Metastorm BPM Version 9 - evolosoft · • AIX®, AIX 5L™, CICS®, CICSPlex®, DB2®, DB2 Universal Database™, ... Metastorm BPM Version 9.0 • Additional Configuration Steps

Metastorm BPM Version 9.0 Administration Guide December 2009

Metastorm Inc. email: [email protected]

http://www.metastorm.com

Metastorm BPM Version 9.0

Copyright Notice

© 1996–2009 Metastorm Inc. All Rights Reserved.

Trademark Information

• Metastorm®, Metastorm BPM®, Process Pod®, Enterprise Process Advantage®, ProVision®, The Best Process Wins®, Proforma®, Metastorm Knowledge Exchange®, Metastorm DNA®, Metastorm Discovery™, Business to the Power of 3™ and the See.Think.Do image are either registered trademarks or trademarks of Metastorm in the United States and/or other countries.

• Microsoft®, Outlook®, Word®, SQL Server™, Windows®, Vista®, Active Directory®, Visual Basic®, JScript®, SharePoint® and BizTalk® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

• Adobe® is a registered trademark of Adobe Systems, Inc. • AIX®, AIX 5L™, CICS®, CICSPlex®, DB2®, DB2 Universal Database™, HACMP™, Integrated Language

Environment®, i5/OS®, IBM®, ibm.com®, IMS™, IMS/ESA®, iSeries™, Language Environment®, MQSeries®, MVS™, OS/390®, OS/400®, Parallel Sysplex®, pSeries™, RACF®, S/390®, SupportPac™, WebSphere®, z/OS™, zSeries® are either registered trademarks or trademarks of the International Business Machines Corporation in the United States and/or other countries.

• JBoss, Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.

• SuSE® is a registered trademark of SuSE Linux AG. • Sun, Sun Microsystems and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in

the U.S. and other countries. • SPARC® is a registered trademark of SPARC International, Inc. SPARCstation® is licensed exclusively to Sun

Microsystems, Inc. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc. • DataDirect®, DataDirect Connect® for JDBC™, DataDirect Connect® for ODBC are registered trademarks of Progress

Software Corporation or one of its subsidiaries or affiliates in the United States and other countries. • EJB, J2EE, Java, Java runtime environment, JavaScript, JMX, JRE, JSP, JVM and all Java-based trademarks are

trademarks of Sun Microsystems, Inc. in the United States and/or other countries. • Linux is a trademark of Linus Torvalds in the United States and/or other countries. • Intel® and Itanium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States

and other countries. • UNIX is a registered trademark of The Open Group in the United States and other countries. • Eclipse is a trademark of the Eclipse Foundation, in the United States and other countries. • Oracle is a registered trademark of Oracle Corporation and/or its affiliates. • "Apache Tomcat" and "Tomcat" are trademarks of the Apache Software Foundation. • HP, HP-UX and PA-RISC are registered trademarks of the Hewlett-Packard Company. • BusinessObjects™, Crystal Reports® are trademarks or registered trademarks of Business Objects S.A. in the United States

and in other countries. Business Objects is an SAP company. • Other trademarks are the property of their respective owners.

Disclaimer

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However, Metastorm accepts no responsibility, and offers no warranty whether expressed or implied, for the accuracy of this publication. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the express written permission of Metastorm Inc. The information in this document is subject to change without notice.

Metastorm BPM Version 9.0 December 2009 Page ii


Metastorm BPM Version 9.0 Administration Guide Table of Contents

1 Process Engine.................................................................................................................................... 1 1.1 Overview ........................................................................................................................................................ 1 1.2 Engine Operating Environment .................................................................................................................... 1

1.2.1 Starting the Engine ............................................................................................................................. 2 1.2.2 Additional configuration steps for Windows XP ............................................................................. 3 1.2.3 Troubleshooting: Problems Starting the Engine ............................................................................... 3 1.2.4 Troubleshooting: Engine Failure ....................................................................................................... 4

1.3 Database Connections ................................................................................................................................... 4 1.4 Engine Security Settings ................................................................................................................................ 5

1.4.1 Role Checking .................................................................................................................................... 5 1.4.2 Binding Roles to Users or Groups ..................................................................................................... 5

1.5 Event Manager ............................................................................................................................................... 6 1.5.1 Configuring the Event Manager ........................................................................................................ 6 1.5.2 Event Manager Registry Settings ...................................................................................................... 7

1.6 Alert Generator .............................................................................................................................................. 7 1.6.1 Alert Generator Configuration Columns .......................................................................................... 8 1.6.2 Alert Generator Registry Settings...................................................................................................... 8

1.7 Engine Registration ....................................................................................................................................... 9 1.7.1 Reviewing Engine Registration Settings ........................................................................................... 9

1.8 Error Logging ............................................................................................................................................... 11 1.8.1 Operation and Transaction Protocol Logging ................................................................................. 11

1.9 Engines and Time Zones ............................................................................................................................. 12 1.10 Engine and Invalid XML ............................................................................................................................. 12 1.11 Re-registration of the Engine....................................................................................................................... 12

1.11.1 EngineConfig ................................................................................................................................... 13 1.12 Problems with Re-Registration ................................................................................................................... 14

1.12.1 Problems Running regsvr32 ............................................................................................................ 14 1.12.2 Problems Running EngineConfig ................................................................................................... 15

1.13 Engine .NET Interface Clients .................................................................................................................... 15 1.14 Configuring the Engine Service .................................................................................................................. 16

1.14.1 Configuration .................................................................................................................................... 16 1.14.2 .NET CLR Configuration ................................................................................................................ 17 1.14.3 Engine Parameters ............................................................................................................................ 18 1.14.4 HKEY_LOCAL_MACHINE ......................................................................................................... 19 1.14.5 Engine Registry Settings .................................................................................................................. 23 1.14.6 Non Registry Settings ...................................................................................................................... 26

2 Metastorm Designer.......................................................................................................................... 28 2.1 Designer Settings ......................................................................................................................................... 28

3 Metastorm Deployment .................................................................................................................... 29 3.1 Deployment Service .................................................................................................................................... 29

3.1.1 Overview .......................................................................................................................................... 29 3.1.2 Configuration Files ........................................................................................................................... 30 3.1.3 SSO Configuration ........................................................................................................................... 30 3.1.4 Deployment Debugging ................................................................................................................... 31

3.2 Deployment Client ....................................................................................................................................... 31

Metastorm BPM Version 9.0 December 2009 Page iii


3.2.1 Overview .......................................................................................................................................... 31 3.2.2 Configuration Files ........................................................................................................................... 32 3.2.3 Command Line ................................................................................................................................. 35

4 Managing Authentication ................................................................................................................. 37 4.1 Overview ...................................................................................................................................................... 37 4.2 Open Authentication .................................................................................................................................... 37

4.2.1 Server Authentication Provider (SAP) scripts ................................................................................ 37 4.2.2 Process Definition Document (PDD) .............................................................................................. 38 4.2.3 How Open Authentication works .................................................................................................... 38

4.3 Metastorm Web client Authentication ........................................................................................................ 40 4.3.1 Authentication Architecture ............................................................................................................. 40 4.3.2 Username and Password Configuration .......................................................................................... 41 4.3.3 Single Sign On Configuration ......................................................................................................... 42 4.3.4 Public Access Authentication .......................................................................................................... 48 4.3.5 Web Farm Deployment ................................................................................................................... 52

5 Metastorm Administrative Tools .................................................................................................... 54 5.1 Overview ...................................................................................................................................................... 54

5.1.1 Installing the Administrative Tools ................................................................................................. 54 5.1.2 Launching the Administrative Tools ............................................................................................... 54 5.1.3 Recovery Mode Authentication ...................................................................................................... 55

5.2 Users ............................................................................................................................................................. 55 5.2.1 User & Role Concepts ..................................................................................................................... 55 5.2.2 Managing Users ............................................................................................................................... 55 5.2.3 Create users ...................................................................................................................................... 57 5.2.4 Delete Users...................................................................................................................................... 58 5.2.5 Update User ...................................................................................................................................... 58 5.2.6 Create Attributes .............................................................................................................................. 59 5.2.7 Assign Static Roles to Users ............................................................................................................ 60 5.2.8 Find Users ......................................................................................................................................... 61 5.2.9 Create a Reports To Structure .......................................................................................................... 63

5.3 Roles ............................................................................................................................................................. 63 5.3.1 Role-based Work Management ....................................................................................................... 63 5.3.2 Identifying the User & Role Assignments in Your Organization .................................................. 64 5.3.3 Managing Roles ............................................................................................................................... 65 5.3.4 Searching Roles ................................................................................................................................ 65 5.3.5 Checking Roles ................................................................................................................................ 66 5.3.6 Assign Static Roles to Users ............................................................................................................ 67

5.4 Log ................................................................................................................................................................ 67 5.4.1 Managing Error Logs ....................................................................................................................... 67

5.5 Metastorm Repository ................................................................................................................................. 68 5.5.1 Managing Metastorm Repository .................................................................................................... 68 5.5.2 Managing Service Level Settings .................................................................................................... 69 5.5.3 Session Timeout Period ................................................................................................................... 70 5.5.4 Folder Lock Timeout ....................................................................................................................... 71 5.5.5 View Projects and Libraries ............................................................................................................. 72 5.5.6 Deleting a Project ............................................................................................................................. 73 5.5.7 Deleting a Library ............................................................................................................................ 74 5.5.8 Administer Folders ........................................................................................................................... 74 5.5.9 Administer Procedure and Library Elements.................................................................................. 77

5.6 Authentication .............................................................................................................................................. 80 5.6.1 Administering Server Authentication Provider (SAP) Scripts....................................................... 80

5.7 Services ........................................................................................................................................................ 82 5.7.1 Registering Services ......................................................................................................................... 82 5.7.2 Configuring Registered Services ..................................................................................................... 83

5.8 SSO Configuration....................................................................................................................................... 84

Metastorm BPM Version 9.0 December 2009 Page iv


Metastorm BPM Version 9.0 December 2009 Page v

6 Administrative Processes ................................................................................................................ 85 6.1 Browser Settings .......................................................................................................................................... 85


Metastorm BPM Version 9.0 December 2009 Page 1

1 PROCESS ENGINE

1.1 Overview

The Metastorm Process Engine serves the Metastorm web client, it authenticates Metastorm users and processes all Business Process Management (BPM) logic. The Process engine allows access to the Metastorm Database, external databases and allows integration between other systems and services via server-side integration. The Process Engine is implemented as a layered design, the four central layers – ECL Server, Operations Handler, Executable Elements, and Engine Services execute in a single server process, hosted by COM+. The ECL Client component executes within the Web Client ASP.NET application. Communication between ECL client and server components is via .NET Remoting. The ECL Server layer communications with the other Engine layers via WCF – for all folder, forms list, and filter operations – or via COM for all other operations.Alerts list and filter, authentication, and attachment operations are implemented by Transaction Protocol (TP) and executed by eWorkTransaction request handlers. TP responses are parsed into .NET object instances by the ECL Server component for return to the Web client.

1.2 Engine Operating Environment

The Process Engine is implemented with two types of components: • Pure .NET components for full compatibility with the .NET environment.

• Highly optimized native components that allow MBPM be highly scalable and reliable with high performance.

The Process Engine can be seen as a collection of COM in-process components, and .NET types, which work together as an application. These components need to run in an operating system process appropriate for both the application and the Engine components; i.e. the:

• Engine process should run under an account that determines what the Engine can do on the system.

• Security infrastructure should be easily configurable, so the Engine Administrator can control access to the Engine’s services.

The system that provides this infrastructure is COM+. This section describes the operating environment for the Process Engine, and covers:

• How to start the Process Engine.


• Additional Configuration Steps for Windows XP

• Troubleshooting: Problems Starting the Engine

• Troubleshooting: Engine Failure

• How to check and administer the Process Engine registration

• How to Check and administer the Process Engine's security settings

• How to re-register the Process Engine

1.2.1 Starting the Engine The core Engine functionality runs as a COM+ application. The eEngine.exe executable is provided to start the application – the Engine system service executable. Installation sets this up and allows for a manual or automated start. The COM+ application hosts the Engine’s COM+ components and the .NET Common Language Runtime (CLR), as illustrated in the following diagram:

The .exe file that starts the Engine COM+ application must be running under an account with sufficient access rights to communicate with the application. This account does not need administrative rights; the Engine can run under an account with user privileges. This account must have the following access privileges for the Engine registry key and its sub-keys:

• Query Value

• Set Value To grant these privileges:

1. Open the Registry Editor by typing regedt32 in to the Windows Run dialog. 2. Navigate to the registry key HKEY_LOCAL_MACHINE\Software\Metastorm\e-work\Engine. 3. Right click on Engine and select the menu item Permissions…. 4. Add the user account you intend to use to run the Engine. 5. With the user highlighted in the Name list, click the Advanced… button. The Access Control

Settings dialog appears.




6. Select the relevant user, and click on the View/Edit… button. The Permission Entry dialog appears.

7. In the Permissions list, ensure that the Allow checkbox is checked for Query Value and Set Value. 8. Ensure these permissions are set for each sub-key of the Engine registry key.

1.2.2 Additional configuration steps for Windows XP When configuring a web client to connect to an Engine, the identity of the ‘IIS Out-Of-Process Pooled Applications’ or ‘IIS-{Default Web Site//ROOT/escripts}’ COM+ Application must be configured. The identity of the ‘IIS Out-Of-Process Pooled Applications’ or the ‘IIS-{Default Web Site//ROOT/escripts}’ COM+ Application account must be configured as a client of the remote Engine service. If the protection on the web server’s web extensions virtual folder (by default, escripts) is set to:

• High (Isolated), update the ‘IIS-{Default Web Site//ROOT/escripts}’ COM+ Application identity.

• Medium (Pooled), update the ‘IIS Out-Of-Process Pooled Applications’ COM+ Application identity.

Otherwise, trying to connect to a remote engine may produce the following error: Invalid data for a node of type 'CDATA'

1.2.3 Troubleshooting: Problems Starting the Engine COM+ problems starting the Engine are reported in the event log. For full problem reporting, we suggest you set full auditing of failures. To set full failure auditing:

1. Start the Local Security Policy snap-in by selecting the Windows Start | Control Panel | Administrative Tools | Local Security Policy.

2. Navigate to Local Policies | Audit Policy in the Tree, as shown below: 3. Set failure auditing for each of the items in the details pane, by:

• Double-clicking the item in the details pane

• Checking the checkboxes in the Local Security Policy Setting dialog.

Some common problems starting the Engine are discussed in the following sections. They are:

• Inability to start Engine.

• ‘Access is denied’ error when attempting to connect. Inability to start Engine This can occur because the Engine application’s identity is ‘Interactive User’ and an attempt is made to start the Engine (for example, automatically as a service) when nobody is logged on to the machine. To resolve this, change the identity to something other than ‘Interactive User’. Access is denied’ error when attempting to connect When attempting to connect, an ‘Access is denied’ error may occur in the application or system event log. This occurs when an account, without the necessary role, requests communication with the Engine (usually a client without the Client role attempting to connect to the Engine). This is resolved by ensuring the account either:


• Has the required role

• Becomes a member of a Windows user group that holds the role. For the web client, if a web server is connecting to:

• An Engine via ECL/TCP, the connecting account will be the launching account as specified in the COM+ identity for the escripts virtual folder.

• An Engine via ECL/IIS. The connection account will be the account that the ECL Server web application is running under. Further security permissions will be required for the Web Client to connect to the ECL Server application.

Note: When role-based security is enabled on the Engine, the escripts virtual folder should be configured to Medium or High isolation so that a launching account is available through the respective COM+ package. Note: Changed COM+ settings do not take effect until the Engine application is restarted.

