- evolosoft

Transcription

- evolosoft
Metastorm BPM
Version 9.0
Administration Guide
December 2009
Metastorm Inc.
email: [email protected]
http://www.metastorm.com
Metastorm BPM Version 9.0
Copyright Notice
© 1996–2009 Metastorm Inc. All Rights Reserved.
Trademark Information
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Metastorm®, Metastorm BPM®, Process Pod®, Enterprise Process Advantage®, ProVision®, The Best Process Wins®,
Proforma®, Metastorm Knowledge Exchange®, Metastorm DNA®, Metastorm Discovery™, Business to the Power of 3™
and the See.Think.Do image are either registered trademarks or trademarks of Metastorm in the United States and/or other
countries.
Microsoft®, Outlook®, Word®, SQL Server™, Windows®, Vista®, Active Directory®, Visual Basic®, JScript®,
SharePoint® and BizTalk® are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
Adobe® is a registered trademark of Adobe Systems, Inc.
AIX®, AIX 5L™, CICS®, CICSPlex®, DB2®, DB2 Universal Database™, HACMP™, Integrated Language
Environment®, i5/OS®, IBM®, ibm.com®, IMS™, IMS/ESA®, iSeries™, Language Environment®, MQSeries®,
MVS™, OS/390®, OS/400®, Parallel Sysplex®, pSeries™, RACF®, S/390®, SupportPac™, WebSphere®, z/OS™,
zSeries® are either registered trademarks or trademarks of the International Business Machines Corporation in the United
States and/or other countries.
JBoss, Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and
other countries.
SuSE® is a registered trademark of SuSE Linux AG.
Sun, Sun Microsystems and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in
the U.S. and other countries.
SPARC® is a registered trademark of SPARC International, Inc. SPARCstation® is licensed exclusively to Sun
Microsystems, Inc. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc.
DataDirect®, DataDirect Connect® for JDBC™, DataDirect Connect® for ODBC are registered trademarks of Progress
Software Corporation or one of its subsidiaries or affiliates in the United States and other countries.
EJB, J2EE, Java, Java runtime environment, JavaScript, JMX, JRE, JSP, JVM and all Java-based trademarks are
trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
Linux is a trademark of Linus Torvalds in the United States and/or other countries.
Intel® and Itanium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Eclipse is a trademark of the Eclipse Foundation, in the United States and other countries.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
"Apache Tomcat" and "Tomcat" are trademarks of the Apache Software Foundation.
HP, HP-UX and PA-RISC are registered trademarks of the Hewlett-Packard Company.
BusinessObjects™, Crystal Reports® are trademarks or registered trademarks of Business Objects S.A. in the United States
and in other countries. Business Objects is an SAP company.
Other trademarks are the property of their respective owners.
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Metastorm accepts no responsibility, and offers no warranty whether expressed or implied, for the accuracy of this publication.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, recording, or otherwise, without the express written permission of Metastorm Inc.
The information in this document is subject to change without notice.
Metastorm BPM Version 9.0
December 2009
Page ii
Metastorm BPM Version 9.0
Metastorm BPM Version 9.0
Administration Guide
Table of Contents
1 Process Engine.................................................................................................................................... 1 1.1 Overview ........................................................................................................................................................ 1 1.2 Engine Operating Environment .................................................................................................................... 1 1.2.1 Starting the Engine ............................................................................................................................. 2 1.2.2 Additional configuration steps for Windows XP ............................................................................. 3 1.2.3 Troubleshooting: Problems Starting the Engine ............................................................................... 3 1.2.4 Troubleshooting: Engine Failure ....................................................................................................... 4 1.3 Database Connections ................................................................................................................................... 4 1.4 Engine Security Settings................................................................................................................................ 5 1.4.1 Role Checking .................................................................................................................................... 5 1.4.2 Binding Roles to Users or Groups..................................................................................................... 5 1.5 Event Manager ............................................................................................................................................... 6 1.5.1 Configuring the Event Manager ........................................................................................................ 6 1.5.2 Event Manager Registry Settings ...................................................................................................... 7 1.6 Alert Generator .............................................................................................................................................. 7 1.6.1 Alert Generator Configuration Columns .......................................................................................... 8 1.6.2 Alert Generator Registry Settings...................................................................................................... 8 1.7 Engine Registration ....................................................................................................................................... 9 1.7.1 Reviewing Engine Registration Settings........................................................................................... 9 1.8 Error Logging............................................................................................................................................... 11 1.8.1 Operation and Transaction Protocol Logging................................................................................. 11 1.9 Engines and Time Zones ............................................................................................................................. 12 1.10 Engine and Invalid XML............................................................................................................................. 12 1.11 Re-registration of the Engine....................................................................................................................... 12 1.11.1 EngineConfig ................................................................................................................................... 13 1.12 Problems with Re-Registration ................................................................................................................... 14 1.12.1 Problems Running regsvr32 ............................................................................................................ 14 1.12.2 Problems Running EngineConfig ................................................................................................... 15 1.13 Engine .NET Interface Clients .................................................................................................................... 15 1.14 Configuring the Engine Service .................................................................................................................. 16 1.14.1 Configuration.................................................................................................................................... 16 1.14.2 .NET CLR Configuration ................................................................................................................ 17 1.14.3 Engine Parameters............................................................................................................................ 18 1.14.4 HKEY_LOCAL_MACHINE ......................................................................................................... 19 1.14.5 Engine Registry Settings.................................................................................................................. 23 1.14.6 Non Registry Settings ...................................................................................................................... 26 2 Metastorm Designer.......................................................................................................................... 28 2.1 Designer Settings ......................................................................................................................................... 28 3 Metastorm Deployment .................................................................................................................... 29 3.1 Deployment Service .................................................................................................................................... 29 3.1.1 Overview .......................................................................................................................................... 29 3.1.2 Configuration Files........................................................................................................................... 30 3.1.3 SSO Configuration ........................................................................................................................... 30 3.1.4 Deployment Debugging................................................................................................................... 31 3.2 Deployment Client....................................................................................................................................... 31 Metastorm BPM Version 9.0
December 2009
Page iii
Metastorm BPM Version 9.0
3.2.1 Overview .......................................................................................................................................... 31 3.2.2 Configuration Files........................................................................................................................... 32 3.2.3 Command Line................................................................................................................................. 35 4 Managing Authentication ................................................................................................................. 37 4.1 Overview ...................................................................................................................................................... 37 4.2 Open Authentication .................................................................................................................................... 37 4.2.1 Server Authentication Provider (SAP) scripts ................................................................................ 37 4.2.2 Process Definition Document (PDD).............................................................................................. 38 4.2.3 How Open Authentication works .................................................................................................... 38 4.3 Metastorm Web client Authentication ........................................................................................................ 40 4.3.1 Authentication Architecture............................................................................................................. 40 4.3.2 Username and Password Configuration .......................................................................................... 41 4.3.3 Single Sign On Configuration ......................................................................................................... 42 4.3.4 Public Access Authentication .......................................................................................................... 48 4.3.5 Web Farm Deployment ................................................................................................................... 52 5 Metastorm Administrative Tools .................................................................................................... 54 5.1 Overview ...................................................................................................................................................... 54 5.1.1 Installing the Administrative Tools ................................................................................................. 54 5.1.2 Launching the Administrative Tools............................................................................................... 54 5.1.3 Recovery Mode Authentication ...................................................................................................... 55 5.2 Users ............................................................................................................................................................. 55 5.2.1 User & Role Concepts ..................................................................................................................... 55 5.2.2 Managing Users ............................................................................................................................... 55 5.2.3 Create users ...................................................................................................................................... 57 5.2.4 Delete Users...................................................................................................................................... 58 5.2.5 Update User ...................................................................................................................................... 58 5.2.6 Create Attributes .............................................................................................................................. 59 5.2.7 Assign Static Roles to Users ............................................................................................................ 60 5.2.8 Find Users......................................................................................................................................... 61 5.2.9 Create a Reports To Structure.......................................................................................................... 63 5.3 Roles ............................................................................................................................................................. 63 5.3.1 Role-based Work Management....................................................................................................... 63 5.3.2 Identifying the User & Role Assignments in Your Organization.................................................. 64 5.3.3 Managing Roles ............................................................................................................................... 65 5.3.4 Searching Roles ................................................................................................................................ 65 5.3.5 Checking Roles ................................................................................................................................ 66 5.3.6 Assign Static Roles to Users ............................................................................................................ 67 5.4 Log................................................................................................................................................................ 67 5.4.1 Managing Error Logs ....................................................................................................................... 67 5.5 Metastorm Repository ................................................................................................................................. 68 5.5.1 Managing Metastorm Repository.................................................................................................... 68 5.5.2 Managing Service Level Settings .................................................................................................... 69 5.5.3 Session Timeout Period ................................................................................................................... 70 5.5.4 Folder Lock Timeout ....................................................................................................................... 71 5.5.5 View Projects and Libraries............................................................................................................. 72 5.5.6 Deleting a Project ............................................................................................................................. 73 5.5.7 Deleting a Library ............................................................................................................................ 74 5.5.8 Administer Folders........................................................................................................................... 74 5.5.9 Administer Procedure and Library Elements.................................................................................. 77 5.6 Authentication .............................................................................................................................................. 80 5.6.1 Administering Server Authentication Provider (SAP) Scripts....................................................... 80 5.7 Services ........................................................................................................................................................ 82 5.7.1 Registering Services......................................................................................................................... 82 5.7.2 Configuring Registered Services ..................................................................................................... 83 5.8 SSO Configuration....................................................................................................................................... 84 Metastorm BPM Version 9.0
December 2009
Page iv
Metastorm BPM Version 9.0
6 Administrative Processes ................................................................................................................ 85 6.1 Browser Settings .......................................................................................................................................... 85 Metastorm BPM Version 9.0
December 2009
Page v
Metastorm BPM Version 9.0
1
PROCESS ENGINE
1.1
Overview
The Metastorm Process Engine serves the Metastorm web client, it authenticates Metastorm users and
processes all Business Process Management (BPM) logic. The Process engine allows access to the
Metastorm Database, external databases and allows integration between other systems and services via
server-side integration.
The Process Engine is implemented as a layered design, the four central layers – ECL Server, Operations
Handler, Executable Elements, and Engine Services execute in a single server process, hosted by COM+.
The ECL Client component executes within the Web Client ASP.NET application. Communication
between ECL client and server components is via .NET Remoting. The ECL Server layer communications
with the other Engine layers via WCF – for all folder, forms list, and filter operations – or via COM for all
other operations.Alerts list and filter, authentication, and attachment operations are implemented by
Transaction Protocol (TP) and executed by eWorkTransaction request handlers. TP responses are parsed
into .NET object instances by the ECL Server component for return to the Web client.
1.2
Engine Operating Environment
The Process Engine is implemented with two types of components:
• Pure .NET components for full compatibility with the .NET environment.
•
Highly optimized native components that allow MBPM be highly scalable and reliable with high
performance.
The Process Engine can be seen as a collection of COM in-process components, and .NET types, which
work together as an application. These components need to run in an operating system process
appropriate for both the application and the Engine components; i.e. the:
•
Engine process should run under an account that determines what the Engine can do on the system.
•
Security infrastructure should be easily configurable, so the Engine Administrator can control access to
the Engine’s services.
The system that provides this infrastructure is COM+.
This section describes the operating environment for the Process Engine, and covers:
•
How to start the Process Engine.
Metastorm BPM Version 9.0
December 2009
Page 1
Metastorm BPM Version 9.0
• Additional Configuration Steps for Windows XP
• Troubleshooting: Problems Starting the Engine
• Troubleshooting: Engine Failure
•
How to check and administer the Process Engine registration
•
How to Check and administer the Process Engine's security settings
•
How to re-register the Process Engine
1.2.1
Starting the Engine
The core Engine functionality runs as a COM+ application. The eEngine.exe executable is provided to start
the application – the Engine system service executable. Installation sets this up and allows for a manual or
automated start.
The COM+ application hosts the Engine’s COM+ components and the .NET Common Language Runtime
(CLR), as illustrated in the following diagram:
The .exe file that starts the Engine COM+ application must be running under an account with sufficient
access rights to communicate with the application. This account does not need administrative rights; the
Engine can run under an account with user privileges. This account must have the following access
privileges for the Engine registry key and its sub-keys:
•
Query Value
•
Set Value
To grant these privileges:
1.
Open the Registry Editor by typing regedt32 in to the Windows Run dialog.
2.
Navigate to the registry key HKEY_LOCAL_MACHINE\Software\Metastorm\e-work\Engine.
3.
Right click on Engine and select the menu item Permissions….
4.
Add the user account you intend to use to run the Engine.
5.
With the user highlighted in the Name list, click the Advanced… button. The Access Control
Settings dialog appears.
Metastorm BPM Version 9.0
December 2009
Page 2
Metastorm BPM Version 9.0
6.
Select the relevant user, and click on the View/Edit… button. The Permission Entry dialog
appears.
7.
In the Permissions list, ensure that the Allow checkbox is checked for Query Value and Set Value.
8.
Ensure these permissions are set for each sub-key of the Engine registry key.
1.2.2
Additional configuration steps for Windows XP
When configuring a web client to connect to an Engine, the identity of the ‘IIS Out-Of-Process Pooled
Applications’ or ‘IIS-{Default Web Site//ROOT/escripts}’ COM+ Application must be configured.
The identity of the ‘IIS Out-Of-Process Pooled Applications’ or the ‘IIS-{Default Web
Site//ROOT/escripts}’ COM+ Application account must be configured as a client of the remote Engine
service.
If the protection on the web server’s web extensions virtual folder (by default, escripts) is set to:
•
High (Isolated), update the ‘IIS-{Default Web Site//ROOT/escripts}’ COM+ Application identity.
•
Medium (Pooled), update the ‘IIS Out-Of-Process Pooled Applications’ COM+ Application
identity.
Otherwise, trying to connect to a remote engine may produce the following error:
Invalid data for a node of type 'CDATA'
1.2.3
Troubleshooting: Problems Starting the Engine
COM+ problems starting the Engine are reported in the event log. For full problem reporting, we suggest
you set full auditing of failures.
To set full failure auditing:
1.
Start the Local Security Policy snap-in by selecting the Windows Start | Control Panel |
Administrative Tools | Local Security Policy.
2.
Navigate to Local Policies | Audit Policy in the Tree, as shown below:
3.
Set failure auditing for each of the items in the details pane, by:
• Double-clicking the item in the details pane
• Checking the checkboxes in the Local Security Policy Setting dialog.
Some common problems starting the Engine are discussed in the following sections. They are:
• Inability to start Engine.
• ‘Access is denied’ error when attempting to connect.
Inability to start Engine
This can occur because the Engine application’s identity is ‘Interactive User’ and an attempt is made to
start the Engine (for example, automatically as a service) when nobody is logged on to the machine. To
resolve this, change the identity to something other than ‘Interactive User’.
Access is denied’ error when attempting to connect
When attempting to connect, an ‘Access is denied’ error may occur in the application or system event log.
This occurs when an account, without the necessary role, requests communication with the Engine (usually
a client without the Client role attempting to connect to the Engine).
This is resolved by ensuring the account either:
Metastorm BPM Version 9.0
December 2009
Page 3
Metastorm BPM Version 9.0
•
Has the required role
•
Becomes a member of a Windows user group that holds the role.
For the web client, if a web server is connecting to:
•
An Engine via ECL/TCP, the connecting account will be the launching account as specified in the
COM+ identity for the escripts virtual folder.
•
An Engine via ECL/IIS. The connection account will be the account that the ECL Server web
application is running under. Further security permissions will be required for the Web Client to
connect to the ECL Server application.
Note: When role-based security is enabled on the Engine, the escripts virtual folder should be configured to
Medium or High isolation so that a launching account is available through the respective COM+ package.
Note: Changed COM+ settings do not take effect until the Engine application is restarted.
A related problem can occur when the Engine attempts to communicate with another application via COM,
for example:
•
During a Microsoft Word mail merge
•
Creating a COM object using server-side scripting.
Again, if the Engine’s account does not have sufficient rights to communicate with the required COM
server, access is denied.
This is resolved by accessing the dcomcnfg utility (part of Windows) and changing either the:
•
Application security settings.
•
Default security settings.
1.2.4
Troubleshooting: Engine Failure
If the Engine fails during operation, a message will be written to the event log.
You may see the following log message after an Engine failure:
Unhandled exception thrown from a .NET Script or Workflow: <caught exception message from failed
script>, this has caused the Metastorm Engine to stop. Please restart the Engine.
This can occur when a migrated JScript.NET script spawns one or more additional threads, and one of these
threads throws an exception that it fails to handle.
Scripts created in version 9 processes are protected to prevent errors of this type terminating the Engine
process, however good exception handling practice in scripts is strongly recommended.
1.3
Database Connections
The following database connections are used by the Engine:
•
A single database connection for each Client request. The lifetime of the connection is the lifetime of the
request.
•
A single database connection for each Event Manager request. The lifetime of the connection is the
lifetime of the request.
•
Two database connections, used by the Alert Generator. These connections are held continuously by the
Alert Generator.
