LiveCycle ES2 enables you to configure security settings for each service, which allows you to configure fine-grained access control on a service-by-service level.
Default security profiles are installed, which can then be configured to meet your system needs. Each security profile has an associated domain and is created at either the user level or the group level.
Modify security settings for a service
- In LiveCycle Administration Console, click Services > Applications and Services > Service Management.
- On the Service Management page, click the service to configure.
- Click the Security tab.
- In the Require Callers To Authenticate list, select either Yes or No to specify whether the service can be invoked with or without credentials.
  If you select Yes, the caller of the service must be authenticated and the user principal for that caller must be authorized to invoke the service; otherwise, the invocation attempt will be refused.
  If you select No, the caller of the service may or may not be authenticated. The invocation of the service will always succeed because there is no authorization check.
- For services that contain one or more operations flagged for anonymous access, select or deselect Anonymous Access Allowed. When anonymous access is enabled, any user within the system can invoke operations on the service. If anonymous access is disabled, users must be granted permission to call the service and invoke operations. Users are granted these permissions either directly or as members of a group that has such permissions.
- For some services, the user account that executes the operation affects the results. For example, in Content Services ES, the user that stores content is made the owner of the content, which affects who can later access the content. If you are using a process to store content, consider which user executes the Document Management service, because that user will own the stored content.
  To specify the run-time identity used by a service to execute operations, select Specify Run As and select an option from the associated list. Choose from the following options:
  - Invoker: Uses the same identity as the user who invoked the service.
  - System: Uses the System user to run the service with full privileges.
  - Named User: Enables you to run the service as a specific user. When you select this option, click Select User to display the Select Principal page, where you can search for and select the user.
  If you do not select Specify Run As, the default behavior is used.
  Note: Render and submit services that are used with xfaForm, Document Form, and Form variables are always executed using the System user account.
- Click Save and then click Add Principal.
- Click the security profile to assign to the service.
- Select the permissions to assign to this profile and service:
  - INVOKE_PERM: To invoke all operations on the service
  - MODIFY_CONFIG_PERM: To modify the configuration of a service
  - SUPERVISOR_PERM: To view process instance data for a service that is created from a process
  - START_STOP_PERM: To start and stop a service
  - ADD_REMOVE_ENDPOINTS_PERM: To add, remove, and modify endpoints for a service
  - CREATE_VERSION_PERM: To create a new version of the service
  - DELETE_VERSION_PERM: To delete a version of the service
  - MODIFY_VERSION_PERM: To modify a version of the service
  - READ_PERM: To view the service
- Click Add.
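The settings in this procedure interact: a service that does not require authentication, or that allows anonymous access, combined with Run As set to System or a Named User, lets callers who were never authorized act under that identity. The Python audit below is an added example, not Adobe code; the record layout, service names and principals are constructed, and the values are assumed to be copied by hand from each service's Security tab.

```python
# Added example. The record layout is hypothetical: values are copied by hand
# from each service's Security tab, not exported by LiveCycle.
MANAGEMENT_PERMS = {
    "MODIFY_CONFIG_PERM", "START_STOP_PERM", "ADD_REMOVE_ENDPOINTS_PERM",
    "CREATE_VERSION_PERM", "DELETE_VERSION_PERM", "MODIFY_VERSION_PERM",
}

def audit_service(svc):
    """Return review findings for one service's security settings."""
    findings = []
    open_invoke = []  # reasons why callers are not checked for INVOKE_PERM
    if not svc["require_auth"]:
        open_invoke.append("Require Callers To Authenticate = No")
    if svc.get("anonymous_access"):
        open_invoke.append("Anonymous Access Allowed")
    for reason in open_invoke:
        findings.append(f"{reason}: invocation is not limited to granted principals")
    run_as = svc.get("run_as")  # None: Specify Run As is not selected
    if open_invoke and run_as == "System":
        findings.append("Run As = System: those callers execute with full privileges")
    if open_invoke and run_as == "Named User":
        findings.append(f"Run As = Named User: those callers execute as {svc['run_as_user']}")
    for principal, perms in sorted(svc.get("principals", {}).items()):
        if not svc["require_auth"] and "INVOKE_PERM" in perms:
            findings.append(f"{principal}: INVOKE_PERM grant is not enforced (no authorization check)")
        mgmt = sorted(MANAGEMENT_PERMS & set(perms))
        if mgmt:
            findings.append(f"{principal}: holds management permissions {', '.join(mgmt)}")
    return findings

# Constructed sample inventory (service names and principals are made up).
SERVICES = [
    {"name": "StoreInvoiceProcess", "require_auth": False, "anonymous_access": False,
     "run_as": "System", "principals": {"Finance Group": ["INVOKE_PERM"]}},
    {"name": "RenderStatement", "require_auth": True, "anonymous_access": False,
     "run_as": "Invoker", "principals": {"Statement Users": ["INVOKE_PERM", "READ_PERM"]}},
    {"name": "ArchiveContent", "require_auth": True, "anonymous_access": True,
     "run_as": "Named User", "run_as_user": "archive-svc",
     "principals": {"Ops Group": ["INVOKE_PERM", "MODIFY_CONFIG_PERM", "START_STOP_PERM"]}},
]

def audit_all(services):
    """Map each service name to its findings, omitting clean services."""
    report = {s["name"]: audit_service(s) for s in services}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SERVICES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Services left at the default Run As behavior are not flagged for identity, because the default is not specified here.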
Remove the principal from a security profile
- On the Service Management page, select the service to configure.
- Click the Security tab, select the security profile to remove, and click Remove.