A related problem can occur when the Engine attempts to communicate with another application via COM, for example:

• During a Microsoft Word mail merge

• Creating a COM object using server-side scripting.

Again, if the Engine’s account does not have sufficient rights to communicate with the required COM server, access is denied. This is resolved by accessing the dcomcnfg utility (part of Windows) and changing either the:

• Application security settings.

• Default security settings.

1.2.4 Troubleshooting: Engine Failure

If the Engine fails during operation, a message will be written to the event log. You may see the following log message after an Engine failure: Unhandled exception thrown from a .NET Script or Workflow: <caught exception message from failed script>, this has caused the Metastorm Engine to stop. Please restart the Engine. This can occur when a migrated JScript.NET script spawns one or more additional threads, and one of these threads throws an exception that it fails to handle. Scripts created in version 9 processes are protected to prevent errors of this type terminating the Engine process, however good exception handling practice in scripts is strongly recommended.

1.3 Database Connections The following database connections are used by the Engine:

• A single database connection for each Client request. The lifetime of the connection is the lifetime of the request.

• A single database connection for each Event Manager request. The lifetime of the connection is the lifetime of the request.

• Two database connections, used by the Alert Generator. These connections are held continuously by the Alert Generator.




• Two database connections, used by the Event Manager. However, these are created only on demand (unlike the Alert Generator’s connections). Additional database connections may be generated by external database MBO operations or from a script, where the author has decided to do their own database handling. Note: If tracking the numbers of database connections held, note that COM+ and ADO.NET database pooling means that the numbers of connections held over time is 'smoothed out'. The Engine supports Unicode character formats but it is able to support non-Unicode formats when

using external databases.

1.4 Engine Security Settings This section enables you to review the security settings Note: Refer to the previous section for instructions on how to access the Security tab. COM+ uses roles, which:

• Define access based on job items.

• Are bound to Windows users or groups. Role-based access permissions can be defined for each Engine component. The 4 automatically defined COM+ roles are:

• Administrator, which has full access to all Engine services. This role should be highly restricted, as it can start and stop the Engine.

• Client, which has access to the transaction protocol, used to fulfill most requests. Typically, this role is held by any user account or group, which needs to communicate with the Process Engine to do work. Such user accounts could include:

• The web server’s anonymous user account.

• IIS hosted ECL application identity account.

• Any accounts used to run client software.

• Flag Raiser, which has the ability to raise a flag externally.

• MQ Notifier, required for using Metastorm BPM with message queuing systems.

1.4.1 Role Checking Role checking is performed only if the Engine application is configured for authorization checking. To ensure role checking is performed:

1. Start the ‘Component Services’ application. 2. Navigate to the ‘Process Engine’ application. 3. Select the Action menu | Properties. 4. Select the Security tab. 5. Ensure the Enforce access checks for this application checkbox is checked. 6. Ensure the Security Level is set to Perform access checks at the process and component level.

1.4.2 Binding Roles to Users or Groups Binding a user group, rather than specific user accounts, to a role can provide more flexibility.


For example, when a new user joins a team that uses the Client role, if the new user account is bound to the Client role, the new user can access the Engine only after it has been restarted. In this case, it may be better to set up a Windows user group called ‘Metastorm Clients’ and bind this to the Client role. Now, when the new user joins, the user account is simply made part of the ‘Clients’ group. To see the users and groups bound to a COM+ role:

1. Access the Component Services main window. 2. Navigate to the Roles folder. 3. Open the relevant role’s folder, then its Users folder.

To add more users or groups to a role: 1. Access the Users folder for the role, as described above. 2. Select the Action menu, the New submenu, then the User menu option. The Select Users or

Groups dialog is displayed. 3. Add users and groups as required, by selecting them then clicking on the Add button.

1.5 Event Manager

The Event Manager is an asynchronous component in the Metastorm engine which processes system events, invoking system actions (flagged actions, conditional actions and timed actions) as required. System actions are operations which are scheduled by the engine and are stored in the eWait table. The Event Manager can be configured to run with multiple threads which is particularly useful on systems where system actions may take considerable time to complete (such as actions that use scripting to communicate with external applications).

1.5.1 Configuring the Event Manager The Event Manager is started during the engine’s startup sequence. The Event Manager creates the number of threads defined in the registry setting HKEY_LOCAL_MACHINE\SOFTWARE\ Metastorm\e-work\Engine\Event manager\Thread count. The Event Manager can be configured via the registry settings to allow the following modes of operation:

• On Demand. This is the default configuration. Notifications to perform system action processing occur when the system deems it necessary. Specifically, if an engine is configured to handle events on demand, then it relies upon receiving submit requests from clients to activate timer/conditional processing; or else flags being raised against this engine to do flag processing.

• Polling. This mode tells the engine to check every n seconds to see if there are system actions which need processing. This may be useful on an engine dedicated to back-end processing, which may not perform as many actions as a client-facing engine.

• Disabled. The Event Manager component is not started on this engine. This configuration allows an engine to be dedicated to handling client requests.

Note: For an engine with the Event Manager set to Disabled, it is still possible for flags to be raised (queued) and for system actions to be registered. However, there is no Event Manger running on this engine to process them.

On start-up, the engine’s name and Event Manager configuration are written to the eEngineName and eEventManagerConfig columns of the eActiveEngine table. Having these settings mirrored in the eActiveEngine table allow an administrator to check the configuration of an entire Metastorm BPM system through a single database query.




When the engine is told to shutdown, the Event manager is notified. All threads are shut down before the engine exits.

1.5.2 Event Manager Registry Settings

The following registry settings can be configured on each engine: Poll Interval (secs) Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager Name: Poll Interval (secs) Type: DWORD Value: By default, set to 0. If the value is set to a non-zero value, engine will pro-actively look for any events (timers, conditionals, flags) which need processing every n seconds. Thread count Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager Name: Thread count Type: DWORD Value: This can be set values between 1 and 64. Used to specify the number of threads dedicated to the event manager. Batch size threshold for thread Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager Name: Batch size threshold for thread Type: DWORD Value: This key controls the number of requests handled by an individual thread. The Event Manager uses the value to determine how many threads should be used to handle a batch of requests. For example, if the batch size is set to 5 and there are 22 requests then 5 threads will be used. If the batch size is set to 10 and there are 22 requests then 3 threads will be used. (The forgoing assumes that the event manager’s thread count is set to a value of 3 or more). Note: If the Event manager is using a single thread, this key is set to 0. Disabled Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Event manager Name: Disabled Type: DWORD Value: By default, set to 0. Setting this to non-zero value indicates that this particular engine does not perform system action processing (timed actions, conditional actions, flagged actions). However it will still add events to the eWait and eRaisedFlag tables in the usual way.

1.6 Alert Generator

The Alert Generator maintains visibility of ToDo and Watch Lists for each user as folders are moved from stage to stage. When an action is performed, an alert request is made which is added to the eAlertRequest table. The alert requests are processed asynchronously in the order that they have been submitted.

The Alert Generator is started during the engine’s startup sequence. The number of threads to be used for processing requests is defined in the registry setting KEY_LOCAL_MACHINE\ SOFTWARE\Metastorm\e-work\Engine\Alert Generator\Thread count

On start-up, the engine’s name and Alert Generator configuration are written to the eEngineName and eAlertGeneratorConfig columns of the eActiveEngine table.


The Alert Generator can be configured via registry settings to allow the following modes of operation:

• On Demand. This is the default configuration. The operating system event which causes alert processing to occur is signaled when an alert request is added to the queue (the eAlertRequest table). This happens when an action is performed by this engine (usually moving a folder from one stage to another) which requires the alerts for a particular folder to be re-evaluated.

• Polling. This tells the system to prod the Alert Generator every n seconds to see if any alert requests need processing. This may be useful on a system dedicated to back-end processing, which may not perform as many actions as a client-facing engine.

• Disabled. The Alert Generator component is not started on this engine, and the Alert Generator is not invoked. As a consequence no alert processing is ever done by this engine. This may be useful for a client-facing engine, dedicated to handling client requests. Note: An engine with a disabled Alert Generator will still queue alerts. However, there is no Alert Generator running on this engine and therefore the alerts will not be processed on it.

• N/A. The system is not configured to do alert generation. None of the Alert Generator components on any of the engines in this system are started, and therefore no alert processing is performed on this system.

1.6.1 Alert Generator Configuration Columns The Alert Generator can be configured to change the way the engine works on the whole system by configuring the following columns in the eServer table:

• eDoAlertGeneration

• Data type: Numeric.

• Default value: -1

• Non-zero value. The Metastorm BPM system supports alert generation.

• 0 Alert generation is not supported and alert requests are not queued.

• eDeleteDeletionAlerts

• Data type: Numeric.

• Default value: -1

• 0 Deletion alerts are marked in the eAlert table with the eAlertType column containing ~ (tilde).

• Non-zero value. Deletion Alerts are deleted from eAlert table. Note: By Default we are not creating deletion alerts; this is a change from v7.6 to v9.0 and it is intended to reduce the size of the eAlert table. Deletion Alerts are only used by caching clients, they are not required therefore by the web client. Administrators will need to alter the eDeleteDeletionAlerts default column value to 0 before the engine will automatically record the DeletionAlert in the eAlert table.

1.6.2 Alert Generator Registry Settings The following registry settings can be configured on each engine: Poll Interval (secs) Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert Generator Name: Poll Interval (secs)




Type: DWORD Value: By default, set to 0. If the value is set to a non-zero value, the engine will pro-actively look for alert requests to handle every n seconds.

Thread count Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert Generator Name: Thread count Type: DWORD Value: This can be set values between 1 and 64. Used to specify the number threads dedicated to the event manager.

Batch size threshold for thread Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert Generator Name: Batch size threshold for thread Type: DWORD Value: This key controls the number of requests handled by an individual thread. The Alert Generator uses the value to determine how many threads should be used to handle a batch alert request. For example, if the batch size is set to 5 and there are 22 alert requests then 5 threads will be used. If the batch size is set to 10 and there are 22 alert requests then 3 threads will be used. (The forgoing assumes that the event manager’s thread count is set to a value of 3 or more). Note: If the Alert Generator is using a single thread, this key is set to 0.

Disabled Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\ e-work\Engine\Alert Generator Name: Disabled Type: DWORD Value: By default, set to 0. Setting this to non-zero value indicates that this particular engine does not perform alert processing (process alert requests in the eAlert table). However it will still add alert requests to the eAlertRequest table in the usual way.

1.7 Engine Registration

This section enables you to review the settings applied when registering the Engine COM+ application is registered. These settings can be reviewed and updated using the Windows administrative tools Component Services.

1.7.1 Reviewing Engine Registration Settings To review the results of Engine registration, in the System Administrator:

1. Start the ‘Component Services’ application. 2. Navigate to the ‘Metastorm Process Engine’ application.

The ‘Metastorm Process Engine’ application has three components which, between them, expose the:

• Main functionality of the application.

• Four COM+ roles available for the application.


You can now examine the:

• Application properties.

• Component roles.

• COM+ concurrency.

Application Properties

To examine the application properties:

1. Select the ‘Engine’ application. 2. Select the Action menu | Properties. 3. Select the Identity tab: 4. Ensure a specific user is named, as system services often run without user intervention (for example,

starting when a machine is booted). Note: Ensure that the account under which the Engine is configured to run has full rights to:

• The following registry key (and all its sub-keys and values): HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-Work\Engine

• The Engine installation folder and sub-folders. 5. Select the Security tab. 6. Ensure the Enforce access checks for this application checkbox is checked. This indicates whether

Windows should perform security checks for gaining access to the Engine application’s components. This checkbox is checked by default.

Note: For further information on security- related issues, refer to the sub-section on Security below.

7. Select the Activation tab. 8. Ensure that the root folder of the Engine installation (typically c:\Program

Files\Metastorm\BPM\Engine) is set in the Application Root Directory property. 9. Select the Advanced tab. 10. Ensure the Minutes until idle shutdown radio button is selected. 11. Ensure the number of minutes is ‘0’, since the Engine service, rather than COM+, manages the lifetime

of the Engine itself.

Component Roles

The Process Engine application has three components registered in the COM+ application. Each component has one or more COM+ roles defined. The following table lists the components, their purpose, and the roles to which access may be restricted:

Component Main purpose Calling account requires atleast one of these roles

e-Work.EngineManager.1 Controls lifetime of Engine Administrator

e-Work.EventManager.1 Handles flag and timer Administrator




Component Main purpose Calling account requires atleast one of these roles

requests.

Metastorm.EngineEclEndpoint Deals with ECL client requests ClientComponents ListComponents List

If the Engine (COM+) application is:

• Configured for authorization checking, only accounts holding a relevant role can access its components.

• Not configured for authorization checking, no restrictions apply as to which components can be accessed by which roles.

COM+ Concurrency

When the Engine is installed, it is very important to ensure that each of the Engine components has Concurrency set so that Synchronization Support is required. Without this, there is the possibility of producing an internal deadlock in the Engine. To verify the Engine components’ Concurrency settings:

1. Drill-down to the Process Engine application’s components. 2. Select the required component. 3. Select the Action menu | Properties. 4. Select the Concurrency tab. 5. In the Synchronization Support field, ensure the Required radio button is selected. 6. Click on the OK button.

1.8 Error Logging

When the engine experiences a problem it writes errors to the eLog table in the Metastorm Database.

• All exceptions raised by executable elements are logged in the eLog table.

• When an exception is logged, all appropriate fields in the eLog table is populated. (For example, when exceptions are not related to a particular folder, the folder ID does not need recording.)

• The engine exposes a public method (exposed as an activity in the Designer) for allowing a user-defined process to write to the error log.

1.8.1 Operation and Transaction Protocol Logging It is possible to write out a pair of XML documents for every client operation – the request and response – for diagnostic purposes. For managed operations – in the version 9 Engine these are action, folder and forms lists and filters – add the following line to the Engine application.config file, under the appSettings element.

<add key="OperationLogLocation" value="z:\build\logs"/>


1.9 Engines and Time Zones The way the Metastorm Process Engine handles Time Zone adjustments has changed from version 7.x. In version 9.0 Time Zone adjustments is done by the Engine and is calculated as the difference between the browser client and the Database management System (DBMS) server time. This means that if the browser machine is in a timezone +2 hours ahead of the DBMS machine and is also 10 minutes fast then, then the extra 10 minutes will also be reflected in the time displayed to the client. For this reason we recommend the time of a service is not changed while users are offline. Although not essential, we also recommend that all Engine servers in a service are time-synchronized with the database server in case user-defined server side scripts make use of .NET date/time or calendar types.

It is essential that Daylight Saving Time is disabled for the DBMS server. However if a service needs to support only users in a single time zone, or many time zones for which Daylight Saving Time is always applied on the same date (such as in the European Union), Daylight Saving Time can still be applied on the Engines in that service.

1.10 Engine and Invalid XML

The Engine operates on data that invokes Unicode format. The Engine cannot handle invalid characters contained in XML scripts. The following Unicode character values create invalid XML characters:

• 1-8

• 11-12

• 14-31

Although it is difficult for users to type these non-printable characters, they could be pasted into a field. In the event that the Engine is presented with one of these characters, one of the following Engine errors may be reported in the Event Log:

• Invalid non-printable character found in an XML fragment. It is strongly recommended that a suitable alternative is used, otherwise, the performance will be impacted.

• Failed to load server data.

• Failed to load decoded server data delta into a DOM.

• Unable to load XML into DOM. Error(-1072896760) : An invalid character was found in text content.