Metastorm BPM Version 9.0
December 2009
Page 4
Metastorm BPM Version 9.0
•
Two database connections, used by the Event Manager. However, these are created only on demand
(unlike the Alert Generator’s connections).
Additional database connections may be generated by external database MBO operations or from a
script, where the author has decided to do their own database handling.
Note: If tracking the numbers of database connections held, note that COM+ and ADO.NET
database pooling means that the numbers of connections held over time is 'smoothed out'.
The Engine supports Unicode character formats but it is able to support non-Unicode formats when
using external databases.
1.4
Engine Security Settings
This section enables you to review the security settings
Note: Refer to the previous section for instructions on how to access the Security tab.
COM+ uses roles, which:
•
Define access based on job items.
•
Are bound to Windows users or groups.
Role-based access permissions can be defined for each Engine component. The 4 automatically defined
COM+ roles are:
•
Administrator, which has full access to all Engine services. This role should be highly restricted,
as it can start and stop the Engine.
•
Client, which has access to the transaction protocol, used to fulfill most requests. Typically, this
role is held by any user account or group, which needs to communicate with the Process Engine to
do work. Such user accounts could include:
•
The web server’s anonymous user account.
•
IIS hosted ECL application identity account.
•
Any accounts used to run client software.
•
Flag Raiser, which has the ability to raise a flag externally.
•
MQ Notifier, required for using Metastorm BPM with message queuing systems.
1.4.1
Role Checking
Role checking is performed only if the Engine application is configured for authorization checking.
To ensure role checking is performed:
1.
Start the ‘Component Services’ application.
2.
Navigate to the ‘Process Engine’ application.
3.
Select the Action menu | Properties.
4.
Select the Security tab.
5.
Ensure the Enforce access checks for this application checkbox is checked.
6.
Ensure the Security Level is set to Perform access checks at the process and component level.
1.4.2
Binding Roles to Users or Groups
Binding a user group, rather than specific user accounts, to a role can provide more flexibility.
Metastorm BPM Version 9.0
December 2009
Page 5
Metastorm BPM Version 9.0
For example, when a new user joins a team that uses the Client role, if the new user account is bound to the
Client role, the new user can access the Engine only after it has been restarted. In this case, it may be better
to set up a Windows user group called ‘Metastorm Clients’ and bind this to the Client role. Now, when the
new user joins, the user account is simply made part of the ‘Clients’ group.
To see the users and groups bound to a COM+ role:
1.
Access the Component Services main window.
2.
Navigate to the Roles folder.
3.
Open the relevant role’s folder, then its Users folder.
To add more users or groups to a role:
1.
Access the Users folder for the role, as described above.
2.
Select the Action menu, the New submenu, then the User menu option. The Select Users or
Groups dialog is displayed.
3.
Add users and groups as required, by selecting them then clicking on the Add button.
1.5
Event Manager
The Event Manager is an asynchronous component in the Metastorm engine which processes system events,
invoking system actions (flagged actions, conditional actions and timed actions) as required. System actions are
operations which are scheduled by the engine and are stored in the eWait table.
The Event Manager can be configured to run with multiple threads which is particularly useful on systems where
system actions may take considerable time to complete (such as actions that use scripting to communicate with
external applications).
1.5.1
Configuring the Event Manager
The Event Manager is started during the engine’s startup sequence. The Event Manager creates the number of
threads defined in the registry setting HKEY_LOCAL_MACHINE\SOFTWARE\ Metastorm\ework\Engine\Event manager\Thread count.
The Event Manager can be configured via the registry settings to allow the following modes of operation:
•
On Demand. This is the default configuration. Notifications to perform system action processing occur
when the system deems it necessary. Specifically, if an engine is configured to handle events on demand,
then it relies upon receiving submit requests from clients to activate timer/conditional processing; or else
flags being raised against this engine to do flag processing.
•
Polling. This mode tells the engine to check every n seconds to see if there are system actions which
need processing. This may be useful on an engine dedicated to back-end processing, which may not
perform as many actions as a client-facing engine.
•
Disabled. The Event Manager component is not started on this engine. This configuration allows an
engine to be dedicated to handling client requests.
Note: For an engine with the Event Manager set to Disabled, it is still possible for flags to be raised (queued) and
for system actions to be registered. However, there is no Event Manger running on this engine to process them.
On start-up, the engine’s name and Event Manager configuration are written to the eEngineName and
eEventManagerConfig columns of the eActiveEngine table. Having these settings mirrored in the eActiveEngine
table allow an administrator to check the configuration of an entire Metastorm BPM system through a single
database query.
Metastorm BPM Version 9.0
December 2009
Page 6
Metastorm BPM Version 9.0
When the engine is told to shutdown, the Event manager is notified. All threads are shut down before the engine
exits.
1.5.2
Event Manager Registry Settings
The following registry settings can be configured on each engine:
Poll Interval (secs)
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager
Name: Poll Interval (secs)
Type: DWORD
Value: By default, set to 0. If the value is set to a non-zero value, engine will pro-actively look for any events
(timers, conditionals, flags) which need processing every n seconds.
Thread count
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager
Name: Thread count
Type: DWORD
Value: This can be set values between 1 and 64. Used to specify the number of threads dedicated to the event
manager.
Batch size threshold for thread
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager
Name: Batch size threshold for thread
Type: DWORD
Value: This key controls the number of requests handled by an individual thread. The Event Manager uses the
value to determine how many threads should be used to handle a batch of requests.
For example, if the batch size is set to 5 and there are 22 requests then 5 threads will be used. If the batch size is set
to 10 and there are 22 requests then 3 threads will be used. (The forgoing assumes that the event manager’s thread
count is set to a value of 3 or more).
Note: If the Event manager is using a single thread, this key is set to 0.
Disabled
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager
Name: Disabled
Type:
DWORD
Value: By default, set to 0. Setting this to non-zero value indicates that this particular engine does not perform
system action processing (timed actions, conditional actions, flagged actions). However it will still add events to
the eWait and eRaisedFlag tables in the usual way.
1.6
Alert Generator
The Alert Generator maintains visibility of ToDo and Watch Lists for each user as folders are moved from stage to
stage. When an action is performed, an alert request is made which is added to the eAlertRequest table. The alert
requests are processed asynchronously in the order that they have been submitted.
The Alert Generator is started during the engine’s startup sequence. The number of threads to be used for
processing requests is defined in the registry setting KEY_LOCAL_MACHINE\ SOFTWARE\Metastorm\ework\Engine\Alert Generator\Thread count
On start-up, the engine’s name and Alert Generator configuration are written to the eEngineName and
eAlertGeneratorConfig columns of the eActiveEngine table.
Metastorm BPM Version 9.0
December 2009
Page 7
Metastorm BPM Version 9.0
The Alert Generator can be configured via registry settings to allow the following modes of operation:
•
On Demand. This is the default configuration. The operating system event which causes alert processing
to occur is signaled when an alert request is added to the queue (the eAlertRequest table). This happens
when an action is performed by this engine (usually moving a folder from one stage to another) which
requires the alerts for a particular folder to be re-evaluated.
•
Polling. This tells the system to prod the Alert Generator every n seconds to see if any alert requests need
processing. This may be useful on a system dedicated to back-end processing, which may not perform as
many actions as a client-facing engine.
•
Disabled. The Alert Generator component is not started on this engine, and the Alert Generator is not
invoked. As a consequence no alert processing is ever done by this engine. This may be useful for a
client-facing engine, dedicated to handling client requests.
Note: An engine with a disabled Alert Generator will still queue alerts. However, there is no Alert
Generator running on this engine and therefore the alerts will not be processed on it.
•
1.6.1
N/A. The system is not configured to do alert generation. None of the Alert Generator components on
any of the engines in this system are started, and therefore no alert processing is performed on this
system.
Alert Generator Configuration Columns
The Alert Generator can be configured to change the way the engine works on the whole system by configuring
the following columns in the eServer table:
•
•
eDoAlertGeneration
•
Data type: Numeric.
•
Default value: -1
•
Non-zero value. The Metastorm BPM system supports alert generation.
•
0 Alert generation is not supported and alert requests are not queued.
eDeleteDeletionAlerts
•
Data type: Numeric.
•
Default value: -1
•
0 Deletion alerts are marked in the eAlert table with the eAlertType column containing ~
(tilde).
•
Non-zero value. Deletion Alerts are deleted from eAlert table.
Note: By Default we are not creating deletion alerts; this is a change from v7.6 to v9.0 and it is
intended to reduce the size of the eAlert table. Deletion Alerts are only used by caching clients, they
are not required therefore by the web client. Administrators will need to alter the
eDeleteDeletionAlerts default column value to 0 before the engine will automatically record the
DeletionAlert in the eAlert table.
1.6.2
Alert Generator Registry Settings
The following registry settings can be configured on each engine:
Poll Interval (secs)
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert
Generator
Name: Poll Interval (secs)
Metastorm BPM Version 9.0
December 2009
Page 8
Metastorm BPM Version 9.0
Type:
DWORD
Value: By default, set to 0. If the value is set to a non-zero value, the engine will pro-actively
look for alert requests to handle every n seconds.
Thread count
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert
Generator
Name: Thread count
Type: DWORD
Value: This can be set values between 1 and 64. Used to specify the number threads dedicated to
the event manager.
Batch size threshold for thread
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert
Generator
Name: Batch size threshold for thread
Type: DWORD
Value: This key controls the number of requests handled by an individual thread. The Alert
Generator uses the value to determine how many threads should be used to handle a batch alert
request.
For example, if the batch size is set to 5 and there are 22 alert requests then 5 threads will be used. If
the batch size is set to 10 and there are 22 alert requests then 3 threads will be used. (The forgoing
assumes that the event manager’s thread count is set to a value of 3 or more).
Note: If the Alert Generator is using a single thread, this key is set to 0.
Disabled
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert
Generator
Name: Disabled
Type:
DWORD
Value: By default, set to 0. Setting this to non-zero value indicates that this particular engine does
not perform alert processing (process alert requests in the eAlert table). However it will still add
alert requests to the eAlertRequest table in the usual way.
1.7
Engine Registration
This section enables you to review the settings applied when registering the Engine COM+ application is
registered. These settings can be reviewed and updated using the Windows administrative tools Component
Services.
1.7.1
Reviewing Engine Registration Settings
To review the results of Engine registration, in the System Administrator:
1.
Start the ‘Component Services’ application.
2.
Navigate to the ‘Metastorm Process Engine’ application.
The ‘Metastorm Process Engine’ application has three components which, between them, expose the:
•
Main functionality of the application.
•
Four COM+ roles available for the application.
Metastorm BPM Version 9.0
December 2009
Page 9
Metastorm BPM Version 9.0
You can now examine the:
•
Application properties.
•
Component roles.
•
COM+ concurrency.
Application Properties
To examine the application properties:
1.
Select the ‘Engine’ application.
2.
Select the Action menu | Properties.
3.
Select the Identity tab:
4.
Ensure a specific user is named, as system services often run without user intervention (for example,
starting when a machine is booted).
Note: Ensure that the account under which the Engine is configured to run has full rights to:
•
The following registry key (and all its sub-keys and values):
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-Work\Engine
•
The Engine installation folder and sub-folders.
5.
Select the Security tab.
6.
Ensure the Enforce access checks for this application checkbox is checked. This indicates whether
Windows should perform security checks for gaining access to the Engine application’s components.
This checkbox is checked by default.
Note: For further information on security- related issues, refer to the sub-section on Security below.
7.
Select the Activation tab.
8.
Ensure that the root folder of the Engine installation (typically c:\Program
Files\Metastorm\BPM\Engine) is set in the Application Root Directory property.
9.
Select the Advanced tab.
10. Ensure the Minutes until idle shutdown radio button is selected.
11. Ensure the number of minutes is ‘0’, since the Engine service, rather than COM+, manages the lifetime
of the Engine itself.
Component Roles
The Process Engine application has three components registered in the COM+ application. Each component has
one or more COM+ roles defined. The following table lists the components, their purpose, and the roles to which
access may be restricted:
Component
Main purpose
Calling account requires
atleast one of these roles
e-Work.EngineManager.1
Controls lifetime of Engine
Administrator
e-Work.EventManager.1
Handles flag and timer
Administrator
Metastorm BPM Version 9.0
December 2009
Page 10
Metastorm BPM Version 9.0
Component
Main purpose
Calling account requires
atleast one of these roles
requests.
Metastorm.EngineEclEndpoint
Deals with ECL client requests
ClientComponents
ListComponents List
If the Engine (COM+) application is:
•
Configured for authorization checking, only accounts holding a relevant role can access its
components.
•
Not configured for authorization checking, no restrictions apply as to which components can be
accessed by which roles.
COM+ Concurrency
When the Engine is installed, it is very important to ensure that each of the Engine components has
Concurrency set so that Synchronization Support is required. Without this, there is the possibility of
producing an internal deadlock in the Engine.
To verify the Engine components’ Concurrency settings:
1.
Drill-down to the Process Engine application’s components.
2.
Select the required component.
3.
Select the Action menu | Properties.
4.
Select the Concurrency tab.
5.
In the Synchronization Support field, ensure the Required radio button is selected.
6.
Click on the OK button.
1.8
Error Logging
When the engine experiences a problem it writes errors to the eLog table in the Metastorm Database.
•
All exceptions raised by executable elements are logged in the eLog table.
•
When an exception is logged, all appropriate fields in the eLog table is populated. (For example,
when exceptions are not related to a particular folder, the folder ID does not need recording.)
•
The engine exposes a public method (exposed as an activity in the Designer) for allowing a userdefined process to write to the error log.
1.8.1
Operation and Transaction Protocol Logging
It is possible to write out a pair of XML documents for every client operation – the request and response –
for diagnostic purposes.
For managed operations – in the version 9 Engine these are action, folder and forms lists and filters – add
the following line to the Engine application.config file, under the appSettings element.
<add key="OperationLogLocation" value="z:\build\logs"/>
Metastorm BPM Version 9.0
December 2009
Page 11
Metastorm BPM Version 9.0
1.9
Engines and Time Zones
The way the Metastorm Process Engine handles Time Zone adjustments has changed from version 7.x. In
version 9.0 Time Zone adjustments is done by the Engine and is calculated as the difference between the
browser client and the Database management System (DBMS) server time.
This means that if the browser machine is in a timezone +2 hours ahead of the DBMS machine and is also
10 minutes fast then, then the extra 10 minutes will also be reflected in the time displayed to the client.
For this reason we recommend the time of a service is not changed while users are offline. Although not
essential, we also recommend that all Engine servers in a service are time-synchronized with the database
server in case user-defined server side scripts make use of .NET date/time or calendar types.
It is essential that Daylight Saving Time is disabled for the DBMS server. However if a service needs to support
only users in a single time zone, or many time zones for which Daylight Saving Time is always applied on the
same date (such as in the European Union), Daylight Saving Time can still be applied on the Engines in that
service.
1.10 Engine and Invalid XML
The Engine operates on data that invokes Unicode format. The Engine cannot handle invalid characters contained
in XML scripts. The following Unicode character values create invalid XML characters:
•
1-8
•
11-12
•
14-31
Although it is difficult for users to type these non-printable characters, they could be pasted into a field. In the
event that the Engine is presented with one of these characters, one of the following Engine errors may be reported
in the Event Log:
•
Invalid non-printable character found in an XML fragment. It is strongly recommended that a suitable
alternative is used, otherwise, the performance will be impacted.
•
Failed to load server data.
•
Failed to load decoded server data delta into a DOM.
•
Unable to load XML into DOM. Error(-1072896760) : An invalid character was found in text content.
1.11 Re-registration of the Engine
You may need to reconfigure the Engine’s COM+ setup, if:
• The installation displayed a COM+ error during Engine installation.
•
You wish to return to the default Engine COM+ settings.
The following files are provided, in the Process Engine folder (folder pathway by default, \Program
Files\Metastorm BPM\Engine), to help with Engine reconfiguration:
•
The EngineConfig utility (EngineConfig.exe)
•
The Metastorm Engine.PAK file, called by EngineConfig.exe.
Metastorm BPM Version 9.0
December 2009
Page 12
Metastorm BPM Version 9.0
Note: For User Account Control (UAC) enabled systems it is recommended to run the EngineConfig from
an elevated privilege command prompt.
1.11.1 EngineConfig
EngineConfig sets up the Engine to run as a COM+ application. For example, you can use EngineConfig to
specify:
•
A COM+ application file to describe how the Engine components should be organized in the
application. This may be useful for troubleshooting.
•
Engine identity and password.
This subsection describes EngineConfig’s command-line arguments.
/Package:<package file | application file>
Specifies the application COM+ package to install. This is normally a file with .PAK/MSI extension. (The
Metastorm Install comes with a .PAK file, however it is possible for customers to create their own MSI file
to facilitate deployment across a large number of machines)
When specifying the application / package, you must:
•
Specify the full path.
•
If the path contains spaces, surround the entire argument in double-quotes, for example:
"/Package:C:\Program Files\Metastorm\BPM\Engine\Metastorm
Engine.PAK"
If you omit the file extension, EngineConfig assumes it is MSI.
If the Process Engine is installed via the Metastorm BPM setup program, avoid using Metastorm
Engine.MSI either in this parameter or directly. Microsoft Windows Installer registers this MSI as part of
the main Metastorm BPM installation and does not permit operations with it by other programs.
