7 Replies Latest reply on Jul 14, 2006 3:53 PM by kazam

    Regarding Identity Management Component

    kazam Newbie

      I have been using JBPM 3.1.1 for almost a month over here and really prefer it over my previous not so BPM tool, Oracle BPEL.

      In JBPM I came across the identity management component. I found out that an application I was working on had users and roles but no group associations. The identity component model seems like an excellent model to use in that scenario.
      I wished to ask, some directions or pointers as how to bring in permissions for roles into the JBPM identity component.

      Thanks for your time and creating a great BPM framework.

        • 1. Re: Regarding Identity Management Component
          Koen Aers Master

          At this point introducing and checking permissions has not been a priority because in most cases this responsibility is assumed by the application (webapp, standalone app) hosting jBPM. Moreover it is very difficult to provide a generic system that does not impact performance and that satisfies every user.
          So the way to do this is to define the permissions you want to have in your system, develop your own AuthorizationService and the checkPermission method of this service, and insert calls to this service at the appropriate places in the jBPM code as this service is not yet used for the reasons stated above.

          Hope this helps,

          • 2. Re: Regarding Identity Management Component
            kazam Newbie

            Thanks, Koen for your reply.
            Just out of curiousity, is there a specification on which the JBPM Identity component is based or extracted from, like portlets for instance.
            I just wish to use it to grab a better understanding of the JBPM Identity component model.
            Thanks, Kenan.

            • 3. Re: Regarding Identity Management Component
              Ronald van Kuijk Master

              No, it is not based on any standards, just "gezond boeren verstand" (try translating that with any system ;-)) and some academic studies.

              • 4. Re: Regarding Identity Management Component
                Koen Aers Master

                Hmm as usual, babelfish messes up: 'healthy farming verstand'. And if you specify 'gezond boerenverstand' it says: 'healthy farmer verse cog' :-)
                But indeed, it is not based on any standard. It is there for convenience and if you need something else (more or less powerful) you can easily change it... In the future we will align the identity component with the one used in JBoss Portal.


                • 5. Re: Regarding Identity Management Component
                  jbpmndc Newbie

                  Because jBPM works right in the app, why have a separate authentication/authorization mechanism from the server?

                  I assume the reason the big vendors often have a separate identity component is becuase their implementations are often separate from the application server.

                  • 6. Re: Regarding Identity Management Component
                    Koen Aers Master

                    The reason is that jBPM is also able to run outside of an app server, e.g. in Tomcat or in a rich client application. But to do interesting things wrt task management and task assignment, you need an identity component. So we provided a default system that is *very* easily changeable by any system provided by some 'big vendor' :-))
                    The only thing you have to do to implement this is provide your own implementation of a configurable assignment handler.


                    • 7. Re: Regarding Identity Management Component
                      kazam Newbie

                      Thanks all.
                      I am now trying to use jbpm identity component model to point to my applications datasource, as I already have information for users and roles in the application and wish to extend the model by including groups and memberships.

                      I am newbie to hibernate so I am not exactly sure if I am doing it correctly.

                      I have a user and a role table and have created a group and memberships table in my schema.

                      I have taken out the identity components mappings from hibernate.cfg.xml and created another hibernate configuration file and placed in those mappings there, with connection properties for my application database.

                      However, I am having trouble connecting to two oracle schema's at the same time, one for JBPM and the other for my application with JBPM_ID component tables.

                      Any ideas or directions are much appreciated.
                      Thanks, Kazam.