1.11 Re-registration of the Engine

You may need to reconfigure the Engine’s COM+ setup, if: • The installation displayed a COM+ error during Engine installation.

• You wish to return to the default Engine COM+ settings.

The following files are provided, in the Process Engine folder (folder pathway by default, \Program Files\Metastorm BPM\Engine), to help with Engine reconfiguration:

• The EngineConfig utility (EngineConfig.exe)

• The Metastorm Engine.PAK file, called by EngineConfig.exe.




Note: For User Account Control (UAC) enabled systems it is recommended to run the EngineConfig from an elevated privilege command prompt.

1.11.1 EngineConfig EngineConfig sets up the Engine to run as a COM+ application. For example, you can use EngineConfig to specify:

• A COM+ application file to describe how the Engine components should be organized in the application. This may be useful for troubleshooting.

• Engine identity and password.

This subsection describes EngineConfig’s command-line arguments. /Package:<package file | application file>

Specifies the application COM+ package to install. This is normally a file with .PAK/MSI extension. (The Metastorm Install comes with a .PAK file, however it is possible for customers to create their own MSI file to facilitate deployment across a large number of machines) When specifying the application / package, you must:

• Specify the full path.

• If the path contains spaces, surround the entire argument in double-quotes, for example: "/Package:C:\Program Files\Metastorm\BPM\Engine\Metastorm Engine.PAK"

If you omit the file extension, EngineConfig assumes it is MSI.

If the Process Engine is installed via the Metastorm BPM setup program, avoid using Metastorm Engine.MSI either in this parameter or directly. Microsoft Windows Installer registers this MSI as part of the main Metastorm BPM installation and does not permit operations with it by other programs.

If the Engine package already exists, it is removed before the specified package is installed.

/InstallPath:<installation path>

Specifies where COM+ should place component files. We recommend using the Engine directory, for example:

"/InstallPath:C:\Program Files\Metastorm\BPM\Engine"

This argument is optional. If it is omitted, component files are placed in the system default location.

/Identity:<account>

Specifies the account under which the Engine should run. In addition, it:

• Adds the user for this account to all available (COM+) roles for the Engine.

• Sets Authorization checking, so access to the Engine’s components is restricted by role. Note: For further information on security, refer to the previous section.


An example of this argument’s use is:

/Identity:MYDOMAIN\ppascal

This argument is optional. If it is omitted:

• The Interactive User account is assumed.

• Users are not added to Engine roles.

• Authorization checking is left unset.

/Password:<password>

Specifies the password for the account specified with the /Identity argument , for example:

/Password:secret

This argument is optional. If it is omitted, the password is empty. Alternatively, you can use the /PromptForUserDetails argument.

/BindUserToRole:<rolename:<account | group>>

Specifies an additional user account or group that can hold a COM+ Engine role. For example, you may want the web server's anonymous account to communicate with the Engine. In this case, you would use the argument as follows:

/BindUserToRole:Client:CORPORATE\IUSR_CORPSERVER

”/BindUserToRole:Flag Raiser:Metastorm Flag Raisers”

This argument is optional.

/PromptForUserDetails

Specifies that, when EngineConfig runs, it displays a dialog for you to enter the identity (account) and password for the Engine application to use. If the /Identity: argument is also used, its contents are the default value in the dialog. This argument is optional.

/?

Displays a message box summarizing EngineConfig’s command-line arguments. This argument is optional.

1.12 Problems with Re-Registration

Problems with re-registering the Engine could arise from:

• regsvr32, responsible for informing the system about the Engine’s individual COM components.

• Using the EngineConfig tool.

1.12.1 Problems Running regsvr32




LoadLibrary (<dll name>) failed. GetLastError returns 0x0000007e regsvr32 cannot locate the specified dll, or another dll on which it depends. This implies an incomplete installation, the best option is usually to uninstall and then reinstall the Engine. LoadLibrary(<dll name>) failed. GetLastError returns 0x0000045a A dll initialization routine failed for the specified dll, or another dll on which it depends. This implies an incomplete installation, the best option is to uninstall and then reinstall the Engine.

1.12.2 Problems Running EngineConfig

Failed to install Package – An error occurred reading the package file (0x80110408) This can occur because the:

• Specified application or package file (usually .MSI or .PAK) cannot be found.

• Command-line does not include the full path to the package file.

• Path to the package file includes spaces but is not enclosed in quotes.

Note: For further information, refer to the previous section. Failed to install Package – Package file path is invalid (0x8011040a) This usually occurs because the path specified for the /InstallPath: argument is wrong. Note: For further information, refer to the previous section. Problem while trying to save changes to packages collection – Package identity user ID and/or password are not valid (0x80110414) This can occur because the:

• Account specified does not exist.

• Password specified is not correct for the account. You may need to review the /Identity: and/or /Password: command-line options. Problem while trying to save changes to role’s user collection – User ID for user in role is not valid (0x8011040f) This can occur because the account or group specified in the /BindUserToRole: argument is invalid.

1.13 Engine .NET Interface Clients There are three configuration options for a .NET client:

• Remote High Performance – The .NET Interface server side component is hosted directly in the Engine process. Firewall restrictions may render this option unusable. This option should only be used for low volumes of user requests as it won’t scale well to heavy user load. In addition it isn’t possible to enforce security for .NET Remoting connections hosted in this way. Note: Under heavy load it will be low performance compared to IIS hosting.

• Remote Open – The .NET Interface server side component is hosted by IIS and consequently the only supported protocol is HTTP. Messages are binary formatted (which provides the most efficient data encoding. The Remote Open configuration may be a better option when large numbers of concurrent users are expected because IIS is optimized for scalability and provides integration with Windows security.


Note: This is the preferred connection method.

The following service list configuration file extracts show the two .NET Interface connection methods: Remote High Performance <Service Name="example" Description="Engine via .NET TCP/binary"> <Engine Name="Engine1"> <Transport Type="Remoting"> <Server>tcp://[ComputerName]:4001/ECL</Server> </Transport> </Engine> </Service> Remote Open <Service Name="example" Description="Engine via .NET HTTP/IIS"> <Engine Name="Engine1"> <Transport Type="Remoting"> <Server>http://[ComputerName]/[ECLVirtualFolder]/ ECL.rem</Server> </Transport> </Engine> </Service> Where [ComputerName] is the name of the machine on which the Process Engine is running. [ECLVirtualFolder] is the IIS virtual folder name for Process Engine .NET clients (‘BPMEngine.NET’ by default).

1.14 Configuring the Engine Service

1.14.1 Configuration

This section describes how to run the Process Engine service and covers troubleshooting the Process Engine service. In order for the Engine Service to start up successfully, the account under which the Engine service is configured must be specified in the Administrator role for the Process Engine COM+ application.

Troubleshooting

This section provides solutions to common errors when attempting to start the Process Engine as a system service, and covers:

• 1069: The service did not start due to a logon failure.

• 2186: The service is not responding to the control function.

Error 1069: The service did not start due to a logon failure

This can occur because the:

• Specified account does not exist.

• Password specified for the account is incorrect or has changed.




• Account specified does not have the “Log on as a service” right. This is automatically granted when setting up the account using the Services application.

Error 2186: The service is not responding to the control function

This occurs because of an invalid service installation. We recommend you uninstall, then re-install the Process Engine.

1.14.2 .NET CLR Configuration The configuration file application.config, which is installed in the Engine directory, holds information about how the .NET CLR hosted by the Engine should operate. For the most part administrators should not need to alter this file. However, there are a number of settings that it may be found necessary to adjust; these settings are described in this section. The settings of interest are shown in the following sample application.config file:

<?xml version="1.0" encoding="utf-8" ?> <configuration> . . . . <appSettings> <add key="ThreadPool_MinWorkerThreads" value="50"/> <add key="ThreadPool_MaxWorkerThreads" value="1000"/> </appSettings> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <probing privatePath=".\dotnetbin"/> </assemblyBinding> </runtime> </configuration>

Element Description

<probing privatePath=”.\dotnetbin;.\dotnetlib”/>

This is a standard .NET CLR configuration setting, used to specify subdirectories of the Engine’s directory that might contain assemblies. Subdirectory names are delimited by semicolons. This is where you would deploy (via the Deployment Service) assemblies using in server side scripts and promoted expressions.

<add key=”Threadpool_MinWorkerThreads” value=”50”/>

This setting is used to specify the minimum number of worker threads to be set up in the .NET CLR thread pool. This thread pool is used when running Jscript.Net scripts or executing Microsoft workflows.

On installation, this value is set to25 x (number of CPUs on machine) x (number of cores per CPU). The value shown in the example is illustrative only.

The higher the setting for this value, the higher the resource cost to the Engine process.



Element Description

Once started, the Engine reports the value it is using in its startup message in the event log.

<add key=”Threadpool_MaxWorkerThreads” value=”1000”/>

This setting is used to specify the minimum number of worker threads to be set up in the .NET CLR thread pool. This thread pool is used when running Jscript.Net scripts or executing Microsoft workflows.

The higher the setting for this value, the higher the potential resource cost to the Engine process.

Once started, the Engine reports the value it is using in its startup message in the event log.

<add key="ExternalAssemblyReferencesPath" value=""/>

The value here is intended to be a shared network location. The Deployment Service configuration will also have a reference to this same location and will be able to copy assemblies there during deployment.

Note: If you change any of the settings in application.config, you must restart the Engine for these changes to take effect. Anything referenced by a process, but not built into the process assembly (in other words, any third party assemblies) must be locatable at runtime so it can be loaded by the Engine. The order in which the .NET CLR searches for assemblies is:

1. The current folder of the calling process (in this case, the Engine root folder) 2. GAC 3. Folders in the System Path 4. Folders in the application.config probing path. 5. the Engine then searches for the assembly in the eAssembly table (only process assemblies will be

found here, added at deployment time) 6. Folders in the shared network location in the application.config External Assembly References

path

1.14.3 Engine Parameters The registry parameters which can be changed are under:

• HKEY_LOCAL_MACHINE

These settings can be modified, using the Registry Editor. To ensure new settings take effect, we advise that you restart the machine after making changes.

Note: Values in [square brackets] are variables.



1.14.4 HKEY_LOCAL_MACHINE

• Database

• SQL DBC

• Oracle DBC

• Engine Mail Connectors

• Engine Name

• Engine Browser Protocol

• WCF

Database

Database parameters define how the process engine connects to the Metastorm database. Two types of connection are required:

• ODBC, which uses a DSN that has already been set up using the ODBC Data Source Administrator.

• OLE DB connection string.

Note: You can change the database using the System Administrator (right-click on Metastorm Engines, select Register and enter the name of the Computer on which the engine is running). Then, right-click on the machine name and select Database.

Note that the database user ID and passwords are stored in the registry keys under: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine

We strongly recommend that you secure access to this registry key, as it stores sensitive information about database connectivity. However, the Process Engine requires access to these keys. So, when setting security permissions to these keys, please ensure the users or groups with which the Process Engine's service and COM+ application are configured have permission to access the keys.

Key Name Values \SOFTWARE\Metastorm\e-work \Engine\Database Connectors

Current • SOracle DBCQL

• Server DBC

SQL Server DBC

Key Name Values

\SOFTWARE\Metastorm\e-work\Engine\Database Connectors\SQL Server DBC

Connection Provider=SQLOLEDB;

Data Source=[DBServerName];

Initial Catalog=[DBName];

User ID=[DBUserName];

Password=[DBUserPassword];

If DB Authentication is set to NT Authentication, Provider=SQLOLEDB;



Key Name Values

Data Source=[DBServerName];


UserID=[DBUserName];


Trusted_Connection=Yes;

DotNetConnection Data Source=[DBServerName];




Connection Timeout=[DBConnectionTimeoutInSeconds];

If DB Authentication is set to NT Authentication,

Source=[DBServerName];


User ID=;

Password=;



DotNetProvider Data Source=[DBServerName];





If DB Authentication is set to NT Authentication,

Source=[DBServerName];


User ID=;

Password=;



\SOFTWARE\Metastorm\e-work\Engine\Database

Connection ODBC;

DSN=Metastorm;

UID=[DBUserName];

PWD=[DBUserPassword];



Oracle DBC

Key Name Values

\SOFTWARE\Metastorm\e-work\Engine\Database Connectors\Oracle DBC

Connection Provider=OraOLEDB.Oracle.1;

Data Source=[DBOracleServiceName];

User Id=[DBUserName];


FetchSize=100;

CacheType=Memory;

PLSQLRSet=1

DotNetConnection Data Source=[DBOracleServiceName];

User Id=[DBUserName];


FetchSize=100;

Cache Type=Memory;

PLSQLRSet=1;


DotNetProvider Oracle.DataAccess

\SOFTWARE\Metastorm\e-work\Engine\Database

Connection ODBC;

DSN=[DBOracleODBC_DSN];

UID=[DBUserName];

PWD=[DBUserPassword];

Note: For details of the QueryTimeout and Force Case-insensitive Authentication parameters, refer to the ‘Engine Registry Settings’ section.

Engine Mail Connectors

Mail Connector registry parameters are used to set up the Process Engine to work with email.

Key Name Values

\SOFTWARE\Metastorm\e-work\Engine\MailConnector

Connector For SMTP:

ProgID=ework.

MailConnector.[MailConnectorType (SMTP)] ;



Key Name Values

DefaultAddress=[E-mailAddress];

LocaleID=[LocaleID, e.g., 1251];

BodyFormat=[BodyFormat (Text or HTML)] ;

EncodingFormat=[EncodingFormat (TEXT or MIME)] ;

AttachmentEncoding=[AttachmentEncoding (UUencoded or MIME)]

The Engine examines this string for the first ProgID tag. It attempts to create an instance of this connector. If it is successful, this connector is used for all %EMail calls.

If, during the initialization of the Engine, it is unable to find a Connector string, an appropriate entry is added to the event log. Until this issue is resolved, the Engine is unable to send emails and all %SendMail calls are ignored.

%Email defines the Unicode format to be used for all email content. Setting Locale id =1252 represents the western European character set. For other character sets refer to Unicode definitions, e.g. 1251 is used for eastern European languages and 65001 (UTF-8) is suitable for the Russian and Kanji character sets.

Engine Name

To avoid clashes in a multi-engine environment, every Engine must have a unique name.

Key Name Values

\SOFTWARE\Metastorm\e-work\Engine Name [Name (Domain$MachineName)]

Engine Browser Protocol

This setting allows the Engine to construct links to folders when sending alerts via email.

Key Name Values

\SOFTWARE\Metastorm\e-work\Engine

Browserprotocol

http://[WebServerName]/[IISVirtualScriptsFolder]/eweb.dll/

Note: For further details, refer to the Installation Guide.

WCF



This allows an administrator to restrain client connections and so the load placed on the engine’s services.

Key Name Values

\SOFTWARE\Metastorm\e-work\Engine

Max Concurrent Calls default value is 32. Max Concurrent Calls setting is set to 64

Max Concurrent Instances 2147483647

MaxReceivedMessageSize 104857600

OperationTimeout (secs) 60

1.14.5 Engine Registry Settings

Script Timeout

In order to prevent database locking, server-side scripts time out after a definable period, which is set to 120 seconds by default. This period is specified in the following registry key:

Key: HKLM\SOFTWARE\Metastorm\e-work\Engine Name: ScriptTimeout (secs) Type: DWORD If the value is set to 0, no timeout is set. Note: If the script times out a user will see the default error message "An error has occurred. Please report the problem to your administrator. " in the Browser. In addition, the Designer log will have procedure error which states that the script has timed out. This problem can be solved by increasing the script timeout.