If the Engine package already exists, it is removed before the specified package is installed.
/InstallPath:<installation path>
Specifies where COM+ should place component files. We recommend using the Engine directory, for
example:
"/InstallPath:C:\Program Files\Metastorm\BPM\Engine"
This argument is optional. If it is omitted, component files are placed in the system default location.
/Identity:<account>
Specifies the account under which the Engine should run. In addition, it:
•
Adds the user for this account to all available (COM+) roles for the Engine.
•
Sets Authorization checking, so access to the Engine’s components is restricted by role.
Note: For further information on security, refer to the previous section.
Metastorm BPM Version 9.0
December 2009
Page 13
Metastorm BPM Version 9.0
An example of this argument’s use is:
/Identity:MYDOMAIN\ppascal
This argument is optional. If it is omitted:
•
The Interactive User account is assumed.
•
Users are not added to Engine roles.
•
Authorization checking is left unset.
/Password:<password>
Specifies the password for the account specified with the /Identity argument , for example:
/Password:secret
This argument is optional. If it is omitted, the password is empty.
Alternatively, you can use the /PromptForUserDetails argument.
/BindUserToRole:<rolename:<account | group>>
Specifies an additional user account or group that can hold a COM+ Engine role.
For example, you may want the web server's anonymous account to communicate with the Engine. In this
case, you would use the argument as follows:
/BindUserToRole:Client:CORPORATE\IUSR_CORPSERVER
”/BindUserToRole:Flag Raiser:Metastorm Flag Raisers”
This argument is optional.
/PromptForUserDetails
Specifies that, when EngineConfig runs, it displays a dialog for you to enter the identity (account) and
password for the Engine application to use. If the /Identity: argument is also used, its contents are the
default value in the dialog.
This argument is optional.
/?
Displays a message box summarizing EngineConfig’s command-line arguments.
This argument is optional.
1.12 Problems with Re-Registration
Problems with re-registering the Engine could arise from:
•
regsvr32, responsible for informing the system about the Engine’s individual COM components.
•
Using the EngineConfig tool.
1.12.1 Problems Running regsvr32
Metastorm BPM Version 9.0
December 2009
Page 14
Metastorm BPM Version 9.0
LoadLibrary (<dll name>) failed. GetLastError returns 0x0000007e
regsvr32 cannot locate the specified dll, or another dll on which it depends. This implies an incomplete
installation, the best option is usually to uninstall and then reinstall the Engine.
LoadLibrary(<dll name>) failed. GetLastError returns 0x0000045a
A dll initialization routine failed for the specified dll, or another dll on which it depends. This implies an
incomplete installation, the best option is to uninstall and then reinstall the Engine.
1.12.2 Problems Running EngineConfig
Failed to install Package – An error occurred reading the package file (0x80110408)
This can occur because the:
•
Specified application or package file (usually .MSI or .PAK) cannot be found.
•
Command-line does not include the full path to the package file.
•
Path to the package file includes spaces but is not enclosed in quotes.
Note: For further information, refer to the previous section.
Failed to install Package – Package file path is invalid (0x8011040a)
This usually occurs because the path specified for the /InstallPath: argument is wrong.
Note: For further information, refer to the previous section.
Problem while trying to save changes to packages collection – Package identity user ID and/or password are
not valid (0x80110414)
This can occur because the:
•
Account specified does not exist.
•
Password specified is not correct for the account.
You may need to review the /Identity: and/or /Password: command-line options.
Problem while trying to save changes to role’s user collection – User ID for user in role is not valid
(0x8011040f)
This can occur because the account or group specified in the /BindUserToRole: argument is invalid.
1.13 Engine .NET Interface Clients
There are three configuration options for a .NET client:
• Remote High Performance – The .NET Interface server side component is hosted directly in the Engine
process. Firewall restrictions may render this option unusable. This option should only be used for low
volumes of user requests as it won’t scale well to heavy user load. In addition it isn’t possible to enforce
security for .NET Remoting connections hosted in this way.
Note: Under heavy load it will be low performance compared to IIS hosting.
•
Remote Open – The .NET Interface server side component is hosted by IIS and consequently the only
supported protocol is HTTP. Messages are binary formatted (which provides the most efficient data
encoding. The Remote Open configuration may be a better option when large numbers of concurrent
users are expected because IIS is optimized for scalability and provides integration with Windows
security.
Metastorm BPM Version 9.0
December 2009
Page 15
Metastorm BPM Version 9.0
Note: This is the preferred connection method.
The following service list configuration file extracts show the two .NET Interface connection
methods:
Remote High Performance
<Service Name="example" Description="Engine via .NET TCP/binary">
<Engine Name="Engine1">
<Transport Type="Remoting">
<Server>tcp://[ComputerName]:4001/ECL</Server>
</Transport>
</Engine>
</Service>
Remote Open
<Service Name="example" Description="Engine via .NET HTTP/IIS">
<Engine Name="Engine1">
<Transport Type="Remoting">
<Server>http://[ComputerName]/[ECLVirtualFolder]/
ECL.rem</Server>
</Transport>
</Engine>
</Service>
Where [ComputerName] is the name of the machine on which the Process Engine is running.
[ECLVirtualFolder] is the IIS virtual folder name for Process Engine .NET clients
(‘BPMEngine.NET’ by default).
1.14 Configuring the Engine Service
1.14.1 Configuration
This section describes how to run the Process Engine service and covers troubleshooting the Process Engine
service.
In order for the Engine Service to start up successfully, the account under which the Engine service is configured
must be specified in the Administrator role for the Process Engine COM+ application.
Troubleshooting
This section provides solutions to common errors when attempting to start the Process Engine as a system service,
and covers:
•
1069: The service did not start due to a logon failure.
•
2186: The service is not responding to the control function.
Error 1069: The service did not start due to a logon failure
This can occur because the:
•
Specified account does not exist.
•
Password specified for the account is incorrect or has changed.
Metastorm BPM Version 9.0
December 2009
Page 16
Metastorm BPM Version 9.0
•
Account specified does not have the “Log on as a service” right. This is automatically granted when
setting up the account using the Services application.
Error 2186: The service is not responding to the control function
This occurs because of an invalid service installation. We recommend you uninstall, then re-install the Process
Engine.
1.14.2 .NET CLR Configuration
The configuration file application.config, which is installed in the Engine directory, holds information about how
the .NET CLR hosted by the Engine should operate. For the most part administrators should not need to alter this
file. However, there are a number of settings that it may be found necessary to adjust; these settings are described
in this section.
The settings of interest are shown in the following sample application.config file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration> .
.
.
.
<appSettings>
<add key="ThreadPool_MinWorkerThreads" value="50"/>
<add key="ThreadPool_MaxWorkerThreads" value="1000"/>
</appSettings>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath=".\dotnetbin"/>
</assemblyBinding>
</runtime>
</configuration>
Element
Description
<probing
privatePath=”.\dotnetbin;.\dotnetlib”/>
This is a standard .NET CLR configuration setting, used to
specify subdirectories of the Engine’s directory that might
contain assemblies. Subdirectory names are delimited by
semicolons. This is where you would deploy (via the
Deployment Service) assemblies using in server side scripts
and promoted expressions.
<add
key=”Threadpool_MinWorkerThreads”
value=”50”/>
This setting is used to specify the minimum number of
worker threads to be set up in the .NET CLR thread pool.
This thread pool is used when running Jscript.Net scripts or
executing Microsoft workflows.
On installation, this value is set to25 x (number of CPUs on
machine) x (number of cores per CPU). The value shown in
the example is illustrative only.
The higher the setting for this value, the higher the resource
cost to the Engine process.
Metastorm BPM Version 9.0
December 2009
Page 17
Metastorm BPM Version 9.0
Description
Element
Once started, the Engine reports the value it is using in its
startup message in the event log.
<add
key=”Threadpool_MaxWorkerThreads”
value=”1000”/>
This setting is used to specify the minimum number of
worker threads to be set up in the .NET CLR thread pool.
This thread pool is used when running Jscript.Net scripts or
executing Microsoft workflows.
The higher the setting for this value, the higher the potential
resource cost to the Engine process.
Once started, the Engine reports the value it is using in its
startup message in the event log.
<add
key="ExternalAssemblyReferencesPath"
value=""/>
The value here is intended to be a shared network location.
The Deployment Service configuration will also have a
reference to this same location and will be able to copy
assemblies there during deployment.
Note: If you change any of the settings in application.config, you must restart the Engine for these changes
to take effect.
Anything referenced by a process, but not built into the process assembly (in other words, any third party
assemblies) must be locatable at runtime so it can be loaded by the Engine.
The order in which the .NET CLR searches for assemblies is:
1.
The current folder of the calling process (in this case, the Engine root folder)
2.
GAC
3.
Folders in the System Path
4.
Folders in the application.config probing path.
5.
the Engine then searches for the assembly in the eAssembly table (only process assemblies will be
found here, added at deployment time)
6.
Folders in the shared network location in the application.config External Assembly References
path
1.14.3 Engine Parameters
The registry parameters which can be changed are under:
•
HKEY_LOCAL_MACHINE
These settings can be modified, using the Registry Editor. To ensure new settings take effect, we advise that you
restart the machine after making changes.
Note: Values in [square brackets] are variables.
Metastorm BPM Version 9.0
December 2009
Page 18
Metastorm BPM Version 9.0
1.14.4 HKEY_LOCAL_MACHINE
• Database
• SQL DBC
• Oracle DBC
• Engine Mail Connectors
• Engine Name
• Engine Browser Protocol
• WCF
Database
Database parameters define how the process engine connects to the Metastorm database. Two types of connection
are required:
•
ODBC, which uses a DSN that has already been set up using the ODBC Data Source Administrator.
•
OLE DB connection string.
Note: You can change the database using the System Administrator (right-click on Metastorm Engines, select
Register and enter the name of the Computer on which the engine is running). Then, right-click on the machine
name and select Database.
Note that the database user ID and passwords are stored in the registry keys under:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine
We strongly recommend that you secure access to this registry key, as it stores sensitive information about
database connectivity. However, the Process Engine requires access to these keys. So, when setting
security permissions to these keys, please ensure the users or groups with which the Process Engine's
service and COM+ application are configured have permission to access the keys.
Key
\SOFTWARE\Metastorm\e-work
\Engine\Database Connectors
Name
Current
Values
• SOracle DBCQL
• Server DBC
SQL Server DBC
Key
Name
Values
\SOFTWARE\Metastorm\ework\Engine\Database
Connectors\SQL Server
DBC
Connection
Provider=SQLOLEDB;
Data Source=[DBServerName];
Initial Catalog=[DBName];
User ID=[DBUserName];
Password=[DBUserPassword];
If DB Authentication is set to NT Authentication,
Provider=SQLOLEDB;
Metastorm BPM Version 9.0
December 2009
Page 19
Metastorm BPM Version 9.0
Key
Name
Values
Data Source=[DBServerName];
Initial Catalog=[DBName];
UserID=[DBUserName];
Password=[DBUserPassword];
Trusted_Connection=Yes;
DotNetConnection
Data Source=[DBServerName];
Initial Catalog=[DBName];
User ID=[DBUserName];
Password=[DBUserPassword];
Connection
Timeout=[DBConnectionTimeoutInSeconds];
If DB Authentication is set to NT Authentication,
Source=[DBServerName];
Initial Catalog=[DBName];
User ID=;
Password=;
Trusted_Connection=Yes;
Connection
Timeout=[DBConnectionTimeoutInSeconds];
DotNetProvider
Data Source=[DBServerName];
Initial Catalog=[DBName];
User ID=[DBUserName];
Password=[DBUserPassword];
Connection
Timeout=[DBConnectionTimeoutInSeconds];
If DB Authentication is set to NT Authentication,
Source=[DBServerName];
Initial Catalog=[DBName];
User ID=;
Password=;
Trusted_Connection=Yes;
Connection
Timeout=[DBConnectionTimeoutInSeconds];
\SOFTWARE\Metastorm\ework\Engine\Database
Connection
ODBC;
DSN=Metastorm;
UID=[DBUserName];
PWD=[DBUserPassword];
Metastorm BPM Version 9.0
December 2009
Page 20
Metastorm BPM Version 9.0
Oracle DBC
Key
Name
Values
\SOFTWARE\Metastorm\ework\Engine\Database
Connectors\Oracle DBC
Connection
Provider=OraOLEDB.Oracle.1;
Data Source=[DBOracleServiceName];
User Id=[DBUserName];
Password=[DBUserPassword];
FetchSize=100;
CacheType=Memory;
PLSQLRSet=1
DotNetConnection
Data Source=[DBOracleServiceName];
User Id=[DBUserName];
Password=[DBUserPassword];
FetchSize=100;
Cache Type=Memory;
PLSQLRSet=1;
Connection
Timeout=[DBConnectionTimeoutInSeconds];
\SOFTWARE\Metastorm\ework\Engine\Database
DotNetProvider
Oracle.DataAccess
Connection
ODBC;
DSN=[DBOracleODBC_DSN];
UID=[DBUserName];
PWD=[DBUserPassword];
Note: For details of the QueryTimeout and Force Case-insensitive Authentication parameters, refer to the
‘Engine Registry Settings’ section.
Engine Mail Connectors
Mail Connector registry parameters are used to set up the Process Engine to work with email.
Key
Name
Values
\SOFTWARE\Metastorm\ework\Engine\MailConnector
Connector
For SMTP:
ProgID=ework.
MailConnector.[MailConnectorType
(SMTP)] ;
Metastorm BPM Version 9.0
December 2009
Page 21
Metastorm BPM Version 9.0
Key
Name
Values
DefaultAddress=[E-mailAddress];
LocaleID=[LocaleID, e.g., 1251];
BodyFormat=[BodyFormat (Text or
HTML)] ;
EncodingFormat=[EncodingFormat (TEXT
or MIME)] ;
AttachmentEncoding=[AttachmentEncoding
(UUencoded or MIME)]
The Engine examines this string for the first
ProgID tag. It attempts to create an instance
of this connector. If it is successful, this
connector is used for all %EMail calls.
If, during the initialization of the Engine, it
is unable to find a Connector string, an
appropriate entry is added to the event log.
Until this issue is resolved, the Engine is
unable to send emails and all %SendMail
calls are ignored.
%Email defines the Unicode format to be
used for all email content. Setting Locale id
=1252 represents the western European
character set. For other character sets refer
to Unicode definitions, e.g. 1251 is used for
eastern European languages and 65001
(UTF-8) is suitable for the Russian and
Kanji character sets.
Engine Name
To avoid clashes in a multi-engine environment, every Engine must have a unique name.
Key
Name
Values
\SOFTWARE\Metastorm\e-work\Engine
Name
[Name (Domain$MachineName)]
Engine Browser Protocol
This setting allows the Engine to construct links to folders when sending alerts via email.
Key
Name
Values
\SOFTWARE\Metastorm\
e-work\Engine
Browserprotoc
ol
http://[WebServerName]/[IISVirtualScriptsFolder]/eweb.
dll/
Note: For further details, refer to the Installation Guide.
WCF
Metastorm BPM Version 9.0
December 2009
Page 22
Metastorm BPM Version 9.0
This allows an administrator to restrain client connections and so the load placed on the engine’s services.
Key
Name
Values
\SOFTWARE\Metastorm\ework\Engine
Max Concurrent Calls
default value is 32. Max
Concurrent Calls setting is
set to 64
Max Concurrent Instances
2147483647
MaxReceivedMessageSize
104857600
OperationTimeout (secs)
60
1.14.5 Engine Registry Settings
Script Timeout
In order to prevent database locking, server-side scripts time out after a definable period, which is set to 120
seconds by default. This period is specified in the following registry key:
Key: HKLM\SOFTWARE\Metastorm\e-work\Engine
Name: ScriptTimeout (secs)
Type: DWORD
If the value is set to 0, no timeout is set.
Note: If the script times out a user will see the default error message "An error has occurred. Please report the
problem to your administrator. " in the Browser. In addition, the Designer log will have procedure error which
states that the script has timed out. This problem can be solved by increasing the script timeout.
JScript Query Timeout
The number of seconds the Metastorm Process Engine waits for a JScript.NET method to be invoked can be
configured by changing the following registry setting:
Key: HKLM\SOFTWARE\Metastorm\e-work\Engine
Name: JscriptQueryTimeout(secs)
Type: DWORD
If the value is set to 0, no timeout is set.
Activate CallerID
Key:
HKLM\SOFTWARE\Metastorm\e-work\Engine
Name: ActivateCallerID (0 or 1)
Type: DWORD
This determines whether the engine uses the identity of the DCOM caller to check the validity of session IDs. If
this is set to:
Metastorm BPM Version 9.0
December 2009
Page 23
Metastorm BPM Version 9.0
•
0, the engine does not use the DCOM caller ID as part of a session validation. This enables more than
one caller to use the same session ID.
•
1, a session ID is rejected if it is used by a DCOM client that did not originally create the session.
A side effect of setting ActivateCallerID to 1 is that Web Forms no longer work.
Note: Changing the ActivateCallerID setting, then restarting the engine, invalidates any sessions already in the
session table.
