Oracle BPM 10g FDI (Fuego Directory Interface) Hybrid configuration enables authentication and authorization to be delegated to Microsoft Active Directory while the rest of the metadata needed by Oracle BPM resides in the FDI database managed by Oracle BPM. Discussed here are recommendations on how and where the directory information should be created, maintained and synchronized to ensure participants have their correct permissions.
In Oracle BPM 10g, there is no need to extend Microsoft Active Directory's underlying schema. Oracle BPM only reads and does not directly update Microsoft Active Directory information.
Do not confuse the abstract swim lane role name that you create in Oracle BPM Studio processes with the real roles discussed here. Real roles are the roles you match the abstract roles to when you publish and deploy individual processes on Oracle BPM Enterprise. For this discussion, only the Oracle BPM Enterprise real roles are germane. Similarly, do not confuse the Oracle BPM Organization's groups with the groups discussed here. The groups discussed here refer to Microsoft Active Directory groups.
Participant, group and organizational unit administration is managed by your existing Microsoft Active Directory administrators using the same tools they are already familiar with. Once created, the participants are assigned to the groups by the Microsoft Active Directory administrator. All of this information is stored in Microsoft Active Directory.
Note the dotted lines in the illustration above. Once created in Microsoft Active Directory, Oracle BPM's FDI reads these organizational units, participants, groups and their assignments previously created in Microsoft Active Directory.
In Microsoft Active Directory:
* Participants are created and maintained using the Microsoft Active Directory administration tool
* Groups are created and maintained using the Microsoft Active Directory administration tool
* Organizational Units are created maintained using the Microsoft Active Directory administration tool
* Participants are assigned to Groups and Organizational Units using the Microsoft Active Directory administration tool
In Oracle BPM FDI:
* Roles are created in Oracle BPM
* Oracle BPM Roles are assigned to the Groups already created in Microsoft Active Directory using the Oracle BPM Process Administration tool
* Although Oracle BPM Roles can still be assigned to the Participants using the Oracle BPM Process Administration tool, this is not recommended because it makes management of role assignments much more complex (see "Participant, Role and Group Assignment Best Practices" below)
* Each parametric role is similarly assigned to its own individual group already created in Microsoft Active Directory using the Oracle BPM Process Administration tool. If a parametric role has 12 different parameters, create groups for each of these.
If absence periods, calendar rules or holiday rules are required, these are added in the Oracle BPM Process Administration tool.
Oracle BPM Engine and Microsoft Active Directory Synchronization
In the Process Administration tool, how the Oracle BPM Engine synchronizes with Microsoft Active Directory is defined inside the "Others" tab.
The "Directory" section of this tab defines how often (in minutes) the Oracle FDI metadata is refreshed from the changes made to the Microsoft Active Directory. The "Directory Polling Interval" property defines how frequently the Microsoft Active Directory information is refreshed. The default is 1 minute. For most companies, having a 2 hour refresh rate is sufficient. During the refresh, Oracle BPM's FDI database only retrieves from Microsoft Active Directory:
* new participant ids
* new group ids
* new organization ids and
* changes to the assignments of participants to the various groups
Even if a synchronization has not recently occurred, when users log into the Workspace their group permissions are automatically retrieved from Microsoft Active Directory at runtime.
Large and mid-sized corporations sometimes have thousands of participants, groups and organization units. At least initially, only a small fraction of these are actively used by Oracle BPM at runtime. When assigning participants to Groups that will ultimately be used by Oracle BPM, it is strongly recommended that Microsoft Active Directory administrators use "Master Groups". When master groups are used, Oracle BPM only has visibility to participants who specifically belong to a master group or groups.
Instead of having to synchronize the thousands of Microsoft Active Directory changes throughout a corporation, master groups limits the synchronization to only the changes made to the Oracle BPM related participants and the master groups. This will speed synchronization and improve the engine's startup time.
When using master groups, always ensure that the Oracle BPM Administrator belongs to one of the Master Groups.
There are many permutations that will work, but pick the simplest approach that works best for your needs.
As mentioned previously, one approach that has worked for customers is to create groups and participants in Microsoft Active Directory and to manage the relationship between groups and participants there. Taking this approach, an Oracle BPM administrator using the Oracle BPM Process Administration tool assigns the Oracle BPM real roles with the groups created in Microsoft Active Directory.
The simplest approach is to have a one to one correspondence between these groups and roles. For each role, assign it a separate group. For each parameter in a parametric role, assign it a separate group. Not all groups will need to be created - sometimes groups with participants already exist that coincide with Oracle BPM roles. Use these groups if this is the case.
Be careful assigning a single group to more than one role. While this is allowed, a role named Client Manager in a marketing process will involve a completely different group of people than the Account Manager role inside a sales process. First understand the role in the process and then determine the people (group) that should be assigned. Even though the roles might have similar sounding names, always verify who should be in the group
Although assigning participants to specific individual Oracle BPM roles is still permitted in this scenario, this should do not be done when using Microsoft Active Directory as Oracle BPM's hybrid LDAP. There must be just one system of record for participant assignments to their work and it needs to be Microsoft Active Directory in this scenario.
* Microsoft Active Directory is the central location for all organization unit, participant, group and participant assignment to groups and organization units. The Oracle BPM FDI database stores the assignment of roles to groups and assignment of absence periods to participants.
* Assign participants to groups using Microsoft Active Directory - do not assign participants to roles in the Oracle Process Administrator tool.
* In large and mid-sized corporations, use Master groups to reduce synchronization and Engine startup time.
Join the Conversation
I have been following your blog posts and tutorials over internet to understand and learn Oracle SOA & BPM Technology.
Recently I came across a scenario which appears to be an understanding issue from my end for which I need your expert advice. I have configured Weblogic Security Realm to authenticate against Microsoft Active Directory and able to populate users/gropus from AD in WLS User & Groups. But if I want to use the same users to associate with my BPM process roles (Swimlanes) I am getting stuck. As all I came across the blogs is configuration of AD for Weblogic and I assume once users & groups are linked from AD to WLS same should be usable in mapping users for BPM Processes. But its not populating when I tried through BPM Composer Administration tab.
Is there a specific setting I need to change at BPM Administration screen or EM to populate users from AD in BPM Workspace?
Please advice as honestly I couldn't find a single blog mentioning this sceanrio.