JScript Query Timeout

The number of seconds the Metastorm Process Engine waits for a JScript.NET method to be invoked can be configured by changing the following registry setting: Key: HKLM\SOFTWARE\Metastorm\e-work\Engine Name: JscriptQueryTimeout(secs) Type: DWORD If the value is set to 0, no timeout is set.

Activate CallerID

Key: HKLM\SOFTWARE\Metastorm\e-work\Engine Name: ActivateCallerID (0 or 1) Type: DWORD This determines whether the engine uses the identity of the DCOM caller to check the validity of session IDs. If this is set to:


• 0, the engine does not use the DCOM caller ID as part of a session validation. This enables more than one caller to use the same session ID.

• 1, a session ID is rejected if it is used by a DCOM client that did not originally create the session.

A side effect of setting ActivateCallerID to 1 is that Web Forms no longer work. Note: Changing the ActivateCallerID setting, then restarting the engine, invalidates any sessions already in the session table. The default value is 0.

Query Timeout

Key: HKLM\SOFTWARE\Metastorm\e-work\Engine\Database Name: QueryTimeout (secs) Type: DWORD The amount of time the database spends on a query before rejecting it. Note: Note that not all OLEDB drivers support QueryTimeout.

Login Timeout

Key: HKLM\SOFTWARE\Metastorm\e-work\Engine\Database Name: LoginTimeout (secs) Type: DWORD The amount of time the Engine waits for a database connection to be established. Note: Note that not all OLEDB drivers support LoginTimeout.

Force Case-insensitive Authentication

Key: HKLM\SOFTWARE\Metastorm\e-work\Engine\Database Name: Force Case-insensitive Authentication Type: DWORD Enables a case-sensitive database to allow case insensitive logins. If this is set to:

• 0 (default), the Engine does not perform case-insensitive authentication. • 1, the Engine performs case-insensitive authentication.

Force Case Sensitive Role Evaluation

Key: HKLM\Software\Metastorm\e-work\Engine\ Name: Force Case sensitive role evaluation Type: DWORD If this is set to:

• 0 (default), the Engine does not perform case-sensitive role evaluations.

• 1, the Engine performs case-sensitive role evaluations.




The value defaults to 0.

Disable Static Role Resolution

Key: HKLM\Software\Metastorm\e-work\Engine\ Name: DisableStaticRoleResolution Type: DWORD If this is set to:

• 0 (default), static roles are assumed in the eAssignment table.

• 1, static roles are not assumed in the eAssignment table, and all roles have to evaluate to a list of user names.

Max Simultaneous Async Jobs

Asynchronous tasks can be run simultaneously. This setting specifies the maximum number of tasks that can be run simultaneously. The default is 5. The maximum is 64. Note: This only controls legacy evaluation operations from the Metastorm Script Language, invoked by the Evaluate activity. Note: It is important to be aware of the memory footprint required to run an asynchronous script. If multiple instances of an asynchronous script are run in parallel, the amount of memory required will be the footprint multiplied by the number of instances. The memory footprint of a script could be quite large if other components are created and used by the script. Key: HKLM\Software\Metastorm\e-work\Engine\ Name: Max Simultaneous Async Jobs Type: DWORD

Install Info

This registry key contains a record of information specified by the user and the installation, when Metastorm BPM is installed.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\InstallInfo Name: InstallInfo Type: DWORD

After the installation, if you change any of the parameters which have been recorded under the InstallInfo registry key, you should amend the relevant values under the key. Subsequent Metastorm BPM upgrades or hotfixes expect the current Metastorm BPM settings to be recorded under this key.

JScript Precompile Level

As a JScript .NET script can take a long time to compile, this registry key enables you to avoid performance issues by setting up the Engine to compile all currently available scripts on start-up.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine\JScriptPrecompileLevel Name: JScriptPrecompileLevel Type: DWORD


Set the value to: • 0, for no compilation on start-up • 1, to compile map assemblies on start-up • 2, to compile procedure assemblies on start-up • 4, to compile map and procedure assemblies on start-up.

You can combine values (by adding them together) to set the registry setting to more than one of the above. For example, if the value is set to 7 (1 + 2 + 4), map assemblies, procedure assemblies and map and procedure assemblies are compiled on start up.

Allow Guest User To Raise Flag

In order to raise a flag, an external application must provide either a valid Metastorm user id and password, or alternatively, a valid session id. For backwards compatibility, the engine may be configured to relax this restriction and accept Raise Flag requests without any credentials. This requires that the Guest User is set up. Key: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine Name: AllowGuestUserToRaiseFlag Type: DWORD Set the value to:

• 0, to force flag raisers to provide credentials.

• 1, to allow flags to be raised without providing credentials.

Microsoft Workflow Timeout

Key: HKLM\Software\Metastorm\e-work\Engine\ Name: MicrosoftWorkflowTimeout (secs) Type: DWORD This defines the maximum length of time for which a Microsoft Workflow instance is allowed to execute before it is aborted. The default timeout value is 60 seconds.

1.14.6 Non Registry Settings This topic outlines the non registry settings that can be altered by the Metastorm Administrator:

• Engine Service

• Metastorm User Groups

Engine Service

To configure the Process Engine service, you can change the:

• Service start-up mode.

• Service account (or the account under which the Engine runs). These settings are configurable through the Windows Services tool.




Note: For further details, refer to your Windows documentation.

Metastorm User Groups

To set up the specific user groups for use with Metastorm BPM, you should use specifically created (local or domain) groups.

These settings are configurable through:

• The Computer Management tool

• COM+ Metastorm Engine Roles


2 METASTORM DESIGNER

2.1 Designer Settings

The version 9.0 Designer has a number of places where it stores temporary information such as layout, recently used lists, library cache etc. The file locations below are based on Vista/ Windows Server 2008 operating systems.

Resetting Designer layout Delete the ‘Url.2dglpttbw5sj1j3i2vedoiybh5fbn4em’ folder from: %userprofile%\AppData\Local\IsolatedStorage Offline Library Cache Deleting the files in the location below will clear the library cache: %userprofile%\AppData\Local\Metastorm\BPM\Designer\LibraryCache Other Temporary Files Files in the location below also store Designer information and can be safely deleted: %userprofile%\AppData\Local\Temp\Metastorm\BPM




3 METASTORM DEPLOYMENT

3.1 Deployment Service

3.1.1 Overview The Windows Communication Foundation (WCF) Deployment Service replaces the functionality referred to in the v7.6 Designer Publishing; it takes the v9.0 Metastorm BPM process definitions (solutions, projects, and libraries) and transform them into the requisite runtime Metadata required by the v9.0 Metastorm BPM Process Engine to render the defined process application at runtime. The Deployment Service can work against all the versions of SQL Server and Oracle supported by the Metastorm Process Engine. The Designer uses a service list called DeploymentServiceConfig.xml to identify how it connects to the Deployment Service, this can be configured to allow the BPM Process Developer to chose between which BPM Service they wish to Deploy to. This file is located at the following path C:\Program Files\Metastorm\BPM\IIS The Deployment Service uses the DeploymentService.exe.config to know how to connect to the database via ADO.NET. The Service also uses the Process engine to allow user authentication to be undertaken. Due to this the Process Engine needs to be running in order for the Deployment Service to execute and it should be installed onto the same server as the engine. When deploying a process, you need to log in as a Metastorm user who holds either a ‘MetastormAdministrator’ or a ‘ProcessDesigner’ role. These roles are automatically created on running the Metastorm database creation scripts along with a default BPM user. The default user name and password is as follows: Username: SysAdmin Password: metastorm

The Deployment Service can be configured to use Windows Single Sign-On authentication, if the Metastorm Service has been configured to use it, thereby preventing the need to provide a user name and password, click here to view the steps needed.


Note: The Deployment Service uses the TCP-based network protocol (net.tcp://) and therefore has dependencies on the Net.Tcp Port Sharing Service.

3.1.2 Configuration Files

DeploymentServiceConfig.xml

The BPM Designer uses the DeploymentServiceConfig.xml to know how to connect to the WCF Deployment Service (see example below). If you had multiple Metastorm BPM Services, such as a three tire system involving a development environment, a QA environment and a Production environment for example the additional connection paths could also be included in this document allowing the Process Developer to be able to select where to Deploy to. This file is located at this path C:\Program Files\Metastorm\BPM\IIS extensions\

<?xml version="1.0" encoding="UTF-8"?>

<ServiceDirectorConfig Name="Metastorm Deployment Service List"> <ServiceList Type="Deployment"> <Service Name="Metastorm BPM Deployment Service" Description="Deployment Service">

<Transport Type="WCF"> <Server>net.tcp://<Engine Computer Name>/Deployment</Server> </Transport>

</Service> 

</ServiceList> </ServiceDirectorConfig>

DeploymentService.exe.config

This is the file that the Deployment Service uses to know how to connect to the Process Engine and the Metastorm Repository. This file is located at this path C:\Program Files\Metastorm\BPM\Deployment\

3.1.3 SSO Configuration The Deployment Service can be configured to use Windows® Single Sign-On (SSO) authentication, if the Metastorm Service has already been configured to do so. This prevents the user from needing to enter any credential during the deployment. Follow these steps:

Open the V9.0 Metastorm BPM Designer, click on the Metastorm button




1. Click the Options button 2. Open up the Deployment section and select the Authentication Check box, please see picture below.

3.1.4 Deployment Debugging

Aside from checking in the Windows Application Event log for details of Deployment Service errors, it is possible to run the service in a debug mode to return C# errors by undertaking the following steps:

1. Stop Deployment Service 2. Run Deployment Service by running it from command line:

DeploymentService.exe /debug /ModelAssembly:C:\Temp

3. Stop it when you don't need it anymore by opening Windows Task Manager and killing the DeploymentService.exe process.

3.2 Deployment Client

3.2.1 Overview The V9.0 BPM Designer users the Deployment Service to validated and stored workflow processes in the Metastorm repository where they form the metadata that is used at runtime by the Web client to allow users to interact with the workflow processes. The Deployment Client also offers the ability to store workflow processes in the Metastorm repository but without the need to open up the BPM Designer.

The Deployment Client is a console application designed to provide the ability to allow authorized users to run and schedule deployment of Projects and Libraries through a command line, batch file or script. The Deployment Client consists of two files:


1. Deploy.exe found the following location: C:\Program Files\Metastorm\BPM\Designer\Deploy.exe

2. Deploy.config.xml found the following location: C:\Program Files\Metastorm\BPM\Designer\Deploy.config.xml

This section details how to use and configure the Deployment Client.

3.2.2 Configuration Files

Deploy.config.xml

This is the configuration file for Deploy.exe. It allows you to configure default settings that may be used when the application is run from the command line. If the same argument is configured in the configuration file and used in the command line code then the Deployment Client will use both values executing the command line value first. Important sections of the configuration file are displayed below: Authentication <ServicesList> <Service Name="Local Deployment Service" Description="Deployment Service on local machine"> <Server Login="SysAdmin" Password="metastorm"> <Path>net.tcp://<machine name>/Deployment</Path> </Server> </ServicesList> Deploying Libraries with passwords

<Libraries> <Library Name="Libraryform" Password="bpmlib" Version="2" /> <Library Name="Libraryformseg" Password="bpmlib" Version="1" /> </Libraries>

Deploying from a specified directory Solution Packages can be deployed straight from a specified directory and its sub-directories. The type of file can also be selected allowing the choice of Solutions, Projects or both to be deployed. <Directories> <Dir TargetType="solution"> <Path>C:\temp\t\</Path> </Dir>

<Dir TargetType="bpmproj"> <Path>C:\temp\Solution\Projec2</Path> </Dir>




</Directories>

Deployed a specify single contents (project or solution)

<ContentUris> <Path>C:\temp\Solution\Projec2\Projec2.BPMProj</Path> </ContentUris>

Deploy a specific group It is possible to create several groups inside the <Groups> node and switching between them using /group parameter. For example the following command line code would deploy only the solutions and projects in group G1. Command Line code: Deploy.exe /group;G1

<Groups> <Group Name="G1" Validate="false" Deploy="true"> <Libraries> <Library Name="lpc1" Password="1" /> <Library Name="lst2" Password="1" /> <Library Name="l2" Password="1" /> </Libraries> <Directories> <Dir TargetType="solution"> <Path>E:\Work\bugs\200908\CallErr\cErr</Path> <Path>E:\Work\ConsoleSolutions\</Path> <Path>E:\Work\reqs\200907\CL2\cl2\</Path> </Dir> <Dir TargetType="bpmproj"> <Path>E:\Work\ConsoleSolutions\</Path> </Dir> </Directories> .... </Group> </Groups>

Command Window validation errors and warnings Validation errors and warning are displayed in the command window, the output can be suppressed and the verboseness altered.


<Logger Name="Console" Level="DEBUG" type="Metastorm.Deployment.DeploymentClient.Logging.ConsoleLogger, DeploymentClient"> </Logger>

DEBUG – all messages will be displayed WARN – warnings and errors Error – errors only Info – only information message will be displayed OFF – logger is not logging any info

Text file validation errors and warnings Validation errors and warning can be written a text file, the output can be suppressed and the verboseness altered. DEBUG – all messages will be displayed WARN – warnings and errors Error – errors only Info – only information message will be displayed OFF – logger is not logging any info

<Logger Name="TextLogger" Level="Warn" type="Metastorm.Deployment.DeploymentClient.Logging.TextFileLogger, DeploymentClient"> <Parameter Name="source"> <Value>e:\temp\log.txt</Value> </Parameter>

Validation errors and warnings can be written out to the Event Manager writes logging info into the standard Windows EventLog. Parameter ‘Source’ points the name of EventLog node, if not specified all logging info will be written into the Application node.

<Logger Name="EventLogger" Level="Warn" type="Metastorm.Deployment.DeploymentClient.Logging.EventLogger, DeploymentClient"> <Parameter Name="source"> <Value>DeploymentClient</Value> </Parameter> </Logger>

DEBUG – all messages will be displayed WARN – warnings and errors Error – errors only Info – only information message will be displayed OFF – logger is not logging any info




3.2.3 Command Line The Deployment Client accepts the arguments shown below. Many of these arguments can also be configured in the Deploy.config.xml configuration file but note that any command line arguments are executed first. /? Access the Deployment Client help output.

/service Specify which deployment service definition to use. sample: deploy.exe /service;service name;net.tcp://deploymentServer/deployment;login;pass

/config Use a custom configuration file sample: deploy.exe /config;c:\temp\configuration\myconfig.xml

/dir Deploys all projects in the specified directory samples: deploy.exe /dir;c:\work\ConsoleSolutions /dir;e:\work1;pbmproj

deploy.exe /dir;c:\work\ConsoleSolutions;solution deploy.exe /dir;c:\work\ConsoleSolutions /dir;e:\work1;pbmproj /dir;e:\work\allSolutions

/lib Deploys password protected libraries. sample: deploy.exe /lib;libname;bpmlib /dir;c:\LibrariesSolutions

/group Selects non-default group in config file, and deploy the files specified in it. sample: deploy.exe /group;groupname /c Deploys specified single component (project or solution) Sample: deploy.exe /c;e:\work\c1.solution /c;e:\work\projects\project.bpmproj

%ERRORLEVEL% Error code can be used to identify the success or failure of a deployment by automation scripts. sample: @if %errorlevel% GEQ 0 @if %errorlevel% LEQ 9 echo 'success' @if %errorlevel% GEQ 10 @if %errorlevel% LEQ 99 echo 'warning' @if %errorlevel% GEQ 100 echo 'error' @if %errorlevel% LEQ -1 echo 'exception'


It can also be used in the command line for example: Echo %ERRORLEVEL%




4 MANAGING AUTHENTICATION

4.1 Overview

Before the Metastorm BPM Engine will process any user requests the user must be authenticated with the Metastorm BPM Service. Once authenticated the client may make further requests of the engine to list folders and process actions. Those requests are processed and recorded by the Metastorm BPM Engine creating an Audit Trail in the Metastorm BPM Database.