The default value is 0.
Query Timeout
Key:
HKLM\SOFTWARE\Metastorm\e-work\Engine\Database
Name: QueryTimeout (secs)
Type: DWORD
The amount of time the database spends on a query before rejecting it.
Note: Note that not all OLEDB drivers support QueryTimeout.
Login Timeout
Key:
HKLM\SOFTWARE\Metastorm\e-work\Engine\Database
Name: LoginTimeout (secs)
Type: DWORD
The amount of time the Engine waits for a database connection to be established.
Note: Note that not all OLEDB drivers support LoginTimeout.
Force Case-insensitive Authentication
Key:
HKLM\SOFTWARE\Metastorm\e-work\Engine\Database
Name: Force Case-insensitive Authentication
Type: DWORD
Enables a case-sensitive database to allow case insensitive logins.
If this is set to:
•
•
0 (default), the Engine does not perform case-insensitive authentication.
1, the Engine performs case-insensitive authentication.
Force Case Sensitive Role Evaluation
Key:
HKLM\Software\Metastorm\e-work\Engine\
Name: Force Case sensitive role evaluation
Type: DWORD
If this is set to:
•
0 (default), the Engine does not perform case-sensitive role evaluations.
•
1, the Engine performs case-sensitive role evaluations.
Metastorm BPM Version 9.0
December 2009
Page 24
Metastorm BPM Version 9.0
The value defaults to 0.
Disable Static Role Resolution
Key:
HKLM\Software\Metastorm\e-work\Engine\
Name: DisableStaticRoleResolution
Type: DWORD
If this is set to:
• 0 (default), static roles are assumed in the eAssignment table.
•
1, static roles are not assumed in the eAssignment table, and all roles have to evaluate to a list of user
names.
Max Simultaneous Async Jobs
Asynchronous tasks can be run simultaneously. This setting specifies the maximum number of tasks that can be
run simultaneously. The default is 5. The maximum is 64.
Note: This only controls legacy evaluation operations from the Metastorm Script Language, invoked by the
Evaluate activity.
Note: It is important to be aware of the memory footprint required to run an asynchronous script. If multiple
instances of an asynchronous script are run in parallel, the amount of memory required will be the footprint
multiplied by the number of instances. The memory footprint of a script could be quite large if other components
are created and used by the script.
Key:
HKLM\Software\Metastorm\e-work\Engine\
Name: Max Simultaneous Async Jobs
Type: DWORD
Install Info
This registry key contains a record of information specified by the user and the installation, when Metastorm BPM
is installed.
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\InstallInfo
Name: InstallInfo
Type: DWORD
After the installation, if you change any of the parameters which have been recorded under the InstallInfo registry
key, you should amend the relevant values under the key. Subsequent Metastorm BPM upgrades or hotfixes
expect the current Metastorm BPM settings to be recorded under this key.
JScript Precompile Level
As a JScript .NET script can take a long time to compile, this registry key enables you to avoid performance issues
by setting up the Engine to compile all currently available scripts on start-up.
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine\JScriptPrecompileLevel
Name: JScriptPrecompileLevel
Type: DWORD
Metastorm BPM Version 9.0
December 2009
Page 25
Metastorm BPM Version 9.0
Set the value to:
•
•
•
•
0, for no compilation on start-up
1, to compile map assemblies on start-up
2, to compile procedure assemblies on start-up
4, to compile map and procedure assemblies on start-up.
You can combine values (by adding them together) to set the registry setting to more than one of the above. For
example, if the value is set to 7 (1 + 2 + 4), map assemblies, procedure assemblies and map and procedure
assemblies are compiled on start up.
Allow Guest User To Raise Flag
In order to raise a flag, an external application must provide either a valid Metastorm user id and password, or
alternatively, a valid session id.
For backwards compatibility, the engine may be configured to relax this restriction and accept Raise Flag requests
without any credentials. This requires that the Guest User is set up.
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine
Name: AllowGuestUserToRaiseFlag
Type: DWORD
Set the value to:
•
0, to force flag raisers to provide credentials.
•
1, to allow flags to be raised without providing credentials.
Microsoft Workflow Timeout
Key:
HKLM\Software\Metastorm\e-work\Engine\
Name: MicrosoftWorkflowTimeout (secs)
Type: DWORD
This defines the maximum length of time for which a Microsoft Workflow instance is allowed to execute before it
is aborted. The default timeout value is 60 seconds.
1.14.6 Non Registry Settings
This topic outlines the non registry settings that can be altered by the Metastorm Administrator:
•
Engine Service
•
Metastorm User Groups
Engine Service
To configure the Process Engine service, you can change the:
•
Service start-up mode.
•
Service account (or the account under which the Engine runs).
These settings are configurable through the Windows Services tool.
Metastorm BPM Version 9.0
December 2009
Page 26
Metastorm BPM Version 9.0
Note: For further details, refer to your Windows documentation.
Metastorm User Groups
To set up the specific user groups for use with Metastorm BPM, you should use specifically created (local or
domain) groups.
These settings are configurable through:
•
The Computer Management tool
•
COM+ Metastorm Engine Roles
Metastorm BPM Version 9.0
December 2009
Page 27
Metastorm BPM Version 9.0
2
METASTORM DESIGNER
2.1
Designer Settings
The version 9.0 Designer has a number of places where it stores temporary information such as layout, recently
used lists, library cache etc. The file locations below are based on Vista/ Windows Server 2008 operating systems.
Resetting Designer layout
Delete the ‘Url.2dglpttbw5sj1j3i2vedoiybh5fbn4em’ folder from:
%userprofile%\AppData\Local\IsolatedStorage
Offline Library Cache
Deleting the files in the location below will clear the library cache:
%userprofile%\AppData\Local\Metastorm\BPM\Designer\LibraryCache
Other Temporary Files
Files in the location below also store Designer information and can be safely deleted:
%userprofile%\AppData\Local\Temp\Metastorm\BPM
Metastorm BPM Version 9.0
December 2009
Page 28
Metastorm BPM Version 9.0
3
METASTORM DEPLOYMENT
3.1
Deployment Service
3.1.1
Overview
The Windows Communication Foundation (WCF) Deployment Service replaces the functionality referred
to in the v7.6 Designer Publishing; it takes the v9.0 Metastorm BPM process definitions (solutions,
projects, and libraries) and transform them into the requisite runtime Metadata required by the v9.0
Metastorm BPM Process Engine to render the defined process application at runtime.
The Deployment Service can work against all the versions of SQL Server and Oracle supported by the
Metastorm Process Engine. The Designer uses a service list called DeploymentServiceConfig.xml to
identify how it connects to the Deployment Service, this can be configured to allow the BPM Process
Developer to chose between which BPM Service they wish to Deploy to. This file is located at the
following path C:\Program Files\Metastorm\BPM\IIS
The Deployment Service uses the DeploymentService.exe.config to know how to connect to the database
via ADO.NET. The Service also uses the Process engine to allow user authentication to be undertaken. Due
to this the Process Engine needs to be running in order for the Deployment Service to execute and it should
be installed onto the same server as the engine.
When deploying a process, you need to log in as a Metastorm user who holds either a
‘MetastormAdministrator’ or a ‘ProcessDesigner’ role. These roles are automatically created on running
the Metastorm database creation scripts along with a default BPM user.
The default user name and password is as follows:
Username: SysAdmin
Password: metastorm
The Deployment Service can be configured to use Windows Single Sign-On authentication, if the
Metastorm Service has been configured to use it, thereby preventing the need to provide a user name and
password, click here to view the steps needed.
Metastorm BPM Version 9.0
December 2009
Page 29
Metastorm BPM Version 9.0
Note: The Deployment Service uses the TCP-based network protocol (net.tcp://) and therefore has
dependencies on the Net.Tcp Port Sharing Service.
3.1.2
Configuration Files
DeploymentServiceConfig.xml
The BPM Designer uses the DeploymentServiceConfig.xml to know how to connect to the WCF
Deployment Service (see example below). If you had multiple Metastorm BPM Services, such as a three
tire system involving a development environment, a QA environment and a Production environment for
example the additional connection paths could also be included in this document allowing the Process
Developer to be able to select where to Deploy to.
This file is located at this path C:\Program Files\Metastorm\BPM\IIS extensions\
<?xml version="1.0" encoding="UTF-8"?>
<ServiceDirectorConfig Name="Metastorm Deployment Service List">
<ServiceList Type="Deployment">
<Service Name="Metastorm BPM Deployment Service" Description="Deployment Service">
<Transport Type="WCF">
<Server>net.tcp://<Engine Computer Name>/Deployment</Server>
</Transport>
</Service>
<!-- <Service Name="Local Deployment Service" Description="Deployment Service on local machine">
<Transport Type="WCF">
<Server>net.tcp://<web server name>/Deployment</Server>
</Transport>
</Service> -->
</ServiceList>
</ServiceDirectorConfig>
DeploymentService.exe.config
This is the file that the Deployment Service uses to know how to connect to the Process Engine and the
Metastorm Repository. This file is located at this path C:\Program Files\Metastorm\BPM\Deployment\
3.1.3
SSO Configuration
The Deployment Service can be configured to use Windows® Single Sign-On (SSO) authentication, if the
Metastorm Service has already been configured to do so. This prevents the user from needing to enter any
credential during the deployment.
Follow these steps:
Open the V9.0 Metastorm BPM Designer, click on the Metastorm button
Metastorm BPM Version 9.0
December 2009
Page 30
Metastorm BPM Version 9.0
1.
Click the Options button
2.
Open up the Deployment section and select the Authentication Check box, please see picture below.
3.1.4
Deployment Debugging
Aside from checking in the Windows Application Event log for details of Deployment Service errors, it is possible
to run the service in a debug mode to return C# errors by undertaking the following steps:
1.
Stop Deployment Service
2.
Run Deployment Service by running it from command line:
DeploymentService.exe /debug /ModelAssembly:C:\Temp
3.
Stop it when you don't need it anymore by opening Windows Task Manager and killing the
DeploymentService.exe process.
3.2
3.2.1
Deployment Client
Overview
The V9.0 BPM Designer users the Deployment Service to validated and stored workflow processes in the
Metastorm repository where they form the metadata that is used at runtime by the Web client to allow users to
interact with the workflow processes. The Deployment Client also offers the ability to store workflow processes in
the Metastorm repository but without the need to open up the BPM Designer.
The Deployment Client is a console application designed to provide the ability to allow authorized users to run and
schedule deployment of Projects and Libraries through a command line, batch file or script. The Deployment
Client consists of two files:
Metastorm BPM Version 9.0
December 2009
Page 31
Metastorm BPM Version 9.0
1.
Deploy.exe found the following location:
C:\Program Files\Metastorm\BPM\Designer\Deploy.exe
2.
Deploy.config.xml found the following location:
C:\Program Files\Metastorm\BPM\Designer\Deploy.config.xml
This section details how to use and configure the Deployment Client.
3.2.2
Configuration Files
Deploy.config.xml
This is the configuration file for Deploy.exe. It allows you to configure default settings that may be used
when the application is run from the command line. If the same argument is configured in the configuration
file and used in the command line code then the Deployment Client will use both values executing the
command line value first.
Important sections of the configuration file are displayed below:
Authentication
<ServicesList>
<Service Name="Local Deployment Service" Description="Deployment Service on local machine">
<Server Login="SysAdmin" Password="metastorm">
<Path>net.tcp://<machine name>/Deployment</Path>
</Server>
</ServicesList>
Deploying Libraries with passwords
<Libraries>
<Library Name="Libraryform" Password="bpmlib" Version="2" />
<Library Name="Libraryformseg" Password="bpmlib" Version="1" />
</Libraries>
Deploying from a specified directory
Solution Packages can be deployed straight from a specified directory and its sub-directories. The type of
file can also be selected allowing the choice of Solutions, Projects or both to be deployed.
<Directories>
<Dir TargetType="solution">
<Path>C:\temp\t\</Path>
</Dir>
<Dir TargetType="bpmproj">
<Path>C:\temp\Solution\Projec2</Path>
</Dir>
Metastorm BPM Version 9.0
December 2009
Page 32
Metastorm BPM Version 9.0
</Directories>
Deployed a specify single contents (project or solution)
<ContentUris>
<Path>C:\temp\Solution\Projec2\Projec2.BPMProj</Path>
</ContentUris>
Deploy a specific group
It is possible to create several groups inside the <Groups> node and switching between them using /group
parameter.
For example the following command line code would deploy only the solutions and projects in group G1.
Command Line code: Deploy.exe /group;G1
<Groups>
<Group Name="G1" Validate="false" Deploy="true">
<Libraries>
<Library Name="lpc1" Password="1" />
<Library Name="lst2" Password="1" />
<Library Name="l2" Password="1" />
</Libraries>
<Directories>
<Dir TargetType="solution">
<Path>E:\Work\bugs\200908\CallErr\cErr</Path>
<Path>E:\Work\ConsoleSolutions\</Path>
<Path>E:\Work\reqs\200907\CL2\cl2\</Path>
</Dir>
<Dir TargetType="bpmproj">
<Path>E:\Work\ConsoleSolutions\</Path>
</Dir>
</Directories>
....
</Group>
</Groups>
Command Window validation errors and warnings
Validation errors and warning are displayed in the command window, the output can be suppressed and the
verboseness altered.
Metastorm BPM Version 9.0
December 2009
Page 33
Metastorm BPM Version 9.0
<Logger Name="Console" Level="DEBUG"
type="Metastorm.Deployment.DeploymentClient.Logging.ConsoleLogger, DeploymentClient">
</Logger>
DEBUG – all messages will be displayed
WARN – warnings and errors
Error – errors only
Info – only information message will be displayed
OFF – logger is not logging any info
Text file validation errors and warnings
Validation errors and warning can be written a text file, the output can be suppressed and the verboseness
altered.
DEBUG – all messages will be displayed
WARN – warnings and errors
Error – errors only
Info – only information message will be displayed
OFF – logger is not logging any info
<Logger Name="TextLogger" Level="Warn"
type="Metastorm.Deployment.DeploymentClient.Logging.TextFileLogger, DeploymentClient">
<Parameter Name="source">
<Value>e:\temp\log.txt</Value>
</Parameter>
Validation errors and warnings can be written out to the Event Manager
writes logging info into the standard Windows EventLog. Parameter ‘Source’ points the name of EventLog
node, if not specified all logging info will be written into the Application node.
<Logger Name="EventLogger" Level="Warn"
type="Metastorm.Deployment.DeploymentClient.Logging.EventLogger, DeploymentClient">
<Parameter Name="source">
<Value>DeploymentClient</Value>
</Parameter>
</Logger>
DEBUG – all messages will be displayed
WARN – warnings and errors
Error – errors only
Info – only information message will be displayed
OFF – logger is not logging any info
Metastorm BPM Version 9.0
December 2009
Page 34
Metastorm BPM Version 9.0
3.2.3
Command Line
The Deployment Client accepts the arguments shown below. Many of these arguments can also be
configured in the Deploy.config.xml configuration file but note that any command line arguments are
executed first.
/?
Access the Deployment Client help output.
/service
Specify which deployment service definition to use.
sample: deploy.exe /service;service name;net.tcp://deploymentServer/deployment;login;pass
/config
Use a custom configuration file
sample: deploy.exe /config;c:\temp\configuration\myconfig.xml
/dir
Deploys all projects in the specified directory
samples: deploy.exe /dir;c:\work\ConsoleSolutions /dir;e:\work1;pbmproj
deploy.exe /dir;c:\work\ConsoleSolutions;solution
deploy.exe /dir;c:\work\ConsoleSolutions /dir;e:\work1;pbmproj /dir;e:\work\allSolutions
/lib
Deploys password protected libraries.
sample: deploy.exe /lib;libname;bpmlib /dir;c:\LibrariesSolutions
/group
Selects non-default group in config file, and deploy the files specified in it.
sample: deploy.exe /group;groupname
/c
Deploys specified single component (project or solution)
Sample: deploy.exe /c;e:\work\c1.solution /c;e:\work\projects\project.bpmproj
%ERRORLEVEL%
Error code can be used to identify the success or failure of a deployment by automation scripts.
sample:
@if %errorlevel% GEQ 0 @if %errorlevel% LEQ 9 echo 'success'
@if %errorlevel% GEQ 10 @if %errorlevel% LEQ 99 echo 'warning'
@if %errorlevel% GEQ 100 echo 'error'
@if %errorlevel% LEQ -1 echo 'exception'
Metastorm BPM Version 9.0
December 2009
Page 35
Metastorm BPM Version 9.0
It can also be used in the command line for example: Echo %ERRORLEVEL%
Metastorm BPM Version 9.0
December 2009
Page 36
Metastorm BPM Version 9.0
4
4.1
MANAGING AUTHENTICATION
Overview
Before the Metastorm BPM Engine will process any user requests the user must be authenticated with the
Metastorm BPM Service. Once authenticated the client may make further requests of the engine to list
folders and process actions. Those requests are processed and recorded by the Metastorm BPM Engine
creating an Audit Trail in the Metastorm BPM Database.
The Metastorm web client in version 6.x and version 7.x of Metastorm BPM employs a custom mechanism
to authorize and authenticate user access. In Metastorm BPM version 9.0, the web client authentication
mechanism is entirely based on the Microsoft .NET security guidelines.
