be allowed to access BPM Dashboard using TAI SSO.

    I am using the REST API below as an option:

    Once I run this for a particular User ID, the refreshUser=true parameter should sync the user between BPM DB and LDAP. This is my expectation. Please let me know your thoughts on this.

    /rest/bpm/wle/v1/user?userName=12345678&includeInternalMemberships=true&refreshUser=true&includeEditableUserPreferences=false&parts=memberships

    ------------------------------
    Harish Gupta
    ------------------------------
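    A nightly driver for the per-user refresh call quoted in the post above, as an added example that is not part of the thread or of IBM's product code. It assumes only the URL shape shown in the post (`/rest/bpm/wle/v1/user?userName=...&refreshUser=true`), that the server answers with JSON carrying a top-level `status` and a `data` object with a `memberships` list (an assumption about the response shape), and that credentials arrive via environment variables. The thread itself never confirms that `refreshUser=true` creates a user who has never logged in, so the job records a per-user result rather than assuming success; the HTTP call is injected so the loop can be exercised offline against a constructed reply.

    ```python
    """Nightly BPM user-refresh job (added example; not from the thread or from IBM).

    Assumptions (not confirmed by the thread):
      * the endpoint quoted in the post, /rest/bpm/wle/v1/user, with refreshUser=true;
      * a JSON reply of the form {"status": "200", "data": {"memberships": [...]}};
      * credentials supplied via BPM_USER / BPM_PASSWORD environment variables.
    """
    import base64
    import json
    import os
    import urllib.parse
    import urllib.request
    from typing import Callable, Dict, Iterable


    def build_refresh_url(base_url: str, user_name: str) -> str:
        """Build the refresh URL with the same parameters quoted in the post."""
        query = urllib.parse.urlencode({
            "userName": user_name,
            "includeInternalMemberships": "true",
            "refreshUser": "true",
            "includeEditableUserPreferences": "false",
            "parts": "memberships",
        })
        return f"{base_url.rstrip('/')}/rest/bpm/wle/v1/user?{query}"


    def http_get(url: str, auth_header: str) -> str:
        """Real HTTP GET; TLS certificates are verified by urllib's defaults."""
        req = urllib.request.Request(
            url, headers={"Authorization": auth_header, "Accept": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")


    def refresh_users(base_url: str, users: Iterable[str],
                      fetch: Callable[[str], str]) -> Dict[str, str]:
        """Call the refresh endpoint for each user; return a per-user outcome string.

        `fetch` takes a URL and returns the response body, so a fake can be
        injected for offline testing.
        """
        results: Dict[str, str] = {}
        for user in users:
            try:
                body = json.loads(fetch(build_refresh_url(base_url, user)))
            except Exception as exc:  # network error, non-JSON body, HTTP error
                results[user] = f"error: {exc}"
                continue
            if str(body.get("status")) != "200":
                results[user] = f"status {body.get('status')}"
                continue
            memberships = body.get("data", {}).get("memberships", [])
            results[user] = f"ok ({len(memberships)} memberships)"
        return results


    if __name__ == "__main__":
        # Usage: BPM_USER=... BPM_PASSWORD=... python sync_job.py < users.txt
        import sys
        base = os.environ.get("BPM_BASE_URL", "https://bpm.example.com")  # placeholder host
        token = base64.b64encode(
            f"{os.environ['BPM_USER']}:{os.environ['BPM_PASSWORD']}".encode()
        ).decode()
        users = [line.strip() for line in sys.stdin if line.strip()]
        outcome = refresh_users(base, users, lambda u: http_get(u, f"Basic {token}"))
        for user, status in outcome.items():
            print(f"{user}: {status}")
    ```

    Whatever the job reports, the check that matters is the one the later posts describe: confirm in SystemOut.log that the user's group memberships were actually updated, since a 200 from the user resource does not by itself prove that.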



  • 6.  RE: Full User Sync Job

    Posted Thu May 14, 2020 04:21 AM
    Have a look at https://www.ibm.com/support/knowledgecenter/SS8JB4/com.ibm.wbpm.admin.doc/topics/sync_users_and_groups.html

    ------------------------------
    Jens Engelke
    ------------------------------



  • 7.  RE: Full User Sync Job

    Posted Fri May 15, 2020 11:18 AM
    @Jens Engelke I looked at that document but all the given options need manual intervention. I am looking for an automated solution.

    ------------------------------
    Harish Gupta
    ------------------------------



  • 8.  RE: Full User Sync Job

    Posted Mon May 18, 2020 10:16 AM
    The items that @Jens Engelke pointed you to include WAS Admin scripts.  These could be executed as cron jobs on the server at regular times if you've run the test to prove they solve your problems.  The REST options you pose might also work, but I don't have an environment with this problem to use to attempt to validate them for you.  It doesn't seem like anyone in the community has hit this exact problem.

    TBH, I'm a little confused as I would have thought your TAI would assert the user's ID to the BPM system, thereby running through the normal steps when a new user is encountered.  This would ensure that the user has access to the dashboard.  I suspect that maybe your TAI isn't fully formed and is asserting a shared account when it receives and validates the security token.  Assuming that something like this is going on, the reason your problem is a bit unique is due to the unorthodox approach to the user authentication you have taken.

    ------------------------------
    Andrew Paier
    ------------------------------



  • 9.  RE: Full User Sync Job

    Posted Mon May 18, 2020 08:53 PM
    @Andrew Paier

    In TAI, we are authenticating the user session ID against an external system. If that session ID is valid, we are sending an OK response to WAS so the user gets authenticated. What is the way to synchronize the user with the BPM system after the user's session gets authenticated?

    ------------------------------
    Harish Gupta
    ------------------------------



  • 10.  RE: Full User Sync Job

    Posted Tue May 19, 2020 11:15 AM
    @Harish Gupta

    When we have created a TAI for situations where one didn't already exist for the SSO technology we were using, the TAI asserts a UserID as part of the response.  As documented in this article WAS is supposed to take that UserID and see that the user exists in the user registry (in your case the LDAP).

    If this TAI was hand created for this use case I'd check the underlying code as I suspect either it is using some sort of path that doesn't expect a UserID, or someone skipped the part of "figure out the LDAP User ID from the SSO token" and just hardcoded a user to use that had the "right" authorizations.

    If the TAI was supplied by an SSO vendor, I'd check on how it was configured as it seems to be not supplying the correct user ID to WebSphere in its response.

    Basically my read on all of this is that the problem you are trying to solve would not be a problem if the TAI was doing exactly what it is supposed to do, but somewhere along the line a step was skipped or something was misconfigured and the TAI isn't performing correctly.  As such the user ID isn't getting set, so then the logic that kicks in on BPM when a user is first seen isn't getting invoked, causing the problems you are seeing.

    If you are in fact setting the userID correctly but IBM BPM isn't syncing that user on login as is normal, you should open a ticket with IBM as that is a significant problem that would potentially affect any SSO solution on IBM BPM.

    (Note: It has been a long time since I wrote a TAI, mainly my team does that now, but back when I first did it, my first attempt was always something like "If X is present (e.g. a cookie) then just say this is wasadmin and move forward".  Obviously I'd only put this on a local box, but it proved the baseline is working.  I would then layer the more complex logic over that to get to the right end point.  There are likely examples on the web that basically say "figuring out the right userID is left as an exercise for the student."  If you have a session that has gone through the SSO process you can just call rest/bpm/wle/v1/user/current in that browser against the BAW server and it will tell you who it thinks the user is.)


    ------------------------------
    Andrew Paier
    ------------------------------



  • 11.  RE: Full User Sync Job

    Posted Fri May 22, 2020 07:46 AM
    @Andrew Paier Thanks Andrew for the detailed response. I raised an IBM PMR and we observed that for a first-time user, the group membership is not getting refreshed when TAI is involved.

    If the same user logs into BPM portals like Process Admin or Process Portal then the user and its group memberships are updated in the BPM DB and he does not face any issue in accessing the Custom Dashboard from the external portal.

    IBM mentioned that for the first time user "initializeNewLogin" script runs but in my case they don't find this log in the trace logs file.

    Waiting for more updates from IBM on this.

    Thanks again for providing more clarity on the issue.

    ------------------------------
    Harish Gupta
    ------------------------------



  • 12.  RE: Full User Sync Job

    Posted Mon May 25, 2020 02:10 AM
    Which URLs is the user's request accessing on the BPM system?
    Calling any REST API will trigger the initializeNewLogin() Java method in the product code. There are other situations when the same method is invoked. It is close to impossible to trigger anything useful without invoking this replication.

    ------------------------------
    Jens Engelke
    ------------------------------



  • 13.  RE: Full User Sync Job

    Posted Mon May 25, 2020 03:03 AM
    I found the PMR, found the URL and asked the team to open an APAR.

    This has probably not been found during testing as initializeNewLogin is invoked immediately after the second request in order to get the user's locale via REST.

    ------------------------------
    Jens Engelke
    ------------------------------



  • 14.  RE: Full User Sync Job

    Posted Mon May 25, 2020 05:55 AM
    @Jens Engelke Could you please elaborate more on your 2nd statement? When you say "second request", which request are you referring to?

    ------------------------------
    Harish Gupta
    ------------------------------



  • 15.  RE: Full User Sync Job

    Posted Mon May 25, 2020 07:32 AM

    "second request":

    When you observe what happens when calling the CSHS: there is a request to /teamworks/executecf and then there is a REST request to the user profile API for getting the locale. This REST request is "the second".



    ------------------------------
    Jens Engelke
    ------------------------------



  • 16.  RE: Full User Sync Job

    Posted Mon May 25, 2020 05:50 AM
    @Jens Engelke The user is trying to access a CSHS URL exposed as a dashboard.

    Does initializeNewLogin() refresh the user's group membership as well? I executed the REST API "Current State" but in SystemOut.log I don't find that it triggered the initializeNewLogin() script.

    Whereas, when I trigger the CSHS URL, I see the statements below in SystemOut.log which confirm that it updates the group memberships for existing BPM users at least.

    CWLLG0468I: Checking information for user userId(false) = User.1234, userName(false) = ABCD, fullName(false) = FN ABCD LN ABCD, provider(false) = uid=ABCD,ou=InternalAlt,ou=Users,dc=abc,dc=com, userState(false) = 0, lastStateModified(false) = null, state = RECORD_STATE_UP_TO_DATE, saveSyncId = null for updates.
    [5/24/20 17:36:29:163 EDT] 000003be SecurityCore I com.lombardisoftware.server.ejb.security.SecurityCore updateGroupMembership CWLLG1088I: Initializing session is done for user ABCD

    Thanks

    ------------------------------
    Harish Gupta
    ------------------------------
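    The two SystemOut.log messages quoted in the post above are the evidence that a user's session initialization, and with it the group-membership update, actually ran. The checker below is an added example, not part of the thread or of IBM's product code: it scans log lines for the CWLLG0468I "Checking information for user" record and the CWLLG1088I "Initializing session is done" record, pairs them by user name, and lists users who were checked but never initialized, which is the first-time-user gap the thread ends up describing. The message text is taken from the post; the regular expressions, the report structure and the sample lines for a second user (EFGH) are constructed here.

    ```python
    """Audit SystemOut.log for BPM user-sync evidence (added example; not IBM code).

    Pairs CWLLG0468I (user record checked) with CWLLG1088I (session initialized,
    group membership updated) per user and reports users that never reached the
    second step. Message formats follow the lines quoted in the thread.
    """
    import re
    from typing import Dict, Iterable, List

    # CWLLG0468I carries userName(false) = <name> and, later, ", state = <RECORD_STATE>".
    # "\bstate =" deliberately skips "userState(false) = 0" earlier in the same line.
    CHECK_RE = re.compile(
        r"CWLLG0468I: Checking information for user .*?"
        r"userName\(false\) = (?P<user>[^,]+),.*?\bstate = (?P<state>\w+)"
    )
    # CWLLG1088I is logged by SecurityCore.updateGroupMembership once init is done.
    INIT_RE = re.compile(r"CWLLG1088I: Initializing session is done for user (?P<user>\S+)")


    def audit_user_sync(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
        """Return {user: {"state": <record state or None>, "initialized": bool}}."""
        report: Dict[str, Dict[str, object]] = {}
        for line in lines:
            m = CHECK_RE.search(line)
            if m:
                entry = report.setdefault(m["user"].strip(), {"state": None, "initialized": False})
                entry["state"] = m["state"]
                continue
            m = INIT_RE.search(line)
            if m:
                entry = report.setdefault(m["user"], {"state": None, "initialized": False})
                entry["initialized"] = True
        return report


    def users_missing_init(lines: Iterable[str]) -> List[str]:
        """Users whose record was checked but whose session was never initialized."""
        return sorted(u for u, e in audit_user_sync(lines).items() if not e["initialized"])


    # Constructed sample: the two lines quoted in the thread for ABCD, plus a
    # constructed CWLLG0468I line for EFGH with no matching CWLLG1088I line.
    SAMPLE_LOG = [
        "CWLLG0468I: Checking information for user userId(false) = User.1234, "
        "userName(false) = ABCD, fullName(false) = FN ABCD LN ABCD, "
        "provider(false) = uid=ABCD,ou=InternalAlt,ou=Users,dc=abc,dc=com, "
        "userState(false) = 0, lastStateModified(false) = null, "
        "state = RECORD_STATE_UP_TO_DATE, saveSyncId = null for updates.",
        "[5/24/20 17:36:29:163 EDT] 000003be SecurityCore I "
        "com.lombardisoftware.server.ejb.security.SecurityCore updateGroupMembership "
        "CWLLG1088I: Initializing session is done for user ABCD",
        "[5/24/20 17:40:02:001 EDT] 000003c1 SecurityCore I "
        "com.lombardisoftware.server.ejb.security.SecurityCore checkUser "
        "CWLLG0468I: Checking information for user userId(false) = User.5678, "
        "userName(false) = EFGH, fullName(false) = FN EFGH LN EFGH, "
        "provider(false) = uid=EFGH,ou=InternalAlt,ou=Users,dc=abc,dc=com, "
        "userState(false) = 0, lastStateModified(false) = null, "
        "state = RECORD_STATE_UP_TO_DATE, saveSyncId = null for updates.",
    ]


    if __name__ == "__main__":
        # Usage: python audit_sync.py /path/to/SystemOut.log  (falls back to the sample)
        import sys
        if len(sys.argv) > 1:
            with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
                lines = list(fh)
        else:
            lines = SAMPLE_LOG
        for user, entry in audit_user_sync(lines).items():
            print(f"{user}: state={entry['state']} initialized={entry['initialized']}")
        print("missing initialization:", users_missing_init(lines))
    ```

    Run against the real SystemOut.log after exercising the dashboard URL with a never-seen user; a name in the "missing initialization" list is the symptom to attach to the PMR, and the log retention window bounds how far back the audit can look.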



  • 17.  RE: Full User Sync Job

    Posted Mon May 25, 2020 07:06 AM
    Edited by Jens Engelke Mon May 25, 2020 07:08 AM
    Does initializeNewLogin() refresh the user's group membership as well?
    > yes
     
    I executed the REST API "Current State" but in SystemOut.log I don't find that it triggered the initializeNewLogin() script.
    > initializeNewLogin() is triggered once per HTTP session with the REST API.
     
    Whereas, when I trigger the CSHS URL, I see the statement below in SystemOut.log which confirms that it updates the group memberships for existing BPM users at least.
    > Yes, there is a request to get the user's locale via REST, which calls initializeNewLogin() - but only after the CSHS was successfully triggered, that's why you see issues for users who have never logged into BPM before.