The Metastorm web client in version 6.x and version 7.x of Metastorm BPM employs a custom mechanism to authorize and authenticate user access. In Metastorm BPM version 9.0, the web client authentication mechanism is entirely based on the Microsoft .NET security guidelines.

This section reviews the following:

• Username and Password Authentication

• Single Sign On Configuration

• Web Farm Deployment Configuration

• Public Access

4.2 Open Authentication

Authentication is the process of acceptance of a user by a Metastorm BPM service. Metastorm Client applications have Open Authentication meaning they have no pre-defined knowledge of any specific authentication mechanism unless specified by the System Administrator in the form of Server Authentication Provider (SAP) scripts.

4.2.1 Server Authentication Provider (SAP) scripts SAP scripts provide the logic necessary for the Process Engine to obtain the user's credentials, validate them and allow a valid session to be generated. SAP scripts can be chained so that the Process Engine will try multiple


scripts in order to see if it can validate a user and log them in, if the first fails the engine will try the second and so on.

Metastorm Ships with a variety of SAP scripts but third party developers can define their own authentication mechanism by writing their own SAP scripts. Out of the box SAP scripts:

• eUser

• eRemPwd

• eRemDetails

• eRemPwdDetails

• eGuest

• eError

• Mqauthentication For Microsoft SQL Server installations, Open Authentication can be automatically configured by the installation script the eUser.js SAP script being used as the default method of login, requiring the user to enter a Username and Password. However For Oracle installations, Open Authentication cannot be automatically configured by the installation script and must be set up manually instead.

4.2.2 Process Definition Document (PDD) The Process Definition Document (PDD) is a single configurable XML document stored in the Metastorm database as an attachment (called ‘Authproc.XML’) that defines all authentication processes that an Engine supports. Each authentication process in turn comprises of a chain of Server Authentication Provider (SAP) scripts - the order of execution. For example, a PDA client could request an authentication process that was specifically designed for PDAs. This authentication process might attempt authentication using certificates (the first SAP in the list for this process). If this failed, then the client would try the second SAP in the list which might offer a login form (suitable for PDA clients) allowing the user to enter user ID password credentials. If the credentials are correct the User will be logged in to the Metastorm Client.

4.2.3 How Open Authentication works Clients normal send two login requests to the Process Engine. Firstly to obtain a login form. Secondly to pass the user credentials to the Process Engine.




When multiple authentication SAP scripts have been set up the Process Engine retrieves the PDD; it reads the list of SAP scripts and notes the order of execution.

The Process Engine executes a SAP by calling its eLogin method. SAP returns a response and any content to be included, by modifying the ework object.

Depending on the ework object’s ResponseType property (set by the SAP), the Engine sends a Transaction Protocol response to the Client.

• eLoginFormResponse

• eLoginResponse

• eErrorResponse

The ework object’s ResponseType properties are:

• sapLogin (0), the Engine attempts to log the user in using the ework object’s UserName property.

• sapForm (1), the Engine generates an eLoginFormResponse, using the ework object’s properties to return information to the Client about the form to be displayed.


• sapFailed (2), if there are no more available SAPs, the Engine returns eErrorResponse (which fails the authentication process). Otherwise, the Engine ensures the authentication process continues by incrementing the current SAP by 1, and calling the next SAP. This is useful for a SAP that is designed to work for only a particular client type. For example, a web client, which uses the Remember Password SAP provided with Metastorm BPM, passes on to the next SAP.

• sapError (3), the Engine returns eErrorResponse (which fails the authentication process).

4.3 Metastorm Web client Authentication

4.3.1 Authentication Architecture

The Metastorm BPM 9.0 web client’s authentication mechanism is built on top of ASP.NET Windows and Forms authentication, as shown in the diagram below.

The web client can be configured to authenticate users by the following authentication modes:

• Form based Username and Password authentication using forms authentication

• Single Sign On (SSO) using windows authentication

Metastorm BPM Authentication Module

The Metastorm BPM authentication module sits behind the standard ASP.NET Windows Authentication Module and Forms Authentication Module, to provide single sign on (SSO) access or login access to the Metastorm web client. As such, the Metastorm web client authentication mechanism is a two stage authentication process:

• Firstly, a user is authenticated through the standard ASP.NET Windows or Forms authentication process. If the first stage authentication is successful then the Metastorm BPM Authentication Module will use the user’s credentials to logon to the Metastorm Engine using the Metastorm BPM Membership Provider.




• Secondly, if the logon is successful then a Metastorm BPM Identity object will be created for the Metastorm web client to talk to the Metastorm Engine.

Metastorm Membership Provider

The Metastorm Membership Provider must be configured in the web client’s web.config file, this is normally configured as part of the installation of Metastorm BPM 9.0.

1. Open the web client’s web.config file in a text editor such as Notepad.

This file is located C:\Program Files\Metastorm\BPM\Web 2. Find the <membership defaultProvider = "BpmMembership Provider"> tag, as displayed in

the code section below.

3. The "Service List" is the URL or UNC path to the Service List Configuration file (EngineServiceConfig.xml). The default install location for this file is C:\Program Files\Metastorm\BPM\IIS extensions\EngineServiceConfig.xml.

4. The "Default Engine Service" specifies the default engine service to use, as specified in the EngineServiceConfig.xml file. For SSO, the Default Engine Service value must be specified.

5. The "Provider Description" is an optional description for the Metastorm Membership Provider.

Note: The PublicAuthenticationProcess attribute must be set to a value of "Public" to enable the Metastorm Process Engine to authenticate public access.

4.3.2 Username and Password Configuration The user name and password combination is the default authentication mode for the Metastorm BPM 9.0 web client. This requires ASP.NET Forms authentication to be set in the web client and for the Metastorm BPM Engine to be configured to use the eUser.js authentication script which is the default Metastorm Authentication Process.

1. Open the web client’s web.config file in a text editor such as Notepad. This file is located C:\Program Files\Metastorm\BPM\Web

2. Find the <authentication mode="Forms"> tag, as displayed in the code section below. <configuration>


... <system.web> ... <authentication mode="Forms"> <forms name="MetastormBPMAuth"

loginUrl="Login.aspx" protection="All" timeout="525600" path="/"></forms>

</authentication> <authorization> <deny users="?"></deny> </authorization> ... </system.web> ...

</configuration>

Note: Please refer to the following link for more information on configuring Forms authentication: http://msdn.microsoft.com/en-us/library/1d3t3c61(VS.71).aspx

1. Use the Metastorm Administration Tools to set the eUser.js authentication script to be the first Server Authentication Provider (SAP)scripts in the list of Metastorm Authentication Processes to be used by the Metastorm Engine.

4.3.3 Single Sign On Configuration Windows® Single Sign-On (SSO) allows a user who is already logged into a Windows domain or Microsoft Active Directory to be automatically logged-in to Metastorm BPM, without re-entering their user name and password. This section details how to configure SSO for the Metastorm Web Client. When the user is logged into Metastorm BPM using his Windows credentials, their user name for the session will be the same as their Windows user name, and in the format domain\username. If static roles are to be used in Metastorm procedures, the roles must be assigned to these user names using the Metastorm Users and Roles tool. It is possible to customize SSO so that user names are returned in an alternative format, such as Active Directory’s Personal Name. Following are the steps involved:

• Alter the web client's web.config file

• Update Metastorm virtual directory

• Add the “Trusted Account” to the IIS_WPG group

• Set the Metastorm web application's application pool identity to the “Trusted Account”

• Update BPMEngine.NET virtual directory

• Enable the ActiveCallerID registry attribute

• Edit the SSO Authentication Script, eSSO_Web.js

• Setup Metastorm Authentication Process

• Update the Metastorm Authentication Process List

• Update Engine Application Settings, application.config


http://msdn.microsoft.com/en-us/library/1d3t3c61(VS.71).aspx



Alter the web client's web.config file

The Metastorm BPM web client's web.config file needs to be configured to allow the users to be authenticated first by Windows authentication.

1. Open the web client’s web.config file in a text editor such as Notepad.

This file is located C:\Program Files\Metastorm\BPM\Web 2. locate the following section of code:

   <authentication mode="Forms"> <forms name="MetastormBPMAuth"


</authentication>

3. Uncomment <authentication mode="Windows" /> tag and comment out <authentication mode="Forms"> tag, you should be left with a section of code similar to the one shown below:

 <authentication mode="Windows" /> 

4. Locate the following section of code:

 

5. Uncomment the <identity impersonate="true" /> tag, you should be left with a section of code similar to the one shown below:

 <identity impersonate="true" />

6. Save the edited file and restart IIS


Update Metastorm virtual directory

The Metastorm web application under Internet Information Services (IIS) must be configured as follows: For Windows Server 2003 (IIS 6.0)

1. Start IIS. 2. Right-click Metastorm virtual directory, and then click Properties. 3. Click the Directory Security tab. 4. Under Anonymous Access and authentication control, click Edit. 5. Make sure the Anonymous access check box is not selected and that Integrated Windows

authentication is the only selected check box. For Windows Vista and Windows Server 2008 (IIS 7.0)

1. Start IIS. 2. In the Connections pane, click the Metastorm application. 3. In Feature View, double-click Authentication. 4. On the Authentication page, select Anonymous Authentication. 5. In the Action pane, click Disable to change the status to Disabled. 6. On the Authentication page, select ASP.NET Impersonation. 7. In the Action pane, click Disable to change the status to Disabled. 8. On the Authentication page, make sure that only the status of Windows Authentication is set to

enabled.

Add the “Trusted Account” to the IIS_WPG group

For SSO, the concept of the “Trusted Account” has been retained in Metastorm BPM 9.0. However the trusted account now only needs to have full control on the C:\Windows\Temp folder and a Client of the Metastorm Process Engine COM+ application. This “Trusted Account” is used by the Metastorm Process Engine to authenticate the client making the request in an SSO scenario. The concept of the trusted account requires additional configuration in both IIS and the Metastorm Process Engine. First, for Windows Server 2003, the “Trusted Account” must be added to the IIS_WPG group as followed:

1. On the desktop, right-click My Computer, and then click Manage. 2. In the Computer Management screen, under System Tools, expand Local Users and Groups,

and then click Groups. 3. Right-click the IIS_WPG group, and then click Add to Group. 4. In the IIS_WPG Properties dialog box, click Add. 5. In the Select User dialog box, in the Enter the object names to select box, type the name of the

“Trusted Account”, and then click OK. 6. In the IIS_WPG Properties dialog box, click OK. 7. Close the Computer Management screen.

Note: The IIS_WPG group do not exist in Windows Vista and Windows Server 2008. As such, the above configuration is not needed.




Set the Metastorm web application's application pool identity to the “Trusted Account”

The application pool identity of the Metastorm web application must be configured to that of the “Trusted Account” as followed: For Windows Server 2003 (IIS 6.0)

1. Start IIS. 2. Right-click Metastorm virtual directory, and then click Properties. 3. Click the Home Directory tab. 4. Under Application settings, make a note of the application pool that appears in the Application

pool box, and then click Cancel. 5. Expand Application Pools. 6. Right-click the application pool that identified in step 4, and then click Properties. 7. Click the Identity tab. 8. Under Configuration, specify the “Trusted Account” name (in Domain\UserName format) and

password in the User name and Password boxes, and then click OK.

For Windows Vista and Windows Server 2008 (IIS 7.0) 1. Start IIS. 2. In the Connections pane , click the Metastorm application. 3. In the Action pane, click Basic Settings... to open the Edit Application dialog. 4. Make a note of the application pool that appears in the Application pool box, and then click

Cancel. 5. In the Connections pane, click Application Pools. 6. On the Application Pools page, select the application pool identified in step 4. 7. In the Action pane, select Advanced Settings... to open the Advanced Settings dialog. 8. Select Identity under the Process Model group. 9. Click the ... button to bring up the Application Pool Identity dialog. 10. Select Custom account. 11. Click the Set... button to open the Set Credentials dialog. 12. Specify the “Trusted Account” name (in Domain\UserName format) and password in the User

name, Password and Confirm password boxes, and then click OK.

Update BPMEngine.NET virtual directory

The Metastorm BPM 9.0 web client talks to the Metastorm Engine using the .NET interface provided by the Metastorm Enterprise Class Library (ECL) for .NET.

Note: For SSO, the Engine Service in the EngineServiceConfig.xml file that ECL component uses must be configured to use the Hypertext Transfer Protocol (HTTP) protocol, see the Service List Configuration File.

Currently, the only supported remote open protocol is HTTP. So, make sure the <server> element of the EngineServiceConfig.xml file is setup as follows:

<Server>http://<ComputerName>/BPMEngine.NET/ECL.rem</Server>


Where <ComputerName> is the name of the machine on which the Metastorm Process Engine is running. The Engine .NET Interface server side component hosted under IIS must be configured as followed:

For Windows Server 2003 (IIS 6.0) 1. Start IIS. 2. Right-click the BPMEngine.NET virtual directory, and then click Properties. 3. Click the Directory Security tab. 4. Under Anonymous Access and authentication control, click Edit. 5. Make sure the Anonymous access check box is not selected and that Integrated Windows

authentication is the only selected check box. 6. Click the Home Directory tab. 7. Under Application settings, make a note of the application pool that appears in the Application

pool box, and then click Cancel. 8. Expand Application Pools. 9. Right-click the application pool identified in step 7, and then click Properties. 10. Click the Identity tab. 11. Under Configurable, specify the “Trusted Account” name (in Domain\UserName format) and

password in the User name and Password boxes, and then click OK. Note: SSO implementation for split deployment setups where the BPMEngine.NET web application is hosted under IIS 6.0 on a Windows Server 2003 machine will require further configuration to work correctly. This is because, under IIS 6.0, Kerberos is used by default. A full summary of the problem and resolution is available in the following Microsoft knowledge base article. http://support.microsoft.com/kb/871179 For Windows Vista and Windows Server 2008 (IIS7.0) 1. Start IIS. 2. In the Connections pane, click the BPMEngine.NET application. 3. In Feature View, double-click Authentication. 4. On the Authentication page, select Anonymous Authentication. 5. In the Action pane, click Disable to change the status to Disabled. 6. On the Authentication page, select ASP.NET Impersonation. 7. In the Action pane, click Disable to change the status to Disabled. 8. On the Authentication page, make sure that only the status of Windows Authentication is set to

enabled. 9. In the Connections pane, click the BPMEngine.NET application to go back to the application home

page. 10. In the Action pane, click Basic Settings... to open the Edit Application dialog. 11. Make a note of the application pool that appears in the Application pool box, and then click Cancel. 12. In the Connections pane, click Application Pools. 13. On the Application Pools page, select the application pool identified in step 4. 14. In the Action pane, select Advanced Settings... to open the Advanced Settings dialog. 15. Select Identity under the Process Model group. 16. Click the ... button to bring up the Application Pool Identity dialog.


http://support.microsoft.com/kb/871179



17. Select Custom account. 18. Click the Set... button to open the Set Credentials dialog. 19. Specify the “Trusted Account” name (in Domain\UserName format) and password in the User

name, Password and Confirm password boxes, and then click OK.