This section reviews the following:
• Username and Password Authentication
• Single Sign On Configuration
• Web Farm Deployment Configuration
• Public Access
4.2
Open Authentication
Authentication is the process of acceptance of a user by a Metastorm BPM service.
Metastorm Client applications have Open Authentication meaning they have no pre-defined knowledge of any
specific authentication mechanism unless specified by the System Administrator in the form of Server
Authentication Provider (SAP) scripts.
4.2.1
Server Authentication Provider (SAP) scripts
SAP scripts provide the logic necessary for the Process Engine to obtain the user's credentials, validate them and
allow a valid session to be generated. SAP scripts can be chained so that the Process Engine will try multiple
Metastorm BPM Version 9.0
December 2009
Page 37
Metastorm BPM Version 9.0
scripts in order to see if it can validate a user and log them in, if the first fails the engine will try the second and so
on.
Metastorm Ships with a variety of SAP scripts but third party developers can define their own authentication
mechanism by writing their own SAP scripts.
Out of the box SAP scripts:
•
eUser
•
eRemPwd
•
eRemDetails
•
eRemPwdDetails
•
eGuest
•
eError
•
Mqauthentication
For Microsoft SQL Server installations, Open Authentication can be automatically configured by the installation
script the eUser.js SAP script being used as the default method of login, requiring the user to enter a Username and
Password. However For Oracle installations, Open Authentication cannot be automatically configured by the
installation script and must be set up manually instead.
4.2.2
Process Definition Document (PDD)
The Process Definition Document (PDD) is a single configurable XML document stored in the Metastorm
database as an attachment (called ‘Authproc.XML’) that defines all authentication processes that an Engine
supports. Each authentication process in turn comprises of a chain of Server Authentication Provider (SAP)
scripts - the order of execution.
For example, a PDA client could request an authentication process that was specifically designed for PDAs.
This authentication process might attempt authentication using certificates (the first SAP in the list for this
process). If this failed, then the client would try the second SAP in the list which might offer a login form
(suitable for PDA clients) allowing the user to enter user ID password credentials. If the credentials are
correct the User will be logged in to the Metastorm Client.
4.2.3
How Open Authentication works
Clients normal send two login requests to the Process Engine. Firstly to obtain a login form. Secondly to
pass the user credentials to the Process Engine.
Metastorm BPM Version 9.0
December 2009
Page 38
Metastorm BPM Version 9.0
When multiple authentication SAP scripts have been set up the Process Engine retrieves the PDD; it reads
the list of SAP scripts and notes the order of execution.
The Process Engine executes a SAP by calling its eLogin method. SAP returns a response and any content
to be included, by modifying the ework object.
Depending on the ework object’s ResponseType property (set by the SAP), the Engine sends a Transaction
Protocol response to the Client.
•
eLoginFormResponse
•
eLoginResponse
•
eErrorResponse
The ework object’s ResponseType properties are:
•
sapLogin (0), the Engine attempts to log the user in using the ework object’s UserName property.
•
sapForm (1), the Engine generates an eLoginFormResponse, using the ework object’s properties
to return information to the Client about the form to be displayed.
Metastorm BPM Version 9.0
December 2009
Page 39
Metastorm BPM Version 9.0
•
sapFailed (2), if there are no more available SAPs, the Engine returns eErrorResponse (which fails
the authentication process). Otherwise, the Engine ensures the authentication process continues by
incrementing the current SAP by 1, and calling the next SAP. This is useful for a SAP that is
designed to work for only a particular client type. For example, a web client, which uses the
Remember Password SAP provided with Metastorm BPM, passes on to the next SAP.
•
sapError (3), the Engine returns eErrorResponse (which fails the authentication process).
4.3
Metastorm Web client Authentication
4.3.1
Authentication Architecture
The Metastorm BPM 9.0 web client’s authentication mechanism is built on top of ASP.NET
Windows and Forms authentication, as shown in the diagram below.
The web client can be configured to authenticate users by the following authentication modes:
•
Form based Username and Password authentication using forms authentication
•
Single Sign On (SSO) using windows authentication
Metastorm BPM Authentication Module
The Metastorm BPM authentication module sits behind the standard ASP.NET Windows Authentication
Module and Forms Authentication Module, to provide single sign on (SSO) access or login access to the
Metastorm web client. As such, the Metastorm web client authentication mechanism is a two stage
authentication process:
•
Firstly, a user is authenticated through the standard ASP.NET Windows or Forms authentication
process. If the first stage authentication is successful then the Metastorm BPM Authentication
Module will use the user’s credentials to logon to the Metastorm Engine using the Metastorm
BPM Membership Provider.
Metastorm BPM Version 9.0
December 2009
Page 40
Metastorm BPM Version 9.0
•
Secondly, if the logon is successful then a Metastorm BPM Identity object will be created for
the Metastorm web client to talk to the Metastorm Engine.
Metastorm Membership Provider
The Metastorm Membership Provider must be configured in the web client’s web.config file, this is normally
configured as part of the installation of Metastorm BPM 9.0.
1.
Open the web client’s web.config file in a text editor such as Notepad.
This file is located C:\Program Files\Metastorm\BPM\Web
2.
Find the <membership defaultProvider = "BpmMembership Provider"> tag, as displayed in
the code section below.
3. The "Service List" is the URL or UNC path to the Service List Configuration file
(EngineServiceConfig.xml). The default install location for this file is C:\Program
Files\Metastorm\BPM\IIS extensions\EngineServiceConfig.xml.
4. The "Default Engine Service" specifies the default engine service to use, as specified in the
EngineServiceConfig.xml file. For SSO, the Default Engine Service value must be specified.
5. The "Provider Description" is an optional description for the Metastorm Membership Provider.
Note: The PublicAuthenticationProcess attribute must be set to a value of "Public" to enable the Metastorm
Process Engine to authenticate public access.
4.3.2
Username and Password Configuration
The user name and password combination is the default authentication mode for the Metastorm BPM 9.0
web client. This requires ASP.NET Forms authentication to be set in the web client and for the Metastorm
BPM Engine to be configured to use the eUser.js authentication script which is the default Metastorm
Authentication Process.
1.
Open the web client’s web.config file in a text editor such as Notepad.
This file is located C:\Program Files\Metastorm\BPM\Web
2.
Find the <authentication mode="Forms"> tag, as displayed in the code section below.
<configuration>
Metastorm BPM Version 9.0
December 2009
Page 41
Metastorm BPM Version 9.0
...
<system.web>
...
<authentication mode="Forms">
<forms name="MetastormBPMAuth"
loginUrl="Login.aspx"
protection="All"
timeout="525600" path="/"></forms>
</authentication>
<authorization>
<deny users="?"></deny>
</authorization>
...
</system.web>
...
</configuration>
Note: Please refer to the following link for more information on configuring Forms authentication:
http://msdn.microsoft.com/en-us/library/1d3t3c61(VS.71).aspx
1.
4.3.3
Use the Metastorm Administration Tools to set the eUser.js authentication script to be the first
Server Authentication Provider (SAP)scripts in the list of Metastorm Authentication Processes to
be used by the Metastorm Engine.
Single Sign On Configuration
Windows® Single Sign-On (SSO) allows a user who is already logged into a Windows domain or
Microsoft Active Directory to be automatically logged-in to Metastorm BPM, without re-entering their user
name and password. This section details how to configure SSO for the Metastorm Web Client.
When the user is logged into Metastorm BPM using his Windows credentials, their user name for the
session will be the same as their Windows user name, and in the format domain\username. If static roles are
to be used in Metastorm procedures, the roles must be assigned to these user names using the Metastorm
Users and Roles tool. It is possible to customize SSO so that user names are returned in an alternative
format, such as Active Directory’s Personal Name.
Following are the steps involved:
•
Alter the web client's web.config file
•
Update Metastorm virtual directory
•
Add the “Trusted Account” to the IIS_WPG group
•
Set the Metastorm web application's application pool identity to the “Trusted Account”
•
Update BPMEngine.NET virtual directory
•
Enable the ActiveCallerID registry attribute
•
Edit the SSO Authentication Script, eSSO_Web.js
•
Setup Metastorm Authentication Process
•
Update the Metastorm Authentication Process List
•
Update Engine Application Settings, application.config
Metastorm BPM Version 9.0
December 2009
Page 42
Metastorm BPM Version 9.0
Alter the web client's web.config file
The Metastorm BPM web client's web.config file needs to be configured to allow the users to be authenticated first
by Windows authentication.
1. Open the web client’s web.config file in a text editor such as Notepad.
This file is located C:\Program Files\Metastorm\BPM\Web
2. locate the following section of code:
<!-- Uncomment the following authentication element configuration to enable SSO -->
<!--<authentication mode="Windows" />-->
<!-- Comment out the following authentication element configuration to enable SSO -->
<authentication mode="Forms">
<forms name="MetastormBPMAuth"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
path="/"></forms>
</authentication>
3. Uncomment <authentication mode="Windows" /> tag and comment out <authentication
mode="Forms"> tag, you should be left with a section of code similar to the one shown below:
<!-- Uncomment the following authentication element configuration to enable SSO -->
<authentication mode="Windows" />
<!-- Comment out the following authentication element configuration to enable SSO
<authentication mode="Forms">
<forms name="MetastormBPMAuth"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
path="/"></forms>
</authentication> -->
4. Locate the following section of code:
<!--Uncomment the following identity element configuration to enable SSO -->
<!-- <identity impersonate="true" /> -->
5. Uncomment the <identity impersonate="true" /> tag, you should be left with a section of code
similar to the one shown below:
<!-- Uncomment the following identity element configuration to enable SSO -->
<identity impersonate="true" />
6. Save the edited file and restart IIS
Metastorm BPM Version 9.0
December 2009
Page 43
Metastorm BPM Version 9.0
Update Metastorm virtual directory
The Metastorm web application under Internet Information Services (IIS) must be configured as follows:
For Windows Server 2003 (IIS 6.0)
1.
Start IIS.
2.
Right-click Metastorm virtual directory, and then click Properties.
3.
Click the Directory Security tab.
4.
Under Anonymous Access and authentication control, click Edit.
5.
Make sure the Anonymous access check box is not selected and that Integrated Windows
authentication is the only selected check box.
For Windows Vista and Windows Server 2008 (IIS 7.0)
1.
Start IIS.
2.
In the Connections pane, click the Metastorm application.
3.
In Feature View, double-click Authentication.
4.
On the Authentication page, select Anonymous Authentication.
5.
In the Action pane, click Disable to change the status to Disabled.
6.
On the Authentication page, select ASP.NET Impersonation.
7.
In the Action pane, click Disable to change the status to Disabled.
8.
On the Authentication page, make sure that only the status of Windows Authentication is set to
enabled.
Add the “Trusted Account” to the IIS_WPG group
For SSO, the concept of the “Trusted Account” has been retained in Metastorm BPM 9.0. However the
trusted account now only needs to have full control on the C:\Windows\Temp folder and a Client of the
Metastorm Process Engine COM+ application. This “Trusted Account” is used by the Metastorm Process
Engine to authenticate the client making the request in an SSO scenario. The concept of the trusted account
requires additional configuration in both IIS and the Metastorm Process Engine.
First, for Windows Server 2003, the “Trusted Account” must be added to the IIS_WPG group as followed:
1.
On the desktop, right-click My Computer, and then click Manage.
2.
In the Computer Management screen, under System Tools, expand Local Users and Groups,
and then click Groups.
3.
Right-click the IIS_WPG group, and then click Add to Group.
4.
In the IIS_WPG Properties dialog box, click Add.
5.
In the Select User dialog box, in the Enter the object names to select box, type the name of the
“Trusted Account”, and then click OK.
6.
In the IIS_WPG Properties dialog box, click OK.
7.
Close the Computer Management screen.
Note: The IIS_WPG group do not exist in Windows Vista and Windows Server 2008. As such, the above
configuration is not needed.
Metastorm BPM Version 9.0
December 2009
Page 44
Metastorm BPM Version 9.0
Set the Metastorm web application's application pool identity to the “Trusted
Account”
The application pool identity of the Metastorm web application must be configured to that of the “Trusted
Account” as followed:
For Windows Server 2003 (IIS 6.0)
1.
Start IIS.
2.
Right-click Metastorm virtual directory, and then click Properties.
3.
Click the Home Directory tab.
4.
Under Application settings, make a note of the application pool that appears in the Application
pool box, and then click Cancel.
5.
Expand Application Pools.
6.
Right-click the application pool that identified in step 4, and then click Properties.
7.
Click the Identity tab.
8.
Under Configuration, specify the “Trusted Account” name (in Domain\UserName format) and
password in the User name and Password boxes, and then click OK.
For Windows Vista and Windows Server 2008 (IIS 7.0)
1.
Start IIS.
2.
In the Connections pane , click the Metastorm application.
3.
In the Action pane, click Basic Settings... to open the Edit Application dialog.
4.
Make a note of the application pool that appears in the Application pool box, and then click
Cancel.
5.
In the Connections pane, click Application Pools.
6.
On the Application Pools page, select the application pool identified in step 4.
7.
In the Action pane, select Advanced Settings... to open the Advanced Settings dialog.
8.
Select Identity under the Process Model group.
9.
Click the ... button to bring up the Application Pool Identity dialog.
10. Select Custom account.
11. Click the Set... button to open the Set Credentials dialog.
12. Specify the “Trusted Account” name (in Domain\UserName format) and password in the User
name, Password and Confirm password boxes, and then click OK.
Update BPMEngine.NET virtual directory
The Metastorm BPM 9.0 web client talks to the Metastorm Engine using the .NET interface provided by
the Metastorm Enterprise Class Library (ECL) for .NET.
Note: For SSO, the Engine Service in the EngineServiceConfig.xml file that ECL component uses must be
configured to use the Hypertext Transfer Protocol (HTTP) protocol, see the Service List Configuration
File.
Currently, the only supported remote open protocol is HTTP. So, make sure the <server> element of the
EngineServiceConfig.xml file is setup as follows:
<Server>http://<ComputerName>/BPMEngine.NET/ECL.rem</Server>
Metastorm BPM Version 9.0
December 2009
Page 45
Metastorm BPM Version 9.0
Where <ComputerName> is the name of the machine on which the Metastorm Process Engine is running.
The Engine .NET Interface server side component hosted under IIS must be configured as followed:
For Windows Server 2003 (IIS 6.0)
1.
Start IIS.
2.
Right-click the BPMEngine.NET virtual directory, and then click Properties.
3.
Click the Directory Security tab.
4.
Under Anonymous Access and authentication control, click Edit.
5.
Make sure the Anonymous access check box is not selected and that Integrated Windows
authentication is the only selected check box.
6.
Click the Home Directory tab.
7.
Under Application settings, make a note of the application pool that appears in the Application
pool box, and then click Cancel.
8.
Expand Application Pools.
9.
Right-click the application pool identified in step 7, and then click Properties.
10. Click the Identity tab.
11. Under Configurable, specify the “Trusted Account” name (in Domain\UserName format) and
password in the User name and Password boxes, and then click OK.
Note: SSO implementation for split deployment setups where the BPMEngine.NET web application is
hosted under IIS 6.0 on a Windows Server 2003 machine will require further configuration to work
correctly. This is because, under IIS 6.0, Kerberos is used by default. A full summary of the problem and
resolution is available in the following Microsoft knowledge base article.
http://support.microsoft.com/kb/871179
For Windows Vista and Windows Server 2008 (IIS7.0)
1.
Start IIS.
2.
In the Connections pane, click the BPMEngine.NET application.
3.
In Feature View, double-click Authentication.
4.
On the Authentication page, select Anonymous Authentication.
5.
In the Action pane, click Disable to change the status to Disabled.
6.
On the Authentication page, select ASP.NET Impersonation.
7.
In the Action pane, click Disable to change the status to Disabled.
8.
On the Authentication page, make sure that only the status of Windows Authentication is set to
enabled.
9.
In the Connections pane, click the BPMEngine.NET application to go back to the application home
page.
10. In the Action pane, click Basic Settings... to open the Edit Application dialog.
11. Make a note of the application pool that appears in the Application pool box, and then click Cancel.
12. In the Connections pane, click Application Pools.
13. On the Application Pools page, select the application pool identified in step 4.
14. In the Action pane, select Advanced Settings... to open the Advanced Settings dialog.
15. Select Identity under the Process Model group.
16. Click the ... button to bring up the Application Pool Identity dialog.
Metastorm BPM Version 9.0
December 2009
Page 46
Metastorm BPM Version 9.0
17. Select Custom account.
18. Click the Set... button to open the Set Credentials dialog.
19. Specify the “Trusted Account” name (in Domain\UserName format) and password in the User
name, Password and Confirm password boxes, and then click OK.
Enable the ActiveCallerID registry attribute
On the machine hosting the Metastorm Process Engine, change the ActiveCallerID registry attribute
from 0 to 1. The ActiveCallerID key is located in the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine
Edit the SSO Authentication Script, eSSO_Web.js
In Metastorm Enterprise 9.0, the SSO authentication script file, eSSO_Web.js, is located in the following
path by default:
C:\Program Files\Metastorm\BPM\Engine\Authentication
To enable SSO, the eSSO_Web.js file must be edited as followed:
1. Locate the trustedAccount variable declaration in the eSSO_Web.js file.
2. Change the value of trustedAccount value to the “Trusted Account” name, in “domain\\username”
format.
