[OO Tip] BSM integration appears to need excess rights
When running Operations Orchestration (OO) version 9.07.0004 Content Pack (CP) 12 there are issues with the security/permissions configuration. The OO Operators need sufficient rights to launch Flows from Business Service Management (BSM). The integration works if an OO administrator user launches the flow from BSM, so the Operators need similar permissions. The integration does not work with only the Headless and Run Reports rights.
The integration guide states the following are required:
AUTHOR, SCHEDULE, MANAGE_RUNS, RUN_REPORTS, and HEADLESS_FLOWS.
However, testing reveals that only HEADLESS_FLOWS, RUN_REPORTS and MANAGE_RUNS are required.
Given that the user has the rights and can run the flow directly in OO with their own ID, and that LWSSO is used so the same ID is passed through, this should not require MANAGE_RUNS.
Omitting it throws a System Error in BSM. This is an issue from a security and access standpoint.
The MANAGE_RUNS capability is needed.
Here is the logic. Both starting runs and resuming hand-off flows go through the same Application Programming Interface (API). There is a common entry point in the code, represented by loading a run. At this point the code is unaware whether the request has come from a new run or from a hand-off flow.
In the case of a hand-off flow, the idea is that anyone who gets access to the link can load it and run it by clicking on it. However, the person who starts the flow from the hand-off state needs to have the MANAGE_RUNS capability (otherwise the hand-off functionality would not make sense, because only the owner would be allowed to resume a flow from the hand-off state).
This is a design trade-off that cannot be changed.
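The following is an added illustration, not HP code: a small Python model of the shared "load a run" entry point described above (the function names, the `Run` class and the sample grants are all hypothetical), plus a least-privilege check that compares an operator's grant against the tested minimum and the larger set the integration guide lists.

```python
from dataclasses import dataclass

# Capability names as they appear in the post.
AUTHOR, SCHEDULE, MANAGE_RUNS, RUN_REPORTS, HEADLESS_FLOWS = (
    "AUTHOR", "SCHEDULE", "MANAGE_RUNS", "RUN_REPORTS", "HEADLESS_FLOWS")

GUIDE_SET = {AUTHOR, SCHEDULE, MANAGE_RUNS, RUN_REPORTS, HEADLESS_FLOWS}  # integration guide
TESTED_MINIMUM = {HEADLESS_FLOWS, RUN_REPORTS, MANAGE_RUNS}               # what testing showed


class AccessDenied(Exception):
    """Stands in for the BSM-side 'System Error' the post describes."""


@dataclass
class Run:
    run_id: str
    owner: str
    state: str = "new"  # "new" or "handoff"


def load_run(caller: str, caps: set, run: Run) -> Run:
    # Hypothetical common entry point: here the code cannot tell a fresh start
    # from a hand-off resume, so the same capability is demanded of every
    # caller, owner or not. Ownership is deliberately not consulted.
    if MANAGE_RUNS not in caps:
        raise AccessDenied(f"{caller} lacks {MANAGE_RUNS} on run {run.run_id}")
    return run


def start_flow(caller: str, caps: set, run: Run) -> str:
    """New run launched headlessly from BSM (first path into load_run)."""
    if HEADLESS_FLOWS not in caps:
        raise AccessDenied(f"{caller} lacks {HEADLESS_FLOWS}")
    return load_run(caller, caps, run).run_id


def resume_handoff(caller: str, caps: set, run: Run) -> str:
    """Anyone holding the hand-off link resumes it (second path into load_run)."""
    if run.state != "handoff":
        raise ValueError(f"run {run.run_id} is not in hand-off state")
    return load_run(caller, caps, run).run_id


def excess_rights(granted: set) -> set:
    """Capabilities granted beyond the tested minimum: candidates to remove."""
    return set(granted) - TESTED_MINIMUM


def missing_rights(granted: set) -> set:
    """Capabilities an operator still needs before the integration works."""
    return TESTED_MINIMUM - set(granted)
```

Running `excess_rights(GUIDE_SET)` shows AUTHOR and SCHEDULE as the grants the guide asks for beyond what the integration actually exercises; `missing_rights` on a Headless-plus-Run-Reports operator returns only MANAGE_RUNS.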
Direct link to the document here:
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.