As @Stuart Jones touched on, the choice to use a Team defined internally in IBM BPM vs. LDAP largely has to do with the requirements of your process. I'm unaware of any technical reason to prefer one over the other. The members of a group are confirmed against LDAP each time a user of that group logs in, so if someone was removed from the LDAP group, that change should be synced to the underlying group the next time a user in that group logs in.
Determining which to use largely comes down to the management of the users. At one of our customers we effectively needed several hundred user groups. The LDAP team had a firm rule that no application could have more than 50 groups in LDAP. Add to this that they viewed all of BPM as one "Application", so internal groups were our only real option. Another aspect is whether the business users want to be able to modify the group membership directly without having to go through another entity with (for example) a 2-day SLA on changes / updates.
The flip side: some customers are in highly regulated fields and any changes to group membership have to go through a very formal process, so for them, having a separate group in charge of the changes, tracking the requests, etc. is a feature, not a flaw, and they like using LDAP because they already have practices / procedures established for this.
------------------------------
Andrew Paier
------------------------------
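The sync behaviour Andrew describes above (internal group membership re-confirmed against LDAP only when a user of that group logs in) is easiest to see in a small simulation. The following is an added example written for this thread, not IBM BPM code: it models a Team mapped directly to an LDAP group beside a Team mapped to an internal group that caches membership and re-syncs on login, then walks through the offboarding case Rameshkumar asked about. The directory contents, user names, group name and task list are constructed sample data, and the "sync on login" rule is a simplified reading of Andrew's description rather than the product's actual implementation. The `stale_assignments` check is an administrator-side check for work assigned to users who are no longer team members; the thread does not say what BPM itself does with such tasks, so the example does not claim anything about that.

```python
from dataclasses import dataclass


@dataclass
class Task:
    task_id: str
    assignee: str


class LdapTeam:
    """Team -> LDAP group. Membership is read from the directory on every
    check, so a removal in LDAP is visible to the Team immediately."""

    def __init__(self, directory, group):
        self.directory = directory  # constructed stand-in for an LDAP server
        self.group = group

    def members(self):
        return set(self.directory.get(self.group, set()))


class InternalGroupTeam:
    """Team -> internal group -> LDAP group. Membership is cached in the BPM
    database and re-confirmed against LDAP only when a user of the group
    logs in (the behaviour described in the thread), so removals lag until
    such a login happens. This is a simplified model, not BPM's own logic."""

    def __init__(self, directory, group):
        self.directory = directory
        self.group = group
        self.cached = set(directory.get(group, set()))

    def on_login(self, user):
        # Only a login by a cached or current member of this group triggers
        # the re-confirmation; logins by other users leave the cache alone.
        if user in self.cached or user in self.directory.get(self.group, set()):
            self.cached = set(self.directory.get(self.group, set()))

    def members(self):
        return set(self.cached)


def stale_assignments(team, tasks):
    """Task IDs whose assignee is no longer a member of the team. This is the
    check an administrator would run to find work that needs reassignment."""
    members = team.members()
    return [t.task_id for t in tasks if t.assignee not in members]


def simulate_offboarding():
    """Offboarding walk-through: 'bob' is removed from the LDAP group, an
    unrelated user logs in, then 'alice' (still a member) logs in. Returns
    what each strategy reports at each step. All data here is constructed."""
    directory = {"cn=claims-approvers": {"alice", "bob", "carol"}}
    tasks = [Task("T-1", "alice"), Task("T-2", "bob"), Task("T-3", "carol")]
    ldap_team = LdapTeam(directory, "cn=claims-approvers")
    internal_team = InternalGroupTeam(directory, "cn=claims-approvers")
    steps = {}

    # 1. The LDAP admins remove bob from the group after he resigns.
    directory["cn=claims-approvers"].discard("bob")
    steps["after_removal"] = {
        "ldap_team": sorted(ldap_team.members()),
        "ldap_stale_tasks": stale_assignments(ldap_team, tasks),
        "internal_team": sorted(internal_team.members()),
        "internal_stale_tasks": stale_assignments(internal_team, tasks),
    }

    # 2. A user outside the group logs in: the cached membership is untouched.
    internal_team.on_login("dave")
    steps["after_other_login"] = {"internal_team": sorted(internal_team.members())}

    # 3. alice, a member of the group, logs in: the cache is re-confirmed
    #    against LDAP and bob disappears from the internal group.
    internal_team.on_login("alice")
    steps["after_member_login"] = {
        "internal_team": sorted(internal_team.members()),
        "internal_stale_tasks": stale_assignments(internal_team, tasks),
    }
    return steps


if __name__ == "__main__":
    for step, view in simulate_offboarding().items():
        print(step, view)
```

The point of the walk-through is the window between step 1 and step 3: with the internal group, bob is still listed as a member (and task T-2 still looks validly assigned) until someone from that group logs in. In a low-traffic group that window can be long, which is the kind of thing a regulated customer will want to account for when choosing between the two mappings.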
Original Message:
Sent: Sun June 14, 2020 11:27 PM
From: Rameshkumar Chandrasekar
Subject: How do I manage LDAP users in Team and Internal Group with BPM
Thank you Stuart. May I know the disadvantage of having Team -> LDAP Group?
Let's say a user resigned from the organisation and the user ID is removed from the LDAP group. What will happen to the tasks which are assigned to the user, and what will happen to future tasks? Will sync happen automatically and the user be removed from the BPM product DB?
------------------------------
Rameshkumar Chandrasekar
Original Message:
Sent: Fri April 10, 2020 09:06 AM
From: Stuart Jones
Subject: How do I manage LDAP users in Team and Internal Group with BPM
If the "sets of users" that handle tasks in a particular swim lane map nicely to some set of LDAP groups, then mapping a Team to that set of LDAP groups is the best practice. However, this is not always the case, and it is not always straightforward to have new/different LDAP groups created by your security organization, so BPM Teams are provided as another grouping construct for users. A second best practice is to minimize the individual users that are included in a Team.
The advantage that you asked for is that an internal (BPM) group enables more control over grouping of users. The cost of this is that you have to administer these BPM groups. Ideally, you would map a Team to some set of LDAP groups.
------------------------------
Stuart Jones
Hybrid Cloud Architect
IBM
Chicago IL
6303904436
Original Message:
Sent: Thu April 09, 2020 01:26 PM
From: Rameshkumar Chandrasekar
Subject: How do I manage LDAP users in Team and Internal Group with BPM
Hi All,
What is the best way to set up teams, and why?
Currently our existing application has the setup shown below.
Team -> LDAP group.
If we change that to Team -> Internal Group -> LDAP, what are the advantages and disadvantages?
------------------------------
Rameshkumar Chandrasekar
------------------------------