Enable the ActiveCallerID registry attribute

On the machine hosting the Metastorm Process Engine, change the ActiveCallerID registry attribute from 0 to 1. The ActiveCallerID key is located in the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Metastorm\e-work\Engine

Edit the SSO Authentication Script, eSSO_Web.js

In Metastorm Enterprise 9.0, the SSO authentication script file, eSSO_Web.js, is located in the following path by default: C:\Program Files\Metastorm\BPM\Engine\Authentication

To enable SSO, the eSSO_Web.js file must be edited as followed:

1. Locate the trustedAccount variable declaration in the eSSO_Web.js file. 2. Change the value of trustedAccount value to the “Trusted Account” name, in “domain\\username”

format. Note: domain\\username must be typed in lowercase.

Setup Metastorm Authentication Process

The default Metastorm Authentication Process must be setup to use the eSSO_Web.js authentication script, this can be done using the Metastorm Administrative Tools - view topic. The eSSO_Web.js needs to be placed first in the list so that its index is 0, this will cause the Process Engine to try and use this script first.

Update the Metastorm Authentication Process List

The default Metastorm Authentication Process must be setup to use the eSSO_Web.js authentication script. This can be done using the Metastorm Administration Tools.

Update Engine Application Settings, application.config

The application configuration file, application.config, of the Metastorm Process Engine COM+ application is located in the following path by default:

C:\Program Files\Metastorm\BPM\Engine

The SSOFieldName application setting needs to be added to the application.config file, it show look like the code section below.

<configuration> ... <appSettings>


... <add key="ThreadPool_MinWorkerThreads" value="25"/> <add key="ThreadPool_MaxWorkerThreads" value="1000"/> <add key="UseStaticRoleResolution" value="true"/> <add key="ExternalAssemblyReferencesPath" value=""/> <add key="SSOFieldName" value="nt4user"/>

... </appSettings> ... </configuration>

Note: The SSOFieldName application setting shows the “nt4user” value, as used in previous versions of Metastorm BPM, but the value can be set to any other value.

4.3.4 Public Access Authentication Public access involves opening up some of the Metastorm BPM URLs to consumer internet users. Users accessing via public access will be logged on as a guest user, and will only hold the role of “MetastormGuest”. Therefore, to enable public access users to open a particular form or report, the “MetastormGuest” role must be selected in the restrict viewing to... and Available to roles properties of the form and action. In previous version of Metastorm BPM, only the following URLs have been opened up to public access:

• eForm.aspx

• eList.ashx?Type=Blank

However, in the Metastorm BPM 9.0 web client, a much more flexible approach has been adopted. Public access is now completely under the control of the system administrator and all configurations are done using standard ASP.NET web application configurations. Note: Public access is only supported in combination with Forms authentication.

Configuring Web Client for Public Access

Public access is only supported in combination with Forms authentication. To enable public access, on a web server configured to use Forms authentication, the system administrator must first decide what Metastorm BPM functionality needs to be opened up to anonymous access, through the use of Metastorm BPM URLs.

Following are the steps involved:

• Enabling Public Access

• Enabling Form Opening in Public Access

• Enabling Blank Form List in Public Access

• Enable Reading Attachments

Enabling Public Access

Public access is not enabled by default. System administrators must enable this feature by setting the publicAuthenticationProcess attribute value to “Public” in the Metastorm Membership Provider.




Enabling Form Opening in Public Access

The web client’s eForm.aspx request processes all form requests in Metastorm BPM 9. This includes blank forms, administration forms and native reports. The web.config file of the Metastorm web client must be configured as followed:

 

The above configuration will enable public access users to attempt opening of blank forms, administration forms or native reports. One of the following errors will return if public access users attempt to start an action or open a form that does not have the MetastormGuest role selected in the Metastorm BPM 9 Designer:

Metastorm form access error.


Metastorm action access error. As stated previously, a new virtual path provider is introduced in Metastorm Enterprise 9.0 to allow the web client to serve Metastorm forms deployed to the Metastorm Process Engine Repository in ASP.NET format. This new virtual provider brings with it the following URL to enable system administrator to restrict the processes or forms that is exposed to public access: [Forms|Folders|Reports]/{Map Name}/{Locale ID}/{Form Name}.aspx Where the first part indicates whether the URL accessing a Metastorm form, Metastorm folder or Metastorm native report. The other parts of the above URL is described in the table below:

Part Description

Map Name Specifies the name of the Metastorm process.

Locale ID Specifies the locale ID of the deployed form. The Locale ID must be exactly as specified in the eLocaleID column of the eDeployedLanguage table.

Form Name Specify the name of the blank form, administration form or native report.

For example, the configuration below restricts public access to forms in the MempTest process:

<configuration> ...  <location path=”Forms/MempTest”> <system.web> <authorization> <allow users="?" /> </authorization>

</system.web> ... </configuration>

Likewise, the configuration below restricts public access to the English – United Kingdom Form1 blank form in the MempTest process:

<configuration> ...  <location path=”Forms/MempTest/en-GB/Form1.aspx”> <system.web> <authorization> <allow users="?" /> </authorization>




</system.web> ... </configuration>

Enabling Blank Form List in Public Access

In the Metastorm BPM 9 web client, the eList.aspx request serves to render form, alert and report lists in an external URL. Selection of a particular list type is done using the Type query field parameter. This gives us a problem. That is, if the eList.aspx request is opened up, in the web.config file, to public access then anonymous users will be able to view all the Metastorm Enterprise list types. The reason for that is because, in the web.config file’s <location> element, we only have the option to specify a path. There is no way we can authorize only a path with certain query field parameter using the <location> element. However, we can use URL mapping to get around the <location> element limitation. The sample configuration below illustrates how to open up only the Metastorm blank form list to public access:

=

Please refer to the following link for more information on configuring URL mapping: http://msdn.microsoft.com/en-us/library/ms228302.aspx The technique above can be used to open up other Metastorm Enterprise list type to public access.

Enable Reading Attachments

At runtime, the Metastorm web client uses the eReadAttachment.ashx request to retrieve information from the Metastorm Process Engine Repository’s eAttachment table. In a Metastorm Enterprise form, the eReadAttachment.ashx request is being used to perform the following tasks:

• Image field – retrieve the picture selected in the Metastorm Enterprise Designer.

• Attachment Clip and Attachment Grid – retrieve the currently selected attachment to open.

• Status field – retrieve the threshold images.

http://msdn.microsoft.com/en-us/library/ms228302.aspx


The eReadAttachment.ashx request can be opened up to public access by configuring the web client’s web.config file as followed:

Note: Customers should consider the security implication when opening up the eReadAttachment request to public access, as the eAttachment table could contain sensitive data.

4.3.5 Web Farm Deployment The Metastorm BPM 9.0 web client and the ASP.NET Forms authentication module depends on the machineKey web configuration settings to encrypt sensitive user data. In a web farm, the web.config file of each server must be configured as followed:

1. Open the web client’s web.config file in a text editor such as Notepad. This file is located C:\Program Files\Metastorm\BPM\Web

2. Uncomment and edit the following machineKey element to enable "Forms" authentication to work in a web farm.

3. Enter a manually generated key for decryptionKey to encrypt and decrypt data. This value must be the same on each server in the web farm.

4. Enter a manually generated key for validationKey to validate encrypted data. This value must be the same on each server in the web farm.

5. Final code should look similar to the example below:

<configuration>

…

<system.web>

…

<machineKey validationKey=“ ”

decryptionKey=“ ”

validation=“SHA1”

decryption=“AES”/>

…

</system.web>

…

</configuration>




Note: Please refer to the following link for more information on machineKey configuration and web farm deployment: http://msdn.microsoft.com/en-us/library/ms998288.aspx

http://msdn.microsoft.com/en-us/library/ms998288.aspx


5 METASTORM ADMINISTRATIVE TOOLS

5.1 Overview This section details how to use the Metastorm BPM Administrative Tools to perform standard administration and configuration tasks such as:

• Create users, define their attributes, and make static role assignments

• Perform administrative tasks such as registering Process Engines.

• Configure Public Access to make business processes available to users outside your organization, by enabling external users to create folders

• Configure Authentication scripts

5.1.1 Installing the Administrative Tools The Administrative Tool can be installed from the main Designer Installation disk, where you select it as an installation component. The installation creates two virtual directories in IIS, MetastormAdministration and MetastormAdministrationSvc. These virtual directories run under the MetastormAdminAppPool application pool. The MetastormAdministration Virtual Directory needs to have anonymous access disabled.

5.1.2 Launching the Administrative Tools The Administrative Tools is a web based application, it can be accessed by using Internet Explore with the following URL http://<server name>/MetastormAdministration/ The Metastorm Administrative Tools require the user to login. The Metastorm user needs to hold the ‘MetastormAdministrator’ role. This role is automatically created on running the Metastorm database creation scripts along with a default BPM user.

The default User Name and Password are as follows: Username: SysAdmin Password: metastorm




5.1.3 Recovery Mode Authentication If the Metastorm Process Engine is down or the Metastorm SAP scripts or roles were accidentally deleted, there is a “recovery mode” that allows the Administrative Tools to use the Metastorm BPM Services database credentials to authenticate the administrator (if database credentials are configured for Windows Authentication a blank login/password may be used). In the Web.config file there is a setting called “RecoveryMode” if this is set to true the "recovery mode" is activated. By default this is set to “false” as we only support the database mode as a recovery and not as a normal authentication mechanism. An example of the setting is show below.

<appSettings> <add key="EncryptConnectionString" value="false"></add> <add key="RecoveryMode" value="false"></add> </appSettings>

5.2 Users

5.2.1 User & Role Concepts Metastorm BPM uses the concepts of users and roles to control access to the various parts of the application and business processes.

A User is defined as an individual in an organization who uses a Metastorm BPM service. In many cases, this includes everyone on the staff roster, and can be expanded to include contract or temporary workers, suppliers, customers, or business partners, as required.

Roles are a method of grouping people within an organization. Individual Users can be grouped by skill, function, geographical location, or any other criteria relevant to the organization. A user can have any number of roles and a role can be assigned to one or many users. Static and Dynamic Roles are created during the process design and added to the database when a project is deployed.

In this section, we introduce you to the Users and Roles tool and cover the following topics:

• Role-based work management.

• Identifying users and role assignments in your organization.

• Managing users.

• Managing roles.

5.2.2 Managing Users The Metastorm BPM Administrative Tools allows Administrators to undertake a number of User Management tasks. This tool has a tabbed interface. The first tab is "Users" and it is in this area where the user can undertake the following tasks:

• Create users

• Delete user

• Update user (including change password)

• Create custom attributes


• Assign static roles to users

• Find User/Search.

• Create a "Reports To" company hierarchy structure

Steps needed to access the User Tab

1. Using Internet Explorer, access the Metastorm Administrative Tools via the following URL http://<server name>/MetastormAdministration/

2. When the login page displays enter the User Name and Password for the default Administration account. Username: SysAdmin Password: metastorm Note: The default Administration account is created when the Metastorm database creation scripts are run.

3. Select the User Tab, once the page has loaded you should see a screen similar to the image below.

Here the "All" option has been selected at the top causing all the users to be displayed below. Selecting a letter of the alphabet will display the users accounts of the corresponding User Names beginning with this letter. The default display order is based on the "Last Update" column, this is when the user account was created or last updated. This is a paged interface and can be viewed from various pages either via the greater and lesser than brackets or by typing in the page number and hitting the Go Button. You can also alter the number of rows returned per page by typing the number you wish into the "Page Size" field and clicking the Change button. The Administrative Tool allows Administrators to undertake User account searches and also display user accounts grouped by their Management structure. More information on searching is available in the "Find User/Search" topic.




5.2.3 Create users A user is defined as anyone in an organization who uses a Metastorm BPM service. Their credentials must be added through the Administrative Tools > User tab before the Metastorm Process Engine will be able to authenticate them as a valid user.

Note: Metastorm BPM has a Public Access option which is discussed further in the Authentication section of this guide. This allows unknown or anonymous users to interact with the Metastorm Process Engine.

Steps needed to create a user

1. Browse to the Administrative Tool using Internet Explorer and login. 2. Select the User Tab. Click on the New User button (see image below) to open up the New User Section;

this will appear in the bottom half of the screen above the list of existing users. 3. Data entered in the New User section will be added to the Metastorm database, once the Create button is

clicked (see image below).

Explanation of User Properties:

• User Name - This is the name by which users will be known by the Metastorm Process Engine. This is the only required field. It will need to be typed into the Web Client's login window if Single Sign On (SSO) has not been configured.

• Reports To - Represents a company employee structure; you can select the users relevant Line Manager / Team Lead for example from this field. The drop down field displays all the Metastorm BPM users presently set up in this Metastorm database. To speed up the search you can type into the field itself, it will refresh and present only the relevant user names.

• Directory Tree - This field is used when users are created from a company's user directory (e.g. Active Directory service). However this information can also be manually added.

• Distinguished Name - This field is used when users are created from a company's user directory (e.g. Active Directory service). However this information can also be manually added. Note: Full Directory Integration services are not available in the present version of Metastorm BPM 9 but will be available in later releases.

• Deliver Alerts by E-Mail - This is a Boolean field, select "Y" to send e-mail and select "N" to not send e-mail. If you chose "Y" every time the user receives an alert that they have a new folder on their To Do List or Watch List an e-mail will be sent to the address specified in the E-Mail Address property.


Note: This message is an automated Metastorm Process Engine response and as such cannot be customized. If a customized email is required this can be programmatically created in the BPM Designer.

• E-Mail Address - This is the user's email address

Select the Change Password button to access the Password fields (see image below). This is the password that the user must type into the web client's login window if SSO has not been configured. The value entered is MD5 encrypted and stored in the Metastorm Database.

This is not a required field and for testing purposes user accounts can be created with a blank password the value of "blank" is encrypted and stored in the Metastorm Database. This is not a recommended practice for production systems. The data entered will be added to the Metastorm database, once you click on the Create button.

The time at which the user account was created also gets recorded, this will be displayed in the Administrative Tools user interface in the "Last Update" column.

5.2.4 Delete Users Deleting a user removes the user from the eUser table, effectively removing their access permissions to the Metastorm Process Engine and therefore the Web Client. Steps needed to delete a user

1. Browse to the Administrative Tools using Internet Explorer and login. 2. Select the User Tab. Search for the User that you want to delete. View the Find User/Search topic

for more information on doing this. 3. Select the delete icon next to the user account you want to remove. You will be prompted by a

dialog box asking you to confirm your intention to delete the user account. Selecting 'Yes' will permanently remove the user account from the eUser table. Selecting 'No' will cancel the deletion request. Note: Deleting user accounts should be done with caution, an assessment needs to be made of the implications of removing the user account.

5.2.5 Update User

Steps needed to update a user




1. Browse to the Administrative Tool using Internet Explorer and login. 2. Select the Users tab. Use the search functionality available within the Administrative Tools to find

the user account that needs to be updated.

3. Select the Pencil icon to open up the User Account in Edit mode, (see image below). 4. Make any necessary changes and click the Update button to save the changes.

5.2.6 Create Attributes

Tables of attributes can be created and added to user accounts in dynamic roles in BPM projects. Steps needed to add attributes to a user:

1. Browse to the Administrative Tool using Internet Explorer and login. 2. Select the Users tab, expanding the user account to view the full user details; this is achieved by

clicking on the arrow next to the relevant account. 3. Below the user account entry the Attributes tab can be selected to display the attributes assigned to

the user and stored in the eAttribute table. 4. Select the New Attribute link, this exposes editable fields to enter data into, selecting the green tick

insert the values into the eAttribute table. Selecting the red cross cancels the entry (See image below).


5.2.7 Assign Static Roles to Users Sometimes you will need to update user accounts by amending the roles assigned. This can be configured in the Roles tab of the Administrative Tools or in the User tab by directly editing expanded user accounts (See figure below). Note that Static and Dynamic Roles are defined within BPM Projects and the Administrative Tools only displays Static Roles.