Note: domain\\username must be typed in lowercase.
Setup Metastorm Authentication Process
The default Metastorm Authentication Process must be setup to use the eSSO_Web.js authentication script,
this can be done using the Metastorm Administrative Tools - view topic. The eSSO_Web.js needs to be
placed first in the list so that its index is 0, this will cause the Process Engine to try and use this script first.
Update the Metastorm Authentication Process List
The default Metastorm Authentication Process must be setup to use the eSSO_Web.js authentication script. This
can be done using the Metastorm Administration Tools.
Update Engine Application Settings, application.config
The application configuration file, application.config, of the Metastorm Process Engine COM+
application is located in the following path by default:
C:\Program Files\Metastorm\BPM\Engine
The SSOFieldName application setting needs to be added to the application.config file, it show look like
the code section below.
<configuration>
...
<appSettings>
Metastorm BPM Version 9.0
December 2009
Page 47
Metastorm BPM Version 9.0
...
<add key="ThreadPool_MinWorkerThreads" value="25"/>
<add key="ThreadPool_MaxWorkerThreads" value="1000"/>
<add key="UseStaticRoleResolution" value="true"/>
<add key="ExternalAssemblyReferencesPath" value=""/>
<add key="SSOFieldName" value="nt4user"/>
...
</appSettings>
...
</configuration>
Note: The SSOFieldName application setting shows the “nt4user” value, as used in previous versions of
Metastorm BPM, but the value can be set to any other value.
4.3.4
Public Access Authentication
Public access involves opening up some of the Metastorm BPM URLs to consumer internet users. Users accessing
via public access will be logged on as a guest user, and will only hold the role of “MetastormGuest”. Therefore,
to enable public access users to open a particular form or report, the “MetastormGuest” role must be selected in
the restrict viewing to... and Available to roles properties of the form and action.
In previous version of Metastorm BPM, only the following URLs have been opened up to public access:
•
eForm.aspx
•
eList.ashx?Type=Blank
However, in the Metastorm BPM 9.0 web client, a much more flexible approach has been adopted. Public
access is now completely under the control of the system administrator and all configurations are done
using standard ASP.NET web application configurations.
Note: Public access is only supported in combination with Forms authentication.
Configuring Web Client for Public Access
Public access is only supported in combination with Forms authentication. To enable public access, on a web
server configured to use Forms authentication, the system administrator must first decide what Metastorm BPM
functionality needs to be opened up to anonymous access, through the use of Metastorm BPM URLs.
Following are the steps involved:
•
Enabling Public Access
•
Enabling Form Opening in Public Access
•
Enabling Blank Form List in Public Access
•
Enable Reading Attachments
Enabling Public Access
Public access is not enabled by default. System administrators must enable this feature by setting the
publicAuthenticationProcess attribute value to “Public” in the Metastorm Membership Provider.
Metastorm BPM Version 9.0
December 2009
Page 48
Metastorm BPM Version 9.0
Enabling Form Opening in Public Access
The web client’s eForm.aspx request processes all form requests in Metastorm BPM 9. This includes blank
forms, administration forms and native reports. The web.config file of the Metastorm web client must be
configured as followed:
<!-- Uncomment the following location element configuration to enable public web access -->
<!--<location path="eForm.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="eActionFormContents.ashx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Forms">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>-->
The above configuration will enable public access users to attempt opening of blank forms, administration
forms or native reports. One of the following errors will return if public access users attempt to start an
action or open a form that does not have the MetastormGuest role selected in the Metastorm BPM 9
Designer:
Metastorm form access error.
Metastorm BPM Version 9.0
December 2009
Page 49
Metastorm BPM Version 9.0
Metastorm action access error.
As stated previously, a new virtual path provider is introduced in Metastorm Enterprise 9.0 to allow the
web client to serve Metastorm forms deployed to the Metastorm Process Engine Repository in ASP.NET
format. This new virtual provider brings with it the following URL to enable system administrator to
restrict the processes or forms that is exposed to public access:
[Forms|Folders|Reports]/{Map Name}/{Locale ID}/{Form Name}.aspx
Where the first part indicates whether the URL accessing a Metastorm form, Metastorm folder or
Metastorm native report. The other parts of the above URL is described in the table below:
Part
Description
Map Name
Specifies the name of the Metastorm process.
Locale ID
Specifies the locale ID of the deployed form. The Locale ID must be exactly as
specified in the eLocaleID column of the eDeployedLanguage table.
Form Name
Specify the name of the blank form, administration form or native report.
For example, the configuration below restricts public access to forms in the MempTest process:
<configuration>
...
<!-- Enable anonymous access to virtual path form requests -->
<location path=”Forms/MempTest”>
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
...
</configuration>
Likewise, the configuration below restricts public access to the English – United Kingdom Form1 blank
form in the MempTest process:
<configuration>
...
<!-- Enable anonymous access to virtual path form requests -->
<location path=”Forms/MempTest/en-GB/Form1.aspx”>
<system.web>
<authorization>
<allow users="?" />
</authorization>
Metastorm BPM Version 9.0
December 2009
Page 50
Metastorm BPM Version 9.0
</system.web>
...
</configuration>
Enabling Blank Form List in Public Access
In the Metastorm BPM 9 web client, the eList.aspx request serves to render form, alert and report lists in an
external URL. Selection of a particular list type is done using the Type query field parameter. This gives us
a problem. That is, if the eList.aspx request is opened up, in the web.config file, to public access then
anonymous users will be able to view all the Metastorm Enterprise list types. The reason for that is
because, in the web.config file’s <location> element, we only have the option to specify a path. There is no
way we can authorize only a path with certain query field parameter using the <location> element.
However, we can use URL mapping to get around the <location> element limitation.
The sample configuration below illustrates how to open up only the Metastorm blank form list to public
access:
=
Please refer to the following link for more information on configuring URL mapping:
http://msdn.microsoft.com/en-us/library/ms228302.aspx
The technique above can be used to open up other Metastorm Enterprise list type to public access.
Enable Reading Attachments
At runtime, the Metastorm web client uses the eReadAttachment.ashx request to retrieve information
from the Metastorm Process Engine Repository’s eAttachment table. In a Metastorm Enterprise form, the
eReadAttachment.ashx request is being used to perform the following tasks:
•
Image field – retrieve the picture selected in the Metastorm Enterprise Designer.
•
Attachment Clip and Attachment Grid – retrieve the currently selected attachment to open.
•
Status field – retrieve the threshold images.
Metastorm BPM Version 9.0
December 2009
Page 51
Metastorm BPM Version 9.0
The eReadAttachment.ashx request can be opened up to public access by configuring the web client’s
web.config file as followed:
Note: Customers should consider the security implication when opening up the eReadAttachment request
to public access, as the eAttachment table could contain sensitive data.
4.3.5
Web Farm Deployment
The Metastorm BPM 9.0 web client and the ASP.NET Forms authentication module depends on the
machineKey web configuration settings to encrypt sensitive user data. In a web farm, the web.config file of
each server must be configured as followed:
1. Open the web client’s web.config file in a text editor such as Notepad.
This file is located C:\Program Files\Metastorm\BPM\Web
2. Uncomment and edit the following machineKey element to enable "Forms" authentication to work
in a web farm.
3. Enter a manually generated key for decryptionKey to encrypt and decrypt data. This value must be
the same on each server in the web farm.
4. Enter a manually generated key for validationKey to validate encrypted data. This value must be
the same on each server in the web farm.
5. Final code should look similar to the example below:
<configuration>
…
<system.web>
…
<machineKey validationKey=“ ”
decryptionKey=“ ”
validation=“SHA1”
decryption=“AES”/>
…
</system.web>
…
</configuration>
Metastorm BPM Version 9.0
December 2009
Page 52
Metastorm BPM Version 9.0
Note: Please refer to the following link for more information on machineKey configuration and web
farm deployment: http://msdn.microsoft.com/en-us/library/ms998288.aspx
Metastorm BPM Version 9.0
December 2009
Page 53
Metastorm BPM Version 9.0
5
METASTORM ADMINISTRATIVE
TOOLS
5.1
Overview
This section details how to use the Metastorm BPM Administrative Tools to perform standard
administration and configuration tasks such as:
•
Create users, define their attributes, and make static role assignments
•
Perform administrative tasks such as registering Process Engines.
•
Configure Public Access to make business processes available to users outside your organization,
by enabling external users to create folders
•
Configure Authentication scripts
5.1.1
Installing the Administrative Tools
The Administrative Tool can be installed from the main Designer Installation disk, where you select it as an
installation component. The installation creates two virtual directories in IIS, MetastormAdministration and
MetastormAdministrationSvc. These virtual directories run under the MetastormAdminAppPool
application pool. The MetastormAdministration Virtual Directory needs to have anonymous access
disabled.
5.1.2
Launching the Administrative Tools
The Administrative Tools is a web based application, it can be accessed by using Internet Explore with the
following URL
http://<server name>/MetastormAdministration/
The Metastorm Administrative Tools require the user to login. The Metastorm user needs to hold the
‘MetastormAdministrator’ role. This role is automatically created on running the Metastorm database
creation scripts along with a default BPM user.
The default User Name and Password are as follows:
Username: SysAdmin
Password: metastorm
Metastorm BPM Version 9.0
December 2009
Page 54
Metastorm BPM Version 9.0
5.1.3
Recovery Mode Authentication
If the Metastorm Process Engine is down or the Metastorm SAP scripts or roles were accidentally deleted,
there is a “recovery mode” that allows the Administrative Tools to use the Metastorm BPM Services
database credentials to authenticate the administrator (if database credentials are configured for Windows
Authentication a blank login/password may be used).
In the Web.config file there is a setting called “RecoveryMode” if this is set to true the "recovery mode" is
activated. By default this is set to “false” as we only support the database mode as a recovery and not as a
normal authentication mechanism. An example of the setting is show below.
<appSettings>
<add key="EncryptConnectionString" value="false"></add>
<add key="RecoveryMode" value="false"></add>
</appSettings>
5.2
Users
5.2.1
User & Role Concepts
Metastorm BPM uses the concepts of users and roles to control access to the various parts of the application and
business processes.
A User is defined as an individual in an organization who uses a Metastorm BPM service. In many cases, this
includes everyone on the staff roster, and can be expanded to include contract or temporary workers, suppliers,
customers, or business partners, as required.
Roles are a method of grouping people within an organization. Individual Users can be grouped by skill, function,
geographical location, or any other criteria relevant to the organization. A user can have any number of roles and a
role can be assigned to one or many users. Static and Dynamic Roles are created during the process design and
added to the database when a project is deployed.
In this section, we introduce you to the Users and Roles tool and cover the following topics:
•
Role-based work management.
•
Identifying users and role assignments in your organization.
•
Managing users.
•
Managing roles.
5.2.2
Managing Users
The Metastorm BPM Administrative Tools allows Administrators to undertake a number of User
Management tasks. This tool has a tabbed interface. The first tab is "Users" and it is in this area where the
user can undertake the following tasks:
•
Create users
•
Delete user
•
Update user (including change password)
•
Create custom attributes
Metastorm BPM Version 9.0
December 2009
Page 55
Metastorm BPM Version 9.0
•
Assign static roles to users
•
Find User/Search.
•
Create a "Reports To" company hierarchy structure
Steps needed to access the User Tab
1.
Using Internet Explorer, access the Metastorm Administrative Tools via the following URL
http://<server name>/MetastormAdministration/
2.
When the login page displays enter the User Name and Password for the default Administration
account.
Username: SysAdmin
Password: metastorm
Note: The default Administration account is created when the Metastorm database creation scripts
are run.
3.
Select the User Tab, once the page has loaded you should see a screen similar to the image below.
Here the "All" option has been selected at the top causing all the users to be displayed below. Selecting a
letter of the alphabet will display the users accounts of the corresponding User Names beginning with this
letter.
The default display order is based on the "Last Update" column, this is when the user account was created
or last updated.
This is a paged interface and can be viewed from various pages either via the greater and lesser than
brackets or by typing in the page number and hitting the Go Button. You can also alter the number of rows
returned per page by typing the number you wish into the "Page Size" field and clicking the Change button.
The Administrative Tool allows Administrators to undertake User account searches and also display user
accounts grouped by their Management structure. More information on searching is available in the "Find
User/Search" topic.
Metastorm BPM Version 9.0
December 2009
Page 56
Metastorm BPM Version 9.0
5.2.3
Create users
A user is defined as anyone in an organization who uses a Metastorm BPM service. Their credentials must be
added through the Administrative Tools > User tab before the Metastorm Process Engine will be able to
authenticate them as a valid user.
Note: Metastorm BPM has a Public Access option which is discussed further in the Authentication section
of this guide. This allows unknown or anonymous users to interact with the Metastorm Process Engine.
Steps needed to create a user
1.
Browse to the Administrative Tool using Internet Explorer and login.
2.
Select the User Tab. Click on the New User button (see image below) to open up the New User Section;
this will appear in the bottom half of the screen above the list of existing users.
3.
Data entered in the New User section will be added to the Metastorm database, once the Create button is
clicked (see image below).
Explanation of User Properties:
•
User Name - This is the name by which users will be known by the Metastorm Process Engine.
This is the only required field. It will need to be typed into the Web Client's login window if
Single Sign On (SSO) has not been configured.
•
Reports To - Represents a company employee structure; you can select the users relevant Line
Manager / Team Lead for example from this field. The drop down field displays all the
Metastorm BPM users presently set up in this Metastorm database. To speed up the search you
can type into the field itself, it will refresh and present only the relevant user names.
•
Directory Tree - This field is used when users are created from a company's user directory (e.g.
Active Directory service). However this information can also be manually added.
•
Distinguished Name - This field is used when users are created from a company's user
directory (e.g. Active Directory service). However this information can also be manually
added.
Note: Full Directory Integration services are not available in the present version of Metastorm
BPM 9 but will be available in later releases.
•
Deliver Alerts by E-Mail - This is a Boolean field, select "Y" to send e-mail and select "N" to
not send e-mail. If you chose "Y" every time the user receives an alert that they have a new
folder on their To Do List or Watch List an e-mail will be sent to the address specified in the EMail Address property.
Metastorm BPM Version 9.0
December 2009
Page 57
Metastorm BPM Version 9.0
Note: This message is an automated Metastorm Process Engine response and as such cannot be
customized. If a customized email is required this can be programmatically created in the BPM
Designer.
•
E-Mail Address - This is the user's email address
Select the Change Password button to access the Password fields (see image below). This
is the password that the user must type into the web client's login window if SSO has not been
configured. The value entered is MD5 encrypted and stored in the Metastorm Database.
This is not a required field and for testing purposes user accounts can be created with a blank
password the value of "blank" is encrypted and stored in the Metastorm Database. This is not a
recommended practice for production systems.
The data entered will be added to the Metastorm database, once you click on the Create
button.
The time at which the user account was created also gets recorded, this will be displayed in the
Administrative Tools user interface in the "Last Update" column.
5.2.4
Delete Users
Deleting a user removes the user from the eUser table, effectively removing their access permissions to the
Metastorm Process Engine and therefore the Web Client.
Steps needed to delete a user
1.
Browse to the Administrative Tools using Internet Explorer and login.
2.
Select the User Tab. Search for the User that you want to delete. View the Find User/Search topic
for more information on doing this.
3.
Select the delete icon next to the user account you want to remove. You will be prompted by a
dialog box asking you to confirm your intention to delete the user account. Selecting 'Yes' will
permanently remove the user account from the eUser table. Selecting 'No' will cancel the deletion
request.
Note: Deleting user accounts should be done with caution, an assessment needs to be made of the
implications of removing the user account.
5.2.5
Update User
Steps needed to update a user
Metastorm BPM Version 9.0
December 2009
Page 58
Metastorm BPM Version 9.0
1.
Browse to the Administrative Tool using Internet Explorer and login.
2.
Select the Users tab. Use the search functionality available within the Administrative Tools to find
the user account that needs to be updated.
3.
Select the Pencil icon
4.
Make any necessary changes and click the Update button to save the changes.
5.2.6
to open up the User Account in Edit mode, (see image below).
Create Attributes
Tables of attributes can be created and added to user accounts in dynamic roles in BPM projects.
Steps needed to add attributes to a user:
1.
Browse to the Administrative Tool using Internet Explorer and login.
2.
Select the Users tab, expanding the user account to view the full user details; this is achieved by
clicking on the arrow
next to the relevant account.
3.
Below the user account entry the Attributes tab can be selected to display the attributes assigned to
the user and stored in the eAttribute table.
4.
Select the New Attribute link, this exposes editable fields to enter data into, selecting the green tick
insert the values into the eAttribute table. Selecting the red cross cancels the entry (See image below).
Metastorm BPM Version 9.0
December 2009
Page 59
Metastorm BPM Version 9.0
5.2.7
Assign Static Roles to Users
Sometimes you will need to update user accounts by amending the roles assigned. This can be configured
in the Roles tab of the Administrative Tools or in the User tab by directly editing expanded user accounts
(See figure below). Note that Static and Dynamic Roles are defined within BPM Projects and the
Administrative Tools only displays Static Roles.
