Monitoring Oracle BAM Report Server

Managing Oracle Business Activity Monitoring 24-3

2. Create Users and Groups

Users and groups are defined in the configured security provider (for example, in the Oracle WebLogic Server embedded LDAP server). Refer to your specific security provider documentation for details on defining users and groups.

See Section 24.3.1, "Defining Users and Groups" and Section 24.3.2, "Using Previously Seeded Group Members" for more information. See Section 24.3.5, "Configuring Oracle WebLogic Server Embedded LDAP Server" for example instructions about using Oracle WebLogic Server Administration Console to create users and groups.

3. Assign Users and Groups to Application Roles

In turn, these users, groups, or both, are assigned to Oracle BAM application-level roles that grant those users, groups, or both, specific permissions for using Oracle BAM applications. Users and groups are granted Oracle BAM application permissions based on their Oracle BAM role membership. See Section 24.3.3, "Adding Members to Application Roles" for a detailed description of the Oracle BAM application roles and their associated Oracle BAM application permissions.

Membership in Oracle BAM application roles is administered from the Application Roles page for Oracle BAM provided by Fusion Middleware Control. This page allows users and groups to be added as members to the various Oracle BAM application roles and allows creation of new application roles. See Section 24.3.4, "Introduction to Oracle BAM Application Roles" for more information.

With the exception of the Administrator role, membership in an Oracle BAM application role does not imply any Oracle BAM data access permissions. The Oracle BAM application roles only grant the user access to the associated Oracle BAM user interface as described in Section 24.3.4, "Introduction to Oracle BAM Application Roles".
Note: You can use Oracle WebLogic Server to configure the Active Directory Authentication provider for authenticating Oracle BAM users instead of using the default embedded LDAP (also known as the default authenticator). To use Active Directory, you must also do some additional steps to change the OracleSystemUser default user. See "Changing the OracleSystemUser Default User" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services for more information.

Note: Oracle BAM does not support assigning Oracle BAM application permissions directly to users and groups. Oracle BAM application permissions can only be granted to Oracle BAM application roles. The only way to grant Oracle BAM application permissions to users and groups is to make those users and groups members of an Oracle BAM application role associated with the desired Oracle BAM application permissions.

24-4 Oracle Fusion Middleware Administrator's Guide for Oracle SOA Suite and Oracle BPM Suite

When the user logs on to the Oracle BAM start page, there is a button for each of the Oracle BAM applications. Whether these buttons are enabled or not is based on the user's Oracle BAM application role membership.

4. Populate Users In Oracle BAM Applications

Users are not visible from Oracle BAM Administrator until they have logged into Oracle BAM for the first time. Oracle BAM also provides a utility that you can run to populate the users in Oracle BAM Administrator. See Section 24.3.6, "Populating Users in Oracle BAM Administrator" for more information.

5. Set Up Data Access Permissions on Oracle BAM

Specific data access permissions can be granted to users and groups using Oracle BAM Architect and Oracle BAM Active Studio. Users and groups can be granted read, update, and delete operation permissions on specific data objects and folders. See "Creating Permissions on Data Objects" and "Using Data Object Folders" in Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite for more information.
Data access permissions can also be granted to users and groups at the row level for data objects. See "Creating Security Filters" in Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite for information about row-level data security.

Individual report authors can control which Oracle BAM users have access to reports. See "Setting Folder Permissions" in Oracle Fusion Middleware User's Guide for Oracle Business Activity Monitoring for more information.

6. Manage Oracle BAM Object Ownership

When Oracle BAM users are removed from the security provider, the user accounts still appear in Oracle BAM Administrator because they may own Oracle BAM objects that must be transferred to other users before the user is completely removed from Oracle BAM. Object ownership is managed using Oracle BAM Administrator (see Section 24.3.7, "Managing Oracle BAM Object Ownership").

7. Remove Users From Oracle BAM

The administrator must also remove users from Oracle BAM Administrator after they are deactivated in the security provider (see Section 24.3.8, "Removing Invalid Users from Oracle BAM Administrator").

OracleSystemUser

OracleSystemUser is the default owner of all Oracle BAM objects. It is required by Oracle BAM Server and must not be deleted.
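The offboarding order in steps 6 and 7 can be checked with a reconciliation like the following, which is an added example and not Oracle code or an Oracle BAM API. It assumes the security provider's user list, the Oracle BAM Administrator user list, and the object ownership list have been exported by some means; the function name, input shapes, sample names, and the case-insensitive name matching are all assumptions.

```python
# Added example: offboarding reconciliation for Oracle BAM (steps 4, 6 and 7).
# Every user name and object path below is constructed sample data.

SYSTEM_USER = "OracleSystemUser"  # default owner of BAM objects; must not be deleted


def reconcile(provider_users, bam_users, object_owners):
    """Compare the identity store with Oracle BAM Administrator.

    provider_users: user names active in the security provider
    bam_users:      user names visible in Oracle BAM Administrator
    object_owners:  mapping of BAM object name -> owning user name
    Names are compared case-insensitively (an assumption of this example).
    """
    active = {u.casefold() for u in provider_users}
    # Accounts still listed in BAM with no identity-store entry behind them.
    stale = sorted(u for u in bam_users
                   if u != SYSTEM_USER and u.casefold() not in active)

    owned = {}
    for obj, owner in sorted(object_owners.items()):
        owned.setdefault(owner.casefold(), []).append(obj)

    # Step 6 before step 7: ownership is transferred before the account goes.
    transfer_first = {u: owned[u.casefold()] for u in stale if u.casefold() in owned}
    safe_to_remove = [u for u in stale if u.casefold() not in owned]

    # Step 4: provider users who have never logged in are not yet visible in BAM.
    known = {u.casefold() for u in bam_users}
    not_yet_populated = sorted(u for u in provider_users if u.casefold() not in known)

    return {"transfer_first": transfer_first,
            "safe_to_remove": safe_to_remove,
            "not_yet_populated": not_yet_populated}


# Constructed sample exports.
PROVIDER = {"weblogic", "alee", "mchen", "newhire"}
BAM = {"OracleSystemUser", "weblogic", "alee", "jsmith", "rpatel"}
OWNERS = {
    "/Reports/Sales Dashboard": "jsmith",
    "/Reports/SLA Alerts": "jsmith",
    "/Reports/Ops": "alee",
    "/Data Objects/Orders": "OracleSystemUser",
}

if __name__ == "__main__":
    for bucket, value in reconcile(PROVIDER, BAM, OWNERS).items():
        print(bucket, value)
```
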

24.3.1 Defining Users and Groups

Users are defined in the configured security provider's identity store (for example, Oracle WebLogic Server embedded LDAP server). Groups, also referred to as enterprise-level roles, are also defined in this identity store. Groups are referred to as enterprise-level roles to distinguish them from application-level roles.

Note: Changes to a user's group and role membership could take as long as 5 minutes to propagate throughout the system.