Steps needed to assign a static role to a user

1. Browse to the Administrative Tools using Internet Explorer and login. 2. Select the Users tab. Expand the user account to view the full user details by clicking on the arrow

next to the relevant account. 3. Below the user account entry you can view the roles held by the user and the roles available to be

assigned (see image below).




4. Select the role you wish to assign in the Available Roles list on the right hand side and use the arrows to move that role over to the left hand side Roles Held By User list. As soon as the role appears on the left hand side the user holds the role. Note: Multiple roles can be assigned in one go, by holding down the Shift key whilst selecting multiple roles.

5.2.8 Find Users The Metastorm BPM Administrative Tools offer several methods to allow administrators to find existing user accounts.

Alphabetical Search

This is the simplest search facility which will bring back all the user accounts that have a user name that starts with the letter chosen (in alphabetical order). In the figure below the letter S has been selected and the screen has refreshed to display only the user accounts that have a User Name starting with the letter S. Note that the search is case sensitive, so in this example users with names beginning with 's' will not be found.

Grouping and Search/Filter Options

On the left hand side of the Users tab interface there is a panel which offers two more refined searching methods, Grouping Options and Search/Filter Options.

Grouping Options

Administrators can group user accounts by the configured company hierarchical structure established by the Reports To field content with the Group By Manager options, or to clear this level of search refinement by selecting the No Grouping option.

The figure below shows users accounts displayed in their Reports To structure following the selection of the Group By Manager option. The interface allows the administration to expand and contract each Mangers reports to section to view the user accounts of the people they manage.


Each of the user accounts has an arrow next to it which allows access to the roles and attributes associated with that user. From this area roles and attributes can be added or removed.

Search/Filter Options

Administrators can search user accounts by putting values into the search fields: User Name, EMail Address, Reports To, Last Update. There are two search options: Simple Search and Complex Filter.

Simple Search

This search method allows administrators to simply enter a value in any of the search fields and pressing the "Enter" key or click on the "Refresh" button. In the figure below the letter "s" has been entered in the User Name field causing all user accounts to be returned where "s" is included in the user name.

Complex Search

This search method allows administrators to undertake more complicated searches. Once the Complex Search option has been selected from the panel on the left hand side Filter arrows will appear to the right of the search fields in the User Tab interface. When the Filter arrow is selected the drop down list of search criteria is displayed for your selection. Using the complex search facility you can find user accounts that have user names that begin with the letter "s" by entering "s" into the User Name field and then selecting the StartsWith option from the search criteria drop down (see figure below).




Note: User search is case sensitive in Oracle by default, however in SQL Server it is case insensitive by default.

5.2.9 Create a Reports To Structure A company hierarchical structure can be represented by using the Reports To drop down field in the User account information. This can be set up at the same time as the initial creation of the User account or at a later stage by updating the User account.

Once set up administrators can use the Group By Manager search, more information can be found in the find user topic. Additionally the Metastorm BPM Designer has a User's staff and User's manager formula that can be used during process development. User's manager returns the manager, who has a specific role with respect to the specified user and User's staff return a list of the staff who have a specific role and report to the specified user.

Steps needed to configure the Reports To feature

1. Browse to the Administrative Tool using Internet Explorer and login. 2. Select the User Tab. 3. Open up an existing user account or create a new user account and add information to the Reports

To field. 4. Select the drop down fields arrow, the field will expand containing a list of all the user names in

the Metastorm Database. To speed up the search you can start to type the user name if know into the drop down field and the list of user names will begin to be filtered.

5. Select the correct user name and click the Update button to save the change, or complete the rest of the fields and click on the Create button.

5.3 Roles

5.3.1 Role-based Work Management


Metastorm BPM is patterned on the concept of role-based work management, which involves assigning tasks and routing information to a role (such as System Engineer), rather than to a person (such as John, who is a System Engineer). For the designer, role-based work management eliminates the need for knowledge of the names of specific individuals in an organization and the positions they occupy. For the recipients, role-based work management eliminates the need for a response from a specific person, but instead places the responsibility on the role, regardless of whether it is held by an individual or a group of individuals.

Metastorm BPM offers the following options for user and role management via the Administrative Tools:

• Users & Roles Management - Allows the creation and maintenance of User accounts. Static Role assignment and attribute management.

• Open Authentication - Allows Process Designers to create and deploy custom authentication solutions.

Note: Directory Extraction Service - A set of modules used to extract user-related attribute data from Directory Services and store this data in the Metastorm BPM database. A full implementation will be included in later versions of Metastorm BPM 9.

5.3.2 Identifying the User & Role Assignments in Your Organization

To identify the roles in your organization, and assign the proper users to these roles, you must answer the following two questions:

1. What individuals will use the system (in any capacity)? 2. What roles do these individuals occupy in my organization?

Identifying Users

You can create an initial user list based on your organization’s employee list. Depending on your organization’s needs and organization, the employee list may:

• Contain individuals who are not participants in workflow procedures (such as a pool of workers without access to the system, but who answer directly to a supervisor who logs their production). These employees should be deleted from your preliminary list.

• Not include any non-employees (such as contract workers or temporary employees) who may become process participants. These non-employee users should be added to your list.

Note: If you discover that you need to add or delete a user for any reason, you can return to the Users tabs and make the necessary modifications to the user list. These changes become effective immediately.

As you refine your user list, it is a good idea to organize it by workgroups, teams, departments, etc. This method not only helps ensure that all individuals are accounted for, but it is useful when you move to the next step, identifying role assignments.

Identifying Role Assignments

Role-based work management is based on the concept that responsibilities are assigned based on an individual’s job function or role within the organization. The simplest way to make the proper role assignments is to link users with their job title. This is where having organized your user list according to your organization divisions becomes helpful.

The list you develop may not reflect all possible role assignments in your organization. You can define new roles (static or dynamic) as procedures require them. Similarly, you can modify role assignments as changes in your organization require.




Defining Roles

Roles are defined in the Project containing the process. For detailed information on how to define roles, see the Designer User Guide.

5.3.3 Managing Roles The Metastorm BPM Administrative Tools allows Administrators to undertake a number of Role Management tasks. This tool has a tabbed interface. The second tab is "Role" which is where the administrator can carry out the following tasks:

• Searching Role Assignments

• Checking Roles

• Adding and Removing Users to/from Roles

Steps needed to access the Roles Tab

1. Using Internet Explorer, access the Metastorm Administrative Tools via the following URL http://<server name>/MetastormAdministration/

2. You will be taken to a login page. Enter the User Name and Password for the default Administration account. Username: SysAdmin Password: metastorm Note: The default Administration account is created when the Metastorm database creation scripts are run.

3. Select the Roles Tab, once the page has loaded you should see a screen similar to the image below.

5.3.4 Searching Roles The Metastorm Administrative Tools allow administrators to find existing static roles via two main search methods, Simple Search and Complex Filter Search.

Simple Search


This search method allows administrators to simply enter a value in any of the search fields and pressing the "Enter" key or click on the "Refresh" button.

Complex Filter

This search method allows administrators to undertake more complicated searches. Once the Complex Search option has been selected from the panel on the left hand side filter arrows will appear to the right of the search fields in the Role Tab interface. When the Filter arrow is selected the drop down list of search criteria is displayed for your selection.

5.3.5 Checking Roles The Metastorm Administrative Tools offer two methods to allow administrators to check existing Static Roles, Roles Without Users and Undefined Roles. Roles Without Users

This method generates a message box response detailing which Static roles in the Metastorm BPM Database presently have no users assigned to them. See image below. This method it initiated by selecting the "Roles Without Users" option in the left pane.

Undefined Roles

This is initiated by selecting the "Undefined Roles" option in the left pane. This checks to make sure that all static roles are used in deployed projects. This method also opens a message box, see image below.




5.3.6 Assign Static Roles to Users Sometimes you will need to update user accounts by amending the roles assigned. This can be configured in the Roles tab of the Administrative Tools or in the User tab by directly editing expanded user accounts (See figure below). Note that Static and Dynamic Roles are defined within BPM Projects and the Administrative Tools only displays Static Roles. Steps needed to assign a static role to a user

1. Browse to the Administrative Tools using Internet Explorer and login. 2. Select the Users tab. Expand the user account to view the full user details by clicking on the arrow

next to the relevant account. 3. Below the user account entry you can view the roles held by the user and the roles available to be

assigned (see image below).

4. Select the role you wish to assign in the Available Roles list on the right hand side and use the arrows to move that role over to the left hand side Roles Held By User list. As soon as the role appears on the left hand side the user holds the role. Note: Multiple roles can be assigned in one go, by holding down the Shift key whilst selecting multiple roles.

5.4 Log

5.4.1 Managing Error Logs When the Engine encounters a problem in a BPM Process an error is generated and stored in the eLog table of the Metastorm database, these errors can be viewed via the Log Tab of the Administration Tool Interface. The following Designer Log categories are available:

• Authentication Errors —failed login attempts to the Metastorm Engine.

• Process Errors –procedure warnings and errors.


On the left hand side of the interface you will view the navigation panel displayed below, that allows you to drill down into the errors that have been logged.

• Log Type -You can choose to view either Authentication Errors or Process Errors.

• Grouping Options - You can choose to group the errors by Process or not.

• Search/Filter Options - Configures the interface to allow Simple and Complex Filter searches to be undertaken.

• Simple Search - Allows the user to search the errors by column heading.

• Complex Filter - Allows the user to set up a filtered search involving several columns

Steps needed to View the Log Tab

1. Browse to the Administration Tool using Internet Explorer and login. 2. Select the Log Tab (see image below). 3. Choose to review Process Errors or Authentication Errors. 4. Use either the Grouping Options or the Search/Filter options to allow you to find the error you

wish to review 5. Drag and drop the grid columns until they are in an order that allows you to view the information

you are interested in. 6. Expand the error to view full details.

5.5 Metastorm Repository

5.5.1 Managing Metastorm Repository

The Metastorm Database tab allows the Administrator to undertake a number of important Database and System functions, as listed below:

• Managing Service Level Settings

• View deployed Projects and Libraries and their Version History

• Delete a specific version of a Project

• Delete a Project

• Delete a specific version of a Library

• Delete a Library

• View and edit the following elements of Projects and Libraries:

• Connections

• Start Groups

• Processes

• Report Groups

• Administration Groups

• View and Administer folders

• Searching for folders

• View folder attachments, history, parent/child folders, alert lists

• Update folder (subject, category, priority)




• Unlock All Folders

• Unlock a Folder

Note: Alerts are handled differently in version 9 preventing the need for Administrators to purge deletion alerts.

Accessing the Metastorm Database Tab

1. Using Internet Explorer, access the Metastorm Administration Tools via the following URL http://<server name>/MetastormAdministration/

2. You will be taken to a login page. Enter the Username and Password for the default Administration account: Username: SysAdmin Password: metastorm

3. Select the Database tab and the explore tree has been expanded only as far as to display the Projects and Libraries nodes (see image below).

5.5.2 Managing Service Level Settings

It is possible to configure system settings through the Administrative Tools Metastorm Repository tab. Select the top node of the Metastorm Repository explore to open a form to the right that contains two sections a Basic settings section and an Advanced Settings section. These settings are detailed below and should only be changed with caution and consideration, especially the Advanced settings.

Basic Settings


• Session time out period - Sets the number of minutes of no interaction with a Metastorm service that is required to elapse before the session times out. Default 60. Click here for more information.

• Folder lock time out period - Sets the number of minutes after which a locked folder is automatically released for action by a user other than the user who locked it. Default 60. Click here for mire information.

• Guest user name - Sets the name of the user account used for Public Access Authentication. Default eGuest. Click here for more information.

Advanced Settings

• Alive Interval - Sets a time period (in minutes) for each engine to update the repository to show that engine is still running. Default value is 2

• Alert Generation - Configures the whole system to either generate alerts or not. The Default value is -1 causing alerts to be generated. Click here for more information.

• Deletion Alerts - Causes deletion alerts to either be generated or not. The default value is -1 which prevents deletion alerts from being generated. Click here for more information.

• Multi-Lingual List Support - Determines if your system will support Multiple Languages. Default value is 0 indicating that the Metastorm BPM system does not supports Multi Lingual Processing. This setting should only be changed once and requires further configuration steps. Click here for more information.

Note: The format of the FolderID has changed. By default it is now prefixed with 0900 followed by 27 digits. This prefix value is stored in the eFolderIDPrefix column of the eServer table and can be altered if needed. It should be noted however that the FolderID is the systems unique reference to folders and should therefore only be altered with care and consideration.

5.5.3 Session Timeout Period

If a user attempts to access a service after a set period of inactivity, Metastorm BPM displays a message telling them that their session has timed out and that they must log out and log back in again. If the user is accessing Metastorm BPM with Outlook any open forms will be closed when they log out, and any data that has not been submitted will be lost. If the user is accessing Metastorm BPM with Internet Explorer using the Web Client, they may leave a form open while logging out and logging back in, and then continue working with the form. Users of the Web Parts must close any open forms when the session times out, as any open forms will be using an out-of-date session id. The session times out if the user does not interact with a service for a set period. The following are examples of interacting with a service:

• Refreshing a list

• Opening a folder

• Submitting a folder

• Entering data and moving to another field when there are dependencies




However, carrying out the following actions are not counted as interacting with a service:

• Spending a long time entering data into a field

• Adding or retrieving an attachment Note: The session will not time out when Metastorm BPM is taken offline. Note: For users of the Outlook client, the session will only ever time out if the refresh interval is set to 0 or set to a length of time longer than the time-out period.

The session time-out setting for an Engine is held in the database. To update this setting, open the ‘Update Time-out’ Administration Form, enter the time period in the Session time-out field and submit the form. The default value for this setting is 60 minutes. If the value is set to 0, the session will not time out. The change only takes effect for sessions started after the update is made. We recommend that for security reasons you do not set the session time-out value to 0. In addition, if the session time-out value is set to 0, the eSession table will fill up with unexpired sessions and should be cleared manually at regular intervals.

The setting corresponds to the length of a time-out period. The first time-out period begins when the user first interacts with Metastorm BPM. If the user stops interacting with Metastorm BPM during the first half of the time-out period, the session ends when this time-out period ends.

For example, if the session time-out is set to 60 minutes, and the user interacts with Metastorm BPM for just 20 minutes, the session will time out 60 minutes after it began (i.e. 40 minutes since the user’s last interaction with Metastorm BPM). If the user attempts to interact with Metastorm BPM after this, he will be asked to log out.

A new time-out period automatically begins the first time the user interacts with Metastorm BPM during the second half of a time-out period. This new time-out period is treated in the same way as the first one. If the user carries out their last interaction with in the second half of a time-out period, the session will continue to be available until the end of the next time-out period.

For example, if the time-out period is set to 60 minutes, and the user interacts with Metastorm BPM for 45 minutes, the interaction that happens in the 31st minute sparks a new time-out period. The session will time out at the end of the new time-out period, 1 hour and 31 minutes since the first interaction. However, if the user starts to interact during the second half of the second time-out period, a further time-out period will begin.

5.5.4 Folder Lock Timeout

This dialog enables you to specify the number of minutes after which a locked folder is automatically released for action by a user other than the user who locked it (it is always available to the user who locked it). A folder is locked when a user is modifying it or performing an action upon it, such as filling out a form. This prevents multiple users from editing or modifying a folder at the same time. If a user attempts to open a folder for an action (by selecting the action button) and this folder is already locked by another user, the following error message is displayed: Folder already locked for <action name> by <username>


If two users, logged in using the same user id, lock the same folder to perform an action then the second user to submit the folder will get the error message: Folder not locked.