Steps needed to assign a static role to a user
1.
Browse to the Administrative Tools using Internet Explorer and login.
2.
Select the Users tab. Expand the user account to view the full user details by clicking on the arrow
next to the relevant account.
3.
Below the user account entry you can view the roles held by the user and the roles available to be
assigned (see image below).
Metastorm BPM Version 9.0
December 2009
Page 60
Metastorm BPM Version 9.0
4.
Select the role you wish to assign in the Available Roles list on the right hand side and use the arrows
to move that role over to the left hand side Roles Held By User list. As soon as the role appears on the
left hand side the user holds the role.
Note: Multiple roles can be assigned in one go, by holding down the Shift key whilst selecting
multiple roles.
5.2.8
Find Users
The Metastorm BPM Administrative Tools offer several methods to allow administrators to find existing user
accounts.
Alphabetical Search
This is the simplest search facility which will bring back all the user accounts that have a user name that starts with
the letter chosen (in alphabetical order). In the figure below the letter S has been selected and the screen has
refreshed to display only the user accounts that have a User Name starting with the letter S. Note that the search is
case sensitive, so in this example users with names beginning with 's' will not be found.
Grouping and Search/Filter Options
On the left hand side of the Users tab interface there is a panel which offers two more refined searching methods,
Grouping Options and Search/Filter Options.
Grouping Options
Administrators can group user accounts by the configured company hierarchical structure established by the
Reports To field content with the Group By Manager options, or to clear this level of search refinement by
selecting the No Grouping option.
The figure below shows users accounts displayed in their Reports To structure following the selection of the
Group By Manager option. The interface allows the administration to expand and contract each Mangers reports to
section to view the user accounts of the people they manage.
Metastorm BPM Version 9.0
December 2009
Page 61
Metastorm BPM Version 9.0
Each of the user accounts has an arrow next to it which allows access to the roles and attributes associated with
that user. From this area roles and attributes can be added or removed.
Search/Filter Options
Administrators can search user accounts by putting values into the search fields: User Name, EMail
Address, Reports To, Last Update. There are two search options: Simple Search and Complex Filter.
Simple Search
This search method allows administrators to simply enter a value in any of the search fields and pressing
the "Enter" key or click on the "Refresh" button. In the figure below the letter "s" has been entered in the
User Name field causing all user accounts to be returned where "s" is included in the user name.
Complex Search
This search method allows administrators to undertake more complicated searches. Once the Complex
Search option has been selected from the panel on the left hand side Filter arrows will appear to the right of
the search fields in the User Tab interface. When the Filter arrow is selected the drop down list of search
criteria is displayed for your selection.
Using the complex search facility you can find user accounts that have user names that begin with the letter
"s" by entering "s" into the User Name field and then selecting the StartsWith option from the search
criteria drop down (see figure below).
Metastorm BPM Version 9.0
December 2009
Page 62
Metastorm BPM Version 9.0
Note: User search is case sensitive in Oracle by default, however in SQL Server it is case insensitive by
default.
5.2.9
Create a Reports To Structure
A company hierarchical structure can be represented by using the Reports To drop down field in the User account
information. This can be set up at the same time as the initial creation of the User account or at a later stage by
updating the User account.
Once set up administrators can use the Group By Manager search, more information can be found in the find
user topic. Additionally the Metastorm BPM Designer has a User's staff and User's manager formula that can be
used during process development. User's manager returns the manager, who has a specific role with respect to the
specified user and User's staff return a list of the staff who have a specific role and report to the specified user.
Steps needed to configure the Reports To feature
1.
Browse to the Administrative Tool using Internet Explorer and login.
2.
Select the User Tab.
3.
Open up an existing user account or create a new user account and add information to the Reports
To field.
4.
Select the drop down fields arrow, the field will expand containing a list of all the user names in
the Metastorm Database. To speed up the search you can start to type the user name if know into
the drop down field and the list of user names will begin to be filtered.
5.
Select the correct user name and click the Update button to save the change, or complete the rest
of the fields and click on the Create button.
5.3
Roles
5.3.1
Role-based Work Management
Metastorm BPM Version 9.0
December 2009
Page 63
Metastorm BPM Version 9.0
Metastorm BPM is patterned on the concept of role-based work management, which involves assigning tasks and
routing information to a role (such as System Engineer), rather than to a person (such as John, who is a System
Engineer). For the designer, role-based work management eliminates the need for knowledge of the names of
specific individuals in an organization and the positions they occupy. For the recipients, role-based work
management eliminates the need for a response from a specific person, but instead places the responsibility on the
role, regardless of whether it is held by an individual or a group of individuals.
Metastorm BPM offers the following options for user and role management via the Administrative Tools:
•
Users & Roles Management - Allows the creation and maintenance of User accounts. Static Role
assignment and attribute management.
•
Open Authentication - Allows Process Designers to create and deploy custom authentication solutions.
Note: Directory Extraction Service - A set of modules used to extract user-related attribute data from Directory
Services and store this data in the Metastorm BPM database. A full implementation will be included in later
versions of Metastorm BPM 9.
5.3.2
Identifying the User & Role Assignments in Your Organization
To identify the roles in your organization, and assign the proper users to these roles, you must answer the
following two questions:
1.
What individuals will use the system (in any capacity)?
2.
What roles do these individuals occupy in my organization?
Identifying Users
You can create an initial user list based on your organization’s employee list. Depending on your
organization’s needs and organization, the employee list may:
•
Contain individuals who are not participants in workflow procedures (such as a pool of workers
without access to the system, but who answer directly to a supervisor who logs their production).
These employees should be deleted from your preliminary list.
•
Not include any non-employees (such as contract workers or temporary employees) who may
become process participants. These non-employee users should be added to your list.
Note: If you discover that you need to add or delete a user for any reason, you can return to the Users
tabs and make the necessary modifications to the user list. These changes become effective immediately.
As you refine your user list, it is a good idea to organize it by workgroups, teams, departments, etc. This
method not only helps ensure that all individuals are accounted for, but it is useful when you move to the
next step, identifying role assignments.
Identifying Role Assignments
Role-based work management is based on the concept that responsibilities are assigned based on an
individual’s job function or role within the organization. The simplest way to make the proper role
assignments is to link users with their job title. This is where having organized your user list according to
your organization divisions becomes helpful.
The list you develop may not reflect all possible role assignments in your organization. You can define
new roles (static or dynamic) as procedures require them. Similarly, you can modify role assignments as
changes in your organization require.
Metastorm BPM Version 9.0
December 2009
Page 64
Metastorm BPM Version 9.0
Defining Roles
Roles are defined in the Project containing the process. For detailed information on how to define roles, see
the Designer User Guide.
5.3.3
Managing Roles
The Metastorm BPM Administrative Tools allows Administrators to undertake a number of Role
Management tasks. This tool has a tabbed interface. The second tab is "Role" which is where the
administrator can carry out the following tasks:
•
Searching Role Assignments
•
Checking Roles
•
Adding and Removing Users to/from Roles
Steps needed to access the Roles Tab
1.
Using Internet Explorer, access the Metastorm Administrative Tools via the following URL
http://<server name>/MetastormAdministration/
2.
You will be taken to a login page. Enter the User Name and Password for the default
Administration account.
Username: SysAdmin
Password: metastorm
Note: The default Administration account is created when the Metastorm database creation scripts
are run.
3.
5.3.4
Select the Roles Tab, once the page has loaded you should see a screen similar to the image below.
Searching Roles
The Metastorm Administrative Tools allow administrators to find existing static roles via two main search
methods, Simple Search and Complex Filter Search.
Simple Search
Metastorm BPM Version 9.0
December 2009
Page 65
Metastorm BPM Version 9.0
This search method allows administrators to simply enter a value in any of the search fields and pressing
the "Enter" key or click on the "Refresh" button.
Complex Filter
This search method allows administrators to undertake more complicated searches. Once the Complex
Search option has been selected from the panel on the left hand side filter arrows will appear to the right of
the search fields in the Role Tab interface. When the Filter arrow is selected the drop down list of search
criteria is displayed for your selection.
5.3.5
Checking Roles
The Metastorm Administrative Tools offer two methods to allow administrators to check existing Static
Roles, Roles Without Users and Undefined Roles.
Roles Without Users
This method generates a message box response detailing which Static roles in the Metastorm BPM
Database presently have no users assigned to them. See image below. This method it initiated by selecting
the "Roles Without Users" option in the left pane.
Undefined Roles
This is initiated by selecting the "Undefined Roles" option in the left pane. This checks to make sure that all
static roles are used in deployed projects. This method also opens a message box, see image below.
Metastorm BPM Version 9.0
December 2009
Page 66
Metastorm BPM Version 9.0
5.3.6
Assign Static Roles to Users
Sometimes you will need to update user accounts by amending the roles assigned. This can be configured
in the Roles tab of the Administrative Tools or in the User tab by directly editing expanded user accounts
(See figure below). Note that Static and Dynamic Roles are defined within BPM Projects and the
Administrative Tools only displays Static Roles.
Steps needed to assign a static role to a user
1.
Browse to the Administrative Tools using Internet Explorer and login.
2.
Select the Users tab. Expand the user account to view the full user details by clicking on the arrow
next to the relevant account.
3.
Below the user account entry you can view the roles held by the user and the roles available to be
assigned (see image below).
4.
Select the role you wish to assign in the Available Roles list on the right hand side and use the arrows
to move that role over to the left hand side Roles Held By User list. As soon as the role appears on the
left hand side the user holds the role.
Note: Multiple roles can be assigned in one go, by holding down the Shift key whilst selecting
multiple roles.
5.4
Log
5.4.1
Managing Error Logs
When the Engine encounters a problem in a BPM Process an error is generated and stored in the eLog table of the
Metastorm database, these errors can be viewed via the Log Tab of the Administration Tool Interface.
The following Designer Log categories are available:
•
Authentication Errors —failed login attempts to the Metastorm Engine.
•
Process Errors –procedure warnings and errors.
Metastorm BPM Version 9.0
December 2009
Page 67
Metastorm BPM Version 9.0
On the left hand side of the interface you will view the navigation panel displayed below, that allows you to
drill down into the errors that have been logged.
•
Log Type -You can choose to view either Authentication Errors or Process Errors.
•
Grouping Options - You can choose to group the errors by Process or not.
•
Search/Filter Options - Configures the interface to allow Simple and Complex Filter searches to
be undertaken.
•
Simple Search - Allows the user to search the errors by column heading.
•
Complex Filter - Allows the user to set up a filtered search involving several columns
Steps needed to View the Log Tab
1.
Browse to the Administration Tool using Internet Explorer and login.
2.
Select the Log Tab (see image below).
3.
Choose to review Process Errors or Authentication Errors.
4.
Use either the Grouping Options or the Search/Filter options to allow you to find the error you
wish to review
5.
Drag and drop the grid columns until they are in an order that allows you to view the information
you are interested in.
6.
Expand the error to view full details.
5.5
Metastorm Repository
5.5.1
Managing Metastorm Repository
The Metastorm Database tab allows the Administrator to undertake a number of important Database and System
functions, as listed below:
• Managing Service Level Settings
• View deployed Projects and Libraries and their Version History
• Delete a specific version of a Project
• Delete a Project
• Delete a specific version of a Library
• Delete a Library
• View and edit the following elements of Projects and Libraries:
• Connections
• Start Groups
• Processes
• Report Groups
• Administration Groups
• View and Administer folders
• Searching for folders
• View folder attachments, history, parent/child folders, alert lists
• Update folder (subject, category, priority)
Metastorm BPM Version 9.0
December 2009
Page 68
Metastorm BPM Version 9.0
• Unlock All Folders
• Unlock a Folder
Note: Alerts are handled differently in version 9 preventing the need for Administrators to purge
deletion alerts.
Accessing the Metastorm Database Tab
1.
Using Internet Explorer, access the Metastorm Administration Tools via the following URL
http://<server name>/MetastormAdministration/
2.
You will be taken to a login page. Enter the Username and Password for the default
Administration account:
Username: SysAdmin
Password: metastorm
3.
Select the Database tab and the explore tree has been expanded only as far as to display the Projects and
Libraries nodes (see image below).
5.5.2
Managing Service Level Settings
It is possible to configure system settings through the Administrative Tools Metastorm Repository tab. Select the
top node of the Metastorm Repository explore to open a form to the right that contains two sections a Basic
settings section and an Advanced Settings section. These settings are detailed below and should only be changed
with caution and consideration, especially the Advanced settings.
Basic Settings
Metastorm BPM Version 9.0
December 2009
Page 69
Metastorm BPM Version 9.0
•
Session time out period - Sets the number of minutes of no interaction with a Metastorm service
that is required to elapse before the session times out. Default 60. Click here for more information.
•
Folder lock time out period - Sets the number of minutes after which a locked folder is automatically
released for action by a user other than the user who locked it. Default 60. Click here for mire
information.
•
Guest user name - Sets the name of the user account used for Public Access Authentication.
Default eGuest. Click here for more information.
Advanced Settings
•
Alive Interval - Sets a time period (in minutes) for each engine to update the repository to show
that engine is still running. Default value is 2
•
Alert Generation - Configures the whole system to either generate alerts or not. The Default value
is -1 causing alerts to be generated. Click here for more information.
•
Deletion Alerts - Causes deletion alerts to either be generated or not. The default value is -1 which
prevents deletion alerts from being generated. Click here for more information.
•
Multi-Lingual List Support - Determines if your system will support Multiple Languages. Default
value is 0 indicating that the Metastorm BPM system does not supports Multi Lingual Processing.
This setting should only be changed once and requires further configuration steps. Click here for
more information.
Note: The format of the FolderID has changed. By default it is now prefixed with 0900 followed by 27
digits. This prefix value is stored in the eFolderIDPrefix column of the eServer table and can be altered if
needed. It should be noted however that the FolderID is the systems unique reference to folders and should
therefore only be altered with care and consideration.
5.5.3
Session Timeout Period
If a user attempts to access a service after a set period of inactivity, Metastorm BPM displays a message
telling them that their session has timed out and that they must log out and log back in again.
If the user is accessing Metastorm BPM with Outlook any open forms will be closed when they log out,
and any data that has not been submitted will be lost.
If the user is accessing Metastorm BPM with Internet Explorer using the Web Client, they may leave a
form open while logging out and logging back in, and then continue working with the form.
Users of the Web Parts must close any open forms when the session times out, as any open forms
will be using an out-of-date session id.
The session times out if the user does not interact with a service for a set period. The following are
examples of interacting with a service:
•
Refreshing a list
•
Opening a folder
•
Submitting a folder
•
Entering data and moving to another field when there are dependencies
Metastorm BPM Version 9.0
December 2009
Page 70
Metastorm BPM Version 9.0
However, carrying out the following actions are not counted as interacting with a service:
•
Spending a long time entering data into a field
•
Adding or retrieving an attachment
Note: The session will not time out when Metastorm BPM is taken offline.
Note: For users of the Outlook client, the session will only ever time out if the refresh interval is set to 0 or
set to a length of time longer than the time-out period.
The session time-out setting for an Engine is held in the database. To update this setting, open the ‘Update
Time-out’ Administration Form, enter the time period in the Session time-out field and submit the form.
The default value for this setting is 60 minutes. If the value is set to 0, the session will not time out. The
change only takes effect for sessions started after the update is made.
We recommend that for security reasons you do not set the session time-out value to 0. In addition, if the
session time-out value is set to 0, the eSession table will fill up with unexpired sessions and should be
cleared manually at regular intervals.
The setting corresponds to the length of a time-out period. The first time-out period begins when the user first
interacts with Metastorm BPM. If the user stops interacting with Metastorm BPM during the first half of the timeout period, the session ends when this time-out period ends.
For example, if the session time-out is set to 60 minutes, and the user interacts with Metastorm BPM for just 20
minutes, the session will time out 60 minutes after it began (i.e. 40 minutes since the user’s last interaction with
Metastorm BPM). If the user attempts to interact with Metastorm BPM after this, he will be asked to log out.
A new time-out period automatically begins the first time the user interacts with Metastorm BPM during the
second half of a time-out period. This new time-out period is treated in the same way as the first one. If the user
carries out their last interaction with in the second half of a time-out period, the session will continue to be
available until the end of the next time-out period.
For example, if the time-out period is set to 60 minutes, and the user interacts with Metastorm BPM for 45
minutes, the interaction that happens in the 31st minute sparks a new time-out period. The session will time out at
the end of the new time-out period, 1 hour and 31 minutes since the first interaction. However, if the user starts to
interact during the second half of the second time-out period, a further time-out period will begin.
5.5.4
Folder Lock Timeout
This dialog enables you to specify the number of minutes after which a locked folder is automatically released for
action by a user other than the user who locked it (it is always available to the user who locked it). A folder is
locked when a user is modifying it or performing an action upon it, such as filling out a form. This prevents
multiple users from editing or modifying a folder at the same time. If a user attempts to open a folder for an action
(by selecting the action button) and this folder is already locked by another user, the following error message is
displayed:
Folder already locked for <action name> by <username>
Metastorm BPM Version 9.0
December 2009
Page 71
Metastorm BPM Version 9.0
If two users, logged in using the same user id, lock the same folder to perform an action then the second user to
submit the folder will get the error message:
Folder not locked.
