JasonCantrell

[OO Tip] BSM integration appears to need excess rights

Issue:

When running Operations Orchestration (OO) version 9.07.0004 Content Pack (CP) 12, there are issues with the security/permissions configuration. The OO Operators need permissions to launch Flows from Business Service Management (BSM). The integration works if an OO administrator user launches the flow from BSM. The Operators need to have similar permissions. The integration does not work with only the headless (HEADLESS_FLOWS) and run reports (RUN_REPORTS) rights.

The integration guide states the following are required:

AUTHOR, SCHEDULE, MANAGE_RUNS, RUN_REPORTS, and HEADLESS_FLOWS.

However, testing reveals that only HEADLESS_FLOWS, RUN_REPORTS and MANAGE_RUNS are required.
Given that the user has rights and can run the flow in OO directly with their ID, and LWSSO is used so the same ID is used, this should not require MANAGE_RUNS.

Launching the flow from BSM without MANAGE_RUNS throws a System Error in BSM. This is an issue from a security and access point of view.

 

Solution:

The MANAGE_RUNS capability is needed.

 

Here is the logic. Both starting runs and resuming hand-off flows go through the same Application Programming Interface (API). There is a common entry point in the code, represented by loading a run. At this point the code is unaware whether the request has come from a new run or a hand-off flow.

 

In the case of a hand-off flow, the idea is that anyone who gets access to the link can load it and run it by clicking on it. However, the person who resumes the flow from the hand-off state needs to have the MANAGE_RUNS capability (otherwise hand-off functionality would not make sense, because only the owner would be allowed to resume a flow from the hand-off state).

 

This is a design trade-off that cannot be changed.

 

Direct link to the document here:

http://support.openview.hp.com/selfsolve/document/KM00752286

HP Support
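
The trade-off described in the post, modeled as an added example (not part of the original post and not Operations Orchestration code). It compares an owner-only check with the capability check at a shared "load run" entry point, and audits groups against the capability set the post's testing found sufficient. Function names, users, run ids and group names are hypothetical; only the capability names come from the post.

```python
# Added illustration: a hypothetical model of the design described above,
# not Operations Orchestration code. Capability names are the page's.
from dataclasses import dataclass

TESTED_MINIMUM = {"HEADLESS_FLOWS", "RUN_REPORTS", "MANAGE_RUNS"}  # per the post's testing

@dataclass(frozen=True)
class Run:
    run_id: str
    owner: str

def owner_only_check(user, caps, run):
    """Alternative the design rejects: only the run's owner may load it."""
    return user == run.owner

def capability_check(user, caps, run):
    """Described design: the entry point cannot tell a new run from a
    hand-off resume, so it requires MANAGE_RUNS from every caller."""
    return "MANAGE_RUNS" in caps

def load_run(user, caps, run, check):
    """Common entry point shared by 'start run' and 'resume hand-off'."""
    if not check(user, caps, run):
        return "System Error"  # what the BSM user sees, per the post
    return f"{user} loaded {run.run_id}"

def audit(groups):
    """Per group: capabilities missing from, and in excess of, the tested minimum."""
    return {name: {"missing": sorted(TESTED_MINIMUM - caps),
                   "excess": sorted(caps - TESTED_MINIMUM)}
            for name, caps in groups.items()}

# Constructed sample data (user names, run ids and group names are made up).
new_run = Run("run-1", owner="operator1")
handed_off = Run("run-2", owner="operator1")
without_mr = {"HEADLESS_FLOWS", "RUN_REPORTS"}

if __name__ == "__main__":
    # Owner-only would let operator1 start a run without MANAGE_RUNS...
    print(load_run("operator1", without_mr, new_run, owner_only_check))
    # ...but would block a colleague from resuming the hand-off link.
    print(load_run("operator2", TESTED_MINIMUM, handed_off, owner_only_check))
    # Capability check: hand-off works, but the owner's own launch now fails.
    print(load_run("operator2", TESTED_MINIMUM, handed_off, capability_check))
    print(load_run("operator1", without_mr, new_run, capability_check))
    print(audit({"bsm_operators": without_mr,
                 "per_guide": TESTED_MINIMUM | {"AUTHOR", "SCHEDULE"}}))
```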