The Folder Lock Timeout can be used to:

• Prevent a user from leaving a folder open too long and denying access to others.

• Prevent a folder from being permanently inaccessible when a network or workstation fails.

• Prevent a folder remaining inaccessible, when a user’s browser has been closed in the middle of taking an action without committing the action or canceling it.

5.5.5 View Projects and Libraries Metastorm Administrators can use the explorer tree on the left hand side of the Repository tab to view all the Projects and Libraries that have been deployed to the Metastorm Repository along with all their subsequent parts. The image below, shows that one project and two libraries have been deployed to this example Metastorm Repository.

By selecting the Project or Library name the version history is displayed and the element expands to show the processes, connections and start groups that are contain within it, as shown in the image below.

If you select the Start Groups (see image below) you will see an entry for each different Process, Administration form, and Report that has already been created and deployed; you can then change their "Group Name" which will effect how they are grouped in the Web Client's Blank Forms, Administration




Forms and Reports Lists. .

Note: Please note that connections in Libraries do not show under the Library nodes. Library connections will appear under the Project nodes of those projects that reference the library.

5.5.6 Deleting a Project

As part of cleaning up the Metastorm Repository it is good practice to delete Projects they are no longer needed and their folder information is not required to be archived and stored. This can be done by performing the following steps:

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm DB explore tree node 3. Expand the Projects node 4. Select the name of the Project you wish to delete from the Metastorm Repository and right click 5. Select the option "Delete" from the sub menu.

Note: Deleting a Project will remove all references to this project from the repository including all the information related to its folders. Note: Tables relating to Sub-Process will not be deleted from the Metastorm Repository when the Project's they are associated with are deleted, if there is no reference to them being used by the Project.

Deleting a Version History


As part of cleaning up the Metastorm Repository you can remove old copies of Projects that are no longer used and will not be needed to be recovered. This can be done by performing the following steps:

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Project you wish to delete. 5. View the Version History in the right hand panel and select the trash can icon next to the version

you intend to remove.

5.5.7 Deleting a Library As part of cleaning up the Metastorm Repository it is good practice to delete Libraries if they are no longer needed and their folder information is not required to be archived and stored. This can be done by undertaking the following steps:

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Libraries node 4. Select the name of the Library you wish to delete from the Metastorm Repository and right click 5. Select the option "Delete" from the sub menu.

Note: Deleting a Library will remove all references to this Library from the repository; this may cause problems if it is being used by processes.

Deleting a Library Version History

As part of cleaning up the Metastorm Repository you can remove old copies of Libraries that are no longer used and will not be needed to be recovered. This can be done by undertaking the following steps:

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Library node 4. Select the name of the Library you wish to delete . 5. View the Version History in the right hand panel and select the trash can icon next to the version

you intend to remove.

5.5.8 Administer Folders The Administrative Tools can be used to administer Metastorm BPM Folders in the following ways:

• Searching for a Folder

• Unlock Folders

• Unlock All Folders

• Unlock individual Folders

• Updating Information




• Update Folder (subject, category, priority)

• View and Update Folder Attachments, History, Parent/Child Folders, alert lists

• Update Folder Alerts

• Delete Folders

Searching for Folders

To view a list of all folders associated with a specific process: 1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Project that contains the Process to which the folder you wish to view

relates 5. Select the Process and view all the folders contained within it on the right hand side

This area displays the following information about each folder (each heading can be a filter):

• Folder name

• Stage at which the folder is currently located

• Folder ID

• Subject of the folder

• Priority of the folder

• If it is locked Unlock Folder Folders are automatically locked to everyone but their present user by the Engine. It may become necessary to unlock the folders to:

• Prevent a user from leaving a folder open too long and denying access to others.

• Prevent a folder from being permanently inaccessible when a network or workstation fails.

• Prevent a folder remaining inaccessible, when a user’s browser has been closed in the middle of taking an action without committing the action or canceling it.

Using the Administrative Tools the Metastorm administrator can choose to Unlock all the folders in one go or on an individual basis. Unlock all folders in one go

1. Select the "Metastorm Repository" tab of the Administrative Tools interface. 2. Right click on the top node of the explore tree "Metastorm Repository" and select the "Unlock

Folders" sub menu that appears, as in the diagram below.


3. A dialog will appear stating how many folders will be unlocked, and an "OK" button to initiate

this process.

Unlock individual folders 1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Project that contains the Process to which the folder you wish to edit relates 5. Select the Process and view all the folders contained within it on the right hand side 6. Select the unlock folder option next to the folder.

Updating Information

Update Folder (subject, category, priority) 1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explorer tree node 3. Expand the Projects node 4. Select the name of the Project that contains the Process to which the folder you wish to edit relates 5. Select the Process and view all the folders contained within it on the right hand side 6. Select the pencil icon next to the folder you wish to edit and Edit the information, selecting the

green tick when complete View Folder Attachments, History, Parent/Child Folders, alert lists

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explorer tree node 3. Expand the Projects node 4. Select the name of the Project that contains the Process to which the folder you wish to edit relates 5. Select the Process and view all the folders contained within it on the right hand side 6. Select the white triangle next to the folder you wish to view the information for. This will expand

the row and display a tab interface (see image below). You can use this interface to find out the relevant folder information.

Update Folders Alert List

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node




3. Expand the Projects node 4. Select the name of the Project that contains the Process to which the folder you wish to edit relates 5. Select the Process and view all the folders contained within it on the right hand side 6. Select the white triangle next to the folder you wish to view the information for. This will expand

the row and display a tab interface (see image below). 7. Select the Alert List Tab to view and edit the alerts for this folder. This means that you can add or

remove the folder to and from peoples ToDo List and Watch List.

Delete a Folder

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Project that contains the Process to which the folder you wish to delete

relates 5. Select the Process and view all the folders contained within it on the right hand side and use the

column filtering to allow you to find the folder 6. Select the trash can icon next to the relevant folder to delete it from the Metastorm Repository.

5.5.9 Administer Procedure and Library Elements

The Administrative Tools can be used to administer the subsections that belong to Projects and Libraries, such as those listed here:

• Editing Connections

• Editing Start Groups

• Deleting Processes

• Deleting Report Groups

• Deleting Administration From Groups

Administering Connections

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository node 3. Expand the Projects node 4. Select the name of the Project that contains the Connection you wish to edit, you will see a list of

associated Connections appear on the right hand side. 5. Select the pencil icon next to the Connection you wish to edit, you will then be able to edit the

Connection and save your changes (please see image below). Note: Selecting the Overridden checkbox property means that the connection was overridden by external tool and will not be modified by further deployment of the project containing the connection.


Start Groups

Processes, Administration Forms and Reports can be grouped together to enable a more organized user experience when viewing the items in the Web Client. This grouping can be achieved by editing the Start Groups section of a Project, as follows:

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository node 3. Expand the Projects node 4. Select the name of the Project that contains the Start Group you wish to edit, you will see a list of

associated items appear on the right hand side. 5. Select the pencil icon next to the item you wish to edit, edit and save your changes (please see

image below).




Deleting Processes

As part of cleaning up the Metastorm Repository it is good practice to delete Projects if they are no longer needed.

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Process you wish to delete, right click and select delete.

Deleting Report Groups

As part of cleaning up the Metastorm Repository it is good practice to delete Report Groups if they are no longer needed.

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Report Groups you wish to delete, right click and select delete.

Deleting Administration Form Groups

As part of cleaning up the Metastorm Repository it is good practice to delete Administration Form Group if they are no longer needed.

1. Go to the "Metastorm Repository" tab in the Administrative Tools 2. Expand the Metastorm Repository explore tree node 3. Expand the Projects node 4. Select the name of the Administration From Group you wish to delete, right click and select

delete.


5.6 Authentication

5.6.1 Administering Server Authentication Provider (SAP) Scripts

The Metastorm BPM authentication architecture is designed to support multiple mechanisms of authentication, this enables the User to experience a seamless log in process every time even when they are connecting to the Metastorm service though different devices, and via different connection methods.

The Administrative Tools can help you administer this via the "Authentication" tab. The following tasks can be undertaken:

• View Present Authentication Configuration

• Add a SAP Script

• Remove a SAP Script

• Change the order of SAP Script execution

• Download the SAP Script file

• Set up Public Access

• Remove Public Access

• Enable a Signature

• Remove a Signature

View Present Authentication Configuration

1. Go to the "Authentication" tab in the Administrative Tools 2. On the right hand side you will see the list of SAP scripts and there order of execution. By default

initially you will only see the euser.js scripts (see image below).

Add a SAP Script

1. Go to the "Authentication" Tab in the Administrative Tools 2. Select the Add SAP Script button on the left had side 3. You will be prompted to browse for your SAP Script file and click the Add Script button.

At this point you can select a customized SAP script or choose from the ones shipped with the Metastorm BPM product. Following a default install the file path would be: C:\Program Files\Metastorm\BPM\Engine\Authentication. Metastorm Ships with the following SAP script examples:

• eerror.js

• eguest.js

• eremdetails.js

• erempwd.js

• erempwddetails.js

• eSSO_Web.js = this is the SAP script required for Windows Single Sign On

• euser.js = this is the default SAP script




• installOA.js

• mqauthentication.js 4. The screen will refresh and you will see your SAP script added to the list on the right hand side.

Remove a SAP Script

1. Go to the "Authentication" Tab in the Administrative Tools 2. On the right hand side you will see the list of SAP scripts and there order of execution, find the

one you wish to remove. 3. If you wish you can choose to download a copy of it and save it locally by selecting the Download

button. Or you can jump to step 4. 4. Click on the Trash can icon next to the SAP script you wish to remove. 5. Then select the OK button when prompted to confirm you request.

Change the order of SAP Script execution

1. Go to the "Authentication" Tab in the Administrative Tools 2. On the right hand side you will see the list of SAP scripts and there order of execution indicated in

the index column. 3. Click on the SAP script you wish to re-order and drag it up and down until you are happy with the

order of execution, you will notice that the line goes green to indicate your selection. Note: The SAP order starts at 0, as being the first SAP script that the Metastorm Process Engine will try and execute, and increments up.

To download the SAP Script file:

1. Go to the "Authentication" Tab in the Administration Tool 2. On the right hand side you will see the list of SAP scripts and there order of execution. 3. Find the one you wish to download a copy of and click its Download button. 4. You will be prompted to confirm your intention, select the Download button. 5. Chose to open the file, by selecting the Open button, or save the file locally by selecting the Save

button. 6. Follow the options to save the file in a location of your choosing.

Set up Public Access A Public Access license can been purchased and installed, this provides anonymous access to Metastorm Blank Forms and Administration form.

1. Go to the "Authentication" Tab in the Administrative Tools 2. On the left hand side select the Public Access button 3. You will be prompted to browse for your eguest.js SAP Script file and you will be allowed to

amend the Guest Username (by default this is set to eGuest). Click the Add Script button. Note: When a guest user logs in, the Process Engine will give them the Guest Username.


Note: Following a default install the file path the eguest.js file would be: C:\Program Files\Metastorm\BPM\Engine\Authentication.

4. On the left hand side view the Status panel (see image below) to check that Public Access is now showing as being Enabled. Note that the eguest.js SAP script will not be displayed in the list of active SAP scripts on the right hand side.

Remove Public Access

1. Go to the "Authentication" Tab in the Administrative Tools 2. On the left hand side select the Remove Public Access button 3. Select the OK button when notified that Public Access has been removed. 4. On the left hand side view the Status panel (see image below) to check that Public Access is now

showing as being Disabled.

Enable Signature

A digital signature is an electronic tag which guarantees that data has been supplied by a particular system user and has not been changed by a third party. The Metastorm signature control which a process designer can deploy on a Metastorm form comes with a script which populates the signature with the process participant’s user ID and a time stamp. This script can be amended to suit the needs of your organization.

1. Go to the "Authentication" Tab in the Administrative Tools 2. On the left hand side select the Enable Signature button 3. You will be prompted to browse for your eClientSignature.js 4. On the left hand side view the Status panel (see image below) to check that Signature is now

showing as being Enabled. Note: Following a default install the file path the eClientSignature.js file would be:C:\Program Files\Metastorm\BPM\Engine

Remove Signature

1. Go to the "Authentication" Tab in the Administration Tool 2. On the left hand side select the Remove Signature button 3. Select the OK button when notified that Signature has been removed. 4. On the left hand side view the Status panel (see image below) to check that Signature is now

showing as being Disabled.

5.7 Services

5.7.1 Registering Services This area allows you to register additional Metastorm Engine Services and Metastorm Deployment Services. Because you are doing this through the Administrative Tools you do not have to hold any further




system permissions beyond holding the "MetastormAdmintrator" role. Once configured you will be able to check the status of these services and start and stop them from one location.

How to Register a Service:

1. Go to the "Services" Tab in the Administration Tools 2. Enter the machine name on which the Services are connected and hit the Register button 3. You should see your services appear as registered on the right hand side (see the image below)

Note: The browser needs to be started using the ‘Run as administrator’ option on Vista and Server 2008 for this to work.

5.7.2 Configuring Registered Services

This area allows you to configure both the Engines Service and the Deployment Service, because the user is doing this through the Administration Tools he/she does not need to have rights to the machines on which the services are running, only hold the "MetastormAdministrator" role.

1. Go to the "Services" Tab in the Administration Tools 2. Then right click on the service you wish to configure (see image below).

The sub menu enables the user to perform the following actions:

• Start – Starts the selected service.

• Stop – Stops the selected service.

• Restart – Restarts the selected service.

• Update Status – Refresh the service status.


5.8 SSO Configuration

The Administrative Tools can be configured to use Windows® Single Sign-On (SSO) authentication, if the Metastorm Service has already been configured to do so - Learn how to configure SSO. This prevents the user from needing to enter any credential when they launch the Tools.

Follow these steps:

1. Open up the Administrative Tools web.config file in an editor such as Notepad or Visual Studio 2008. If default options were selected during the Metastorm install the location should be C:\Program Files\Metastorm\BPM\Administrative Tools\Web.

2. Edit the web.config file so it looks like the example below. Uncomment the <authentication mode ="Windows" /> and add the line <identity impersonate="true" />. Finally comment the <authentication mode="Forms"> section.

<authentication mode="Windows" /> <identity impersonate="true" /> 

3. Open up the browser and go to the following URL, you should be logged in to the Administrative Tools with out having to login. http://<server name>/MetastormAdministration/




6 ADMINISTRATIVE PROCESSES

6.1 Browser Settings

We have provided an administrative form process called "Browser Settings"; this process can be used ‘out of the box’, or modified to suit your own organizational requirements. It provides an Administration Form that allows any process user to alter their default locale settings (date, time and number formats). When deployed, the administrative form will automatically be available in French, Spanish and German.

Screen shot of the Administration Form – Browser Settings



Follow the instructions below to deploy The Browser Settings process: 1. the necessary files can be found following a default installation at the following path.

C:\Program Files\Metastorm\BPM\Administrative Tools\Administrative Processes\Browser Settings

2. Open and deploy the Browser_Settings.Solution in the Metastorm BPM Designer. 3. Open the Metastorm web client and launch the Browser settings form from the Administration

Forms List. Changing any settings and then submitting the form will save the changed settings as a persistent cookie on the user’s machine. Cancelling the form will leave the previous settings unchanged.

Documents

Metastorm BPM Version 9 - evolosoft · • AIX®, AIX 5L™, CICS®, CICSPlex®, DB2®, DB2 Universal Database™, ... Metastorm BPM Version 9.0 • Additional Configuration Steps