The Folder Lock Timeout can be used to:
•
Prevent a user from leaving a folder open too long and denying access to others.
•
Prevent a folder from being permanently inaccessible when a network or workstation fails.
•
Prevent a folder remaining inaccessible, when a user’s browser has been closed in the middle of taking
an action without committing the action or canceling it.
5.5.5
View Projects and Libraries
Metastorm Administrators can use the explorer tree on the left hand side of the Repository tab to view all
the Projects and Libraries that have been deployed to the Metastorm Repository along with all their
subsequent parts. The image below, shows that one project and two libraries have been deployed to this
example Metastorm Repository.
By selecting the Project or Library name the version history is displayed and the element expands to show
the processes, connections and start groups that are contain within it, as shown in the image below.
If you select the Start Groups (see image below) you will see an entry for each different Process,
Administration form, and Report that has already been created and deployed; you can then change their
"Group Name" which will effect how they are grouped in the Web Client's Blank Forms, Administration
Metastorm BPM Version 9.0
December 2009
Page 72
Metastorm BPM Version 9.0
Forms and Reports Lists.
.
Note: Please note that connections in Libraries do not show under the Library nodes. Library connections
will appear under the Project nodes of those projects that reference the library.
5.5.6
Deleting a Project
As part of cleaning up the Metastorm Repository it is good practice to delete Projects they are no longer
needed and their folder information is not required to be archived and stored. This can be done by
performing the following steps:
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm DB explore tree node
3.
Expand the Projects node
4.
Select the name of the Project you wish to delete from the Metastorm Repository and right click
5.
Select the option "Delete" from the sub menu.
Note: Deleting a Project will remove all references to this project from the repository including all
the information related to its folders.
Note: Tables relating to Sub-Process will not be deleted from the Metastorm Repository when the
Project's they are associated with are deleted, if there is no reference to them being used by the
Project.
Deleting a Version History
Metastorm BPM Version 9.0
December 2009
Page 73
Metastorm BPM Version 9.0
As part of cleaning up the Metastorm Repository you can remove old copies of Projects that are no longer
used and will not be needed to be recovered. This can be done by performing the following steps:
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Project you wish to delete.
5.
View the Version History in the right hand panel and select the trash can icon next to the version
you intend to remove.
5.5.7
Deleting a Library
As part of cleaning up the Metastorm Repository it is good practice to delete Libraries if they are no longer
needed and their folder information is not required to be archived and stored. This can be done by
undertaking the following steps:
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Libraries node
4.
Select the name of the Library you wish to delete from the Metastorm Repository and right click
5.
Select the option "Delete" from the sub menu.
Note: Deleting a Library will remove all references to this Library from the repository; this may
cause problems if it is being used by processes.
Deleting a Library Version History
As part of cleaning up the Metastorm Repository you can remove old copies of Libraries that are no longer
used and will not be needed to be recovered. This can be done by undertaking the following steps:
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Library node
4.
Select the name of the Library you wish to delete .
5.
View the Version History in the right hand panel and select the trash can icon next to the version
you intend to remove.
5.5.8
Administer Folders
The Administrative Tools can be used to administer Metastorm BPM Folders in the following ways:
• Searching for a Folder
• Unlock Folders
• Unlock All Folders
• Unlock individual Folders
• Updating Information
Metastorm BPM Version 9.0
December 2009
Page 74
Metastorm BPM Version 9.0
• Update Folder (subject, category, priority)
• View and Update Folder Attachments, History, Parent/Child Folders, alert lists
• Update Folder Alerts
• Delete Folders
Searching for Folders
To view a list of all folders associated with a specific process:
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Process to which the folder you wish to view
relates
5.
Select the Process and view all the folders contained within it on the right hand side
This area displays the following information about each folder (each heading can be a filter):
•
Folder name
•
Stage at which the folder is currently located
•
Folder ID
•
Subject of the folder
•
Priority of the folder
•
If it is locked
Unlock Folder
Folders are automatically locked to everyone but their present user by the Engine. It may become necessary
to unlock the folders to:
•
Prevent a user from leaving a folder open too long and denying access to others.
•
Prevent a folder from being permanently inaccessible when a network or workstation fails.
•
Prevent a folder remaining inaccessible, when a user’s browser has been closed in the middle of
taking an action without committing the action or canceling it.
Using the Administrative Tools the Metastorm administrator can choose to Unlock all the folders in one go
or on an individual basis.
Unlock all folders in one go
1.
Select the "Metastorm Repository" tab of the Administrative Tools interface.
2.
Right click on the top node of the explore tree "Metastorm Repository" and select the "Unlock
Folders" sub menu that appears, as in the diagram below.
Metastorm BPM Version 9.0
December 2009
Page 75
Metastorm BPM Version 9.0
3.
A dialog will appear stating how many folders will be unlocked, and an "OK" button to initiate
this process.
Unlock individual folders
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Process to which the folder you wish to edit relates
5.
Select the Process and view all the folders contained within it on the right hand side
6.
Select the unlock folder option next to the folder.
Updating Information
Update Folder (subject, category, priority)
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explorer tree node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Process to which the folder you wish to edit relates
5.
Select the Process and view all the folders contained within it on the right hand side
6.
Select the pencil icon next to the folder you wish to edit and Edit the information, selecting the
green tick when complete
View Folder Attachments, History, Parent/Child Folders, alert lists
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explorer tree node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Process to which the folder you wish to edit relates
5.
Select the Process and view all the folders contained within it on the right hand side
6.
Select the white triangle next to the folder you wish to view the information for. This will expand
the row and display a tab interface (see image below). You can use this interface to find out the
relevant folder information.
Update Folders Alert List
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
Metastorm BPM Version 9.0
December 2009
Page 76
Metastorm BPM Version 9.0
3.
Expand the Projects node
4.
Select the name of the Project that contains the Process to which the folder you wish to edit relates
5.
Select the Process and view all the folders contained within it on the right hand side
6.
Select the white triangle next to the folder you wish to view the information for. This will expand
the row and display a tab interface (see image below).
7.
Select the Alert List Tab to view and edit the alerts for this folder. This means that you can add or
remove the folder to and from peoples ToDo List and Watch List.
Delete a Folder
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Process to which the folder you wish to delete
relates
5.
Select the Process and view all the folders contained within it on the right hand side and use the
column filtering to allow you to find the folder
6.
Select the trash can icon next to the relevant folder to delete it from the Metastorm Repository.
5.5.9
Administer Procedure and Library Elements
The Administrative Tools can be used to administer the subsections that belong to Projects and Libraries,
such as those listed here:
• Editing Connections
• Editing Start Groups
• Deleting Processes
• Deleting Report Groups
• Deleting Administration From Groups
Administering Connections
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Connection you wish to edit, you will see a list of
associated Connections appear on the right hand side.
5.
Select the pencil icon next to the Connection you wish to edit, you will then be able to edit the
Connection and save your changes (please see image below).
Note: Selecting the Overridden checkbox property means that the connection was overridden by
external tool and will not be modified by further deployment of the project containing the
connection.
Metastorm BPM Version 9.0
December 2009
Page 77
Metastorm BPM Version 9.0
Start Groups
Processes, Administration Forms and Reports can be grouped together to enable a more organized user
experience when viewing the items in the Web Client. This grouping can be achieved by editing the Start
Groups section of a Project, as follows:
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository node
3.
Expand the Projects node
4.
Select the name of the Project that contains the Start Group you wish to edit, you will see a list of
associated items appear on the right hand side.
5.
Select the pencil icon next to the item you wish to edit, edit and save your changes (please see
image below).
Metastorm BPM Version 9.0
December 2009
Page 78
Metastorm BPM Version 9.0
Deleting Processes
As part of cleaning up the Metastorm Repository it is good practice to delete Projects if they are no longer
needed.
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Process you wish to delete, right click and select delete.
Deleting Report Groups
As part of cleaning up the Metastorm Repository it is good practice to delete Report Groups if they are no
longer needed.
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Report Groups you wish to delete, right click and select delete.
Deleting Administration Form Groups
As part of cleaning up the Metastorm Repository it is good practice to delete Administration Form Group if
they are no longer needed.
1.
Go to the "Metastorm Repository" tab in the Administrative Tools
2.
Expand the Metastorm Repository explore tree node
3.
Expand the Projects node
4.
Select the name of the Administration From Group you wish to delete, right click and select
delete.
Metastorm BPM Version 9.0
December 2009
Page 79
Metastorm BPM Version 9.0
5.6
Authentication
5.6.1
Administering Server Authentication Provider (SAP) Scripts
The Metastorm BPM authentication architecture is designed to support multiple mechanisms of
authentication, this enables the User to experience a seamless log in process every time even when they are
connecting to the Metastorm service though different devices, and via different connection methods.
The Administrative Tools can help you administer this via the "Authentication" tab. The following tasks
can be undertaken:
•
View Present Authentication Configuration
•
Add a SAP Script
•
Remove a SAP Script
•
Change the order of SAP Script execution
•
Download the SAP Script file
•
Set up Public Access
•
Remove Public Access
•
Enable a Signature
•
Remove a Signature
View Present Authentication Configuration
1.
Go to the "Authentication" tab in the Administrative Tools
2.
On the right hand side you will see the list of SAP scripts and there order of execution. By default
initially you will only see the euser.js scripts (see image below).
Add a SAP Script
1.
Go to the "Authentication" Tab in the Administrative Tools
2.
Select the Add SAP Script button on the left had side
3.
You will be prompted to browse for your SAP Script file and click the Add Script button.
At this point you can select a customized SAP script or choose from the ones shipped with the
Metastorm BPM product. Following a default install the file path would be: C:\Program
Files\Metastorm\BPM\Engine\Authentication.
Metastorm Ships with the following SAP script examples:
• eerror.js
• eguest.js
• eremdetails.js
• erempwd.js
• erempwddetails.js
• eSSO_Web.js = this is the SAP script required for Windows Single Sign On
• euser.js = this is the default SAP script
Metastorm BPM Version 9.0
December 2009
Page 80
Metastorm BPM Version 9.0
• installOA.js
• mqauthentication.js
4.
The screen will refresh and you will see your SAP script added to the list on the right
hand side.
Remove a SAP Script
1.
Go to the "Authentication" Tab in the Administrative Tools
2.
On the right hand side you will see the list of SAP scripts and there order of execution, find the
one you wish to remove.
3.
If you wish you can choose to download a copy of it and save it locally by selecting the Download
button. Or you can jump to step 4.
4.
Click on the Trash can icon next to the SAP script you wish to remove.
5.
Then select the OK button when prompted to confirm you request.
Change the order of SAP Script execution
1.
Go to the "Authentication" Tab in the Administrative Tools
2.
On the right hand side you will see the list of SAP scripts and there order of execution indicated in
the index column.
3.
Click on the SAP script you wish to re-order and drag it up and down until you are happy with the
order of execution, you will notice that the line goes green to indicate your selection.
Note: The SAP order starts at 0, as being the first SAP script that the Metastorm Process Engine
will try and execute, and increments up.
To download the SAP Script file:
1.
Go to the "Authentication" Tab in the Administration Tool
2.
On the right hand side you will see the list of SAP scripts and there order of execution.
3.
Find the one you wish to download a copy of and click its Download button.
4.
You will be prompted to confirm your intention, select the Download button.
5.
Chose to open the file, by selecting the Open button, or save the file locally by selecting the Save
button.
6.
Follow the options to save the file in a location of your choosing.
Set up Public Access
A Public Access license can been purchased and installed, this provides anonymous access to Metastorm
Blank Forms and Administration form.
1.
Go to the "Authentication" Tab in the Administrative Tools
2.
On the left hand side select the Public Access button
3.
You will be prompted to browse for your eguest.js SAP Script file and you will be allowed to
amend the Guest Username (by default this is set to eGuest). Click the Add Script button.
Note: When a guest user logs in, the Process Engine will give them the Guest Username.
Metastorm BPM Version 9.0
December 2009
Page 81
Metastorm BPM Version 9.0
Note: Following a default install the file path the eguest.js file would be: C:\Program
Files\Metastorm\BPM\Engine\Authentication.
4.
On the left hand side view the Status panel (see image below) to check that Public Access is now
showing as being Enabled. Note that the eguest.js SAP script will not be displayed in the list of
active SAP scripts on the right hand side.
Remove Public Access
1.
Go to the "Authentication" Tab in the Administrative Tools
2.
On the left hand side select the Remove Public Access button
3.
Select the OK button when notified that Public Access has been removed.
4.
On the left hand side view the Status panel (see image below) to check that Public Access is now
showing as being Disabled.
Enable Signature
A digital signature is an electronic tag which guarantees that data has been supplied by a particular
system user and has not been changed by a third party. The Metastorm signature control which a process
designer can deploy on a Metastorm form comes with a script which populates the signature with the
process participant’s user ID and a time stamp. This script can be amended to suit the needs of your
organization.
1.
Go to the "Authentication" Tab in the Administrative Tools
2.
On the left hand side select the Enable Signature button
3.
You will be prompted to browse for your eClientSignature.js
4.
On the left hand side view the Status panel (see image below) to check that Signature is now
showing as being Enabled.
Note: Following a default install the file path the eClientSignature.js file would be:C:\Program
Files\Metastorm\BPM\Engine
Remove Signature
1.
Go to the "Authentication" Tab in the Administration Tool
2.
On the left hand side select the Remove Signature button
3.
Select the OK button when notified that Signature has been removed.
4.
On the left hand side view the Status panel (see image below) to check that Signature is now
showing as being Disabled.
5.7
Services
5.7.1
Registering Services
This area allows you to register additional Metastorm Engine Services and Metastorm Deployment
Services. Because you are doing this through the Administrative Tools you do not have to hold any further
Metastorm BPM Version 9.0
December 2009
Page 82
Metastorm BPM Version 9.0
system permissions beyond holding the "MetastormAdmintrator" role. Once configured you will be able to
check the status of these services and start and stop them from one location.
How to Register a Service:
1.
Go to the "Services" Tab in the Administration Tools
2.
Enter the machine name on which the Services are connected and hit the Register button
3.
You should see your services appear as registered on the right hand side (see the image below)
Note: The browser needs to be started using the ‘Run as administrator’ option on Vista and Server 2008 for
this to work.
5.7.2
Configuring Registered Services
This area allows you to configure both the Engines Service and the Deployment Service, because the user
is doing this through the Administration Tools he/she does not need to have rights to the machines on
which the services are running, only hold the "MetastormAdministrator" role.
1.
Go to the "Services" Tab in the Administration Tools
2.
Then right click on the service you wish to configure (see image below).
The sub menu enables the user to perform the following actions:
•
Start – Starts the selected service.
•
Stop – Stops the selected service.
•
Restart – Restarts the selected service.
•
Update Status – Refresh the service status.
Metastorm BPM Version 9.0
December 2009
Page 83
Metastorm BPM Version 9.0
5.8
SSO Configuration
The Administrative Tools can be configured to use Windows® Single Sign-On (SSO) authentication, if the
Metastorm Service has already been configured to do so - Learn how to configure SSO. This prevents the user
from needing to enter any credential when they launch the Tools.
Follow these steps:
1.
Open up the Administrative Tools web.config file in an editor such as Notepad or Visual Studio
2008. If default options were selected during the Metastorm install the location should be
C:\Program Files\Metastorm\BPM\Administrative Tools\Web.
2.
Edit the web.config file so it looks like the example below. Uncomment the <authentication
mode ="Windows" /> and add the line <identity impersonate="true" />. Finally comment the
<authentication mode="Forms"> section.
<authentication mode="Windows" />
<identity impersonate="true" />
<!--<authentication mode="Forms">
<forms name="MetastormBPMAuth"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
path="/"></forms>
</authentication> -->
3. Open up the browser and go to the following URL, you should be logged in to the Administrative
Tools with out having to login.
http://<server name>/MetastormAdministration/
Metastorm BPM Version 9.0
December 2009
Page 84
Metastorm BPM Version 9.0
6
ADMINISTRATIVE PROCESSES
6.1
Browser Settings
We have provided an administrative form process called "Browser Settings"; this process can be used ‘out
of the box’, or modified to suit your own organizational requirements. It provides an Administration Form
that allows any process user to alter their default locale settings (date, time and number formats). When
deployed, the administrative form will automatically be available in French, Spanish and German.
Screen shot of the Administration Form – Browser Settings
Metastorm BPM Version 9.0
December 2009
Page 85
Metastorm BPM Version 9.0
Follow the instructions below to deploy The Browser Settings process:
1.
the necessary files can be found following a default installation at the following path.
C:\Program Files\Metastorm\BPM\Administrative Tools\Administrative Processes\Browser
Settings
2.
Open and deploy the Browser_Settings.Solution in the Metastorm BPM Designer.
3.
Open the Metastorm web client and launch the Browser settings form from the Administration
Forms List.
Changing any settings and then submitting the form will save the changed settings as a persistent cookie on
the user’s machine. Cancelling the form will leave the previous settings unchanged.
Metastorm BPM Version 9.0
December 2009
Page 86