Tenant Management, Roles, and Permissions
Get familiar with IBM webMethods Integration tenant types, their associated settings, learn how to define roles for your tenant, permissions, and add users to a tenant.
Tenant Types and Plans
Credit-based TenantsCredits consumption criteriaSupported plansTransaction-based TenantsTransaction consumption criteriaSupported plansAutomatic suspension and deletion for Free Forever Edition tenantsIBM webMethods Integration supports two types of tenants:
- Credit-based Tenants
- Transaction-based Tenants
Credit-based Tenants
Tenants created before June 10, 2020 run (and will continue to run) on credits.
Credits consumption criteria
The credit consumption for each Flow service/Workflow is calculated based on the selected container and flow time.
| Flow Time (in minutes) | Credits Consumed by Containers with respect to Flow Time | ||
|---|---|---|---|
| 256 MB | 512 MB | 1024 MB | |
| 3 | 1 | 2 | 4 |
| 6 | 2 | 4 | 8 |
| 9 | 3 | 6 | 12 |
| 12 | 4 | 8 | 16 |
| 15 | 5 | 10 | 20 |
| 18 | 6 | 12 | 24 |
| 21 | 7 | 14 | 28 |
| 24 | 8 | 16 | 32 |
| 27 | 9 | 18 | 36 |
| 30 | 10 | 20 | 40 |
Note
The availability of the 512 MB and 1024 MB container depends on your subscription plan.
So, for example, if the workflow execution duration is 5 minutes and container size is 512 MB then, 4 credits will be consumed from your tenant account.
Supported plans
Users of credits-based tenants trial plan can upgrade to the Basic, Advanced, or Enterprise plan based on their requirements.
Transaction-based Tenants
Tenants created after June 10, 2020 will run on transactions.
Transaction consumption criteria
The transaction consumption for each Flow service or workflow is calculated based on the execution duration (in seconds) mentioned in your contract. The default is 3 seconds. For example, if your workflow execution duration is 10 seconds, 4 transactions will be consumed from your tenant account.
| Execution Time (in seconds) | Transactions Consumed |
|---|---|
| Up to 3 (default) | 1 |
| More than 3 and up to 6 | 2 |
| More than 6 and to up to 9 | 3 |
| More than 9 and to up to 12 | 4 |
| More than 12 and up to 15 | 5 |
| More than 15 and up to 18 | 6 |
| More than 18 and up to 21 | 7 |
| More than 21 and up to 24 | 8 |
| More than 24 and up to 27 | 9 |
| More than 27 and up to 30 | 10 |
Supported plans
When you sign up for a IBM webMethods Integration trial tenant, it is assigned the Free Forever Edition plan by default.
Under the Free Forever Edition plan, you are allocated a certain number of transactions per month. These transactions are replenished at the start of each month. If you consume all your transactions before the month is over, you can either wait for the transactions to be replenished next month or upgrade to one of the paid plans.
Automatic suspension and deletion for Free Forever Edition tenants
Your Free Forever Edition tenant can be suspended or deleted due to inactivity. An alert email notification is sent to you before tenant suspension and deletion. We recommend following the instructions given in the received alert email notification before due date to avoid tenant suspension and subsequent deletion.
Suspended tenant
During suspension, any attempts to login to the tenant using the App Switcher or product URL, deployment of Connector Builder application, invocation of any Public APIs, or any other means of accessing the tenant are prevented. Any scheduled executions are also halted.
Only users having one of the following roles in IBM webMethods iPaaS can reactivate a suspended tenant:
- Cloud Tenant Administrator
- Account Administrator
- webMethodsioIntegration-User
Deleted tenant
A tenant once deleted, cannot be recovered.
Note
- If your tenant is under the Free Forever Edition plan, you cannot run workflows or Flow services once you have reached the transaction limit.
- If your tenant is under one of the paid plans, you can continue running your workflows and Flow services even if you have reached the transaction limit. In such a scenario, the overage charges are added to the final bill.
Tenant Profile
No subtopics in thissection
IBM webMethods Integration allows you to centrally view and manage the details of your tenant. Once you have logged in to your tenant, click on the tenant profile icon located at the top-right corner of the home screen, and select Profile from the list of options that appear.
You will be redirected to the Profile screen where you can view and manage your tenant profile settings.
- First name: First name of the tenant user.
- Last name: Last name of the tenant user.
- Work Email: Email ID of the tenant user.
- Environment Name: Name of the tenant.
- Plan: Current subscription plan of the tenant.
- Developer key: Developer key associated with the tenant. You can copy this key using the Copy icon or can regenerate it by clicking the Generate Token button.
- Assigned Role: Roles created for the tenant.
Role Management
RolesRoles and access permissionsCreating new rolesPermission typesReadExampleWriteExampleExecuteExampleEditing or deleting custom rolesIBM webMethods Integration provides you a quick overview of roles assigned to a user and allows you to also define custom roles with specific permissions for your tenant.
Roles
A role is a set of permissions. When you assign a role to any user, the role’s permissions are assigned to that user.
To view and create roles, log in to your tenant, click on the tenant profile icon located at the top-right corner of the home screen, and select User Management from the list of options that appear.
You will be redirected to the Roles screen.
The Roles screen allows you to view the list of existing roles and create new roles for your tenant. Only the tenant owner and admin have access to this screen.
IBM webMethods Integration provides two default roles:
- Admin: Can manage users, roles and projects in the tenant. The owner of the tenant is assigned this role by default.
- Developer: Can manage all projects of your tenant.
Note
The default roles cannot be edited or deleted from a tenant.
Roles and access permissions
The role assigned to you determines which operations you can and cannot perform in the tenant. The list of access permissions for each role is listed in the table below:
| Role | Manage Free Forever Edition Plan Settings | Manage White Labeling Settings | Manage Tenant Users | Manage Environments | Publish Project | Deploy Project | Create Project | Update Project | Delete Project | Create/Delete/Update Workflow | Manage Roles | Monitor Dashboard | Monitor Audit Logs |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Admin (Tenant Owner) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin (Not a tenant Owner) | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Developer (Cloud-Tenant-Administrator and webMethodsioIntegration-User) | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
| Developer (webMethodsioIntegration-User) | Yes | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
| Custom Role - (Read) | No | No | No | No | No | No | No | No | No | No | No | Yes | No |
| Custom Role - (Write) | No | No | No | No | No | No | No | No | No | Yes - Only applicable to the project(s) of which access is granted to the role | No | Yes | No |
| Custom Role - (Execute) | No | No | No | No | No | No | No | No | No | No | No | Yes | No |
Creating new roles
You can also create custom roles for your tenant. These roles determine which projects should be made accessible for users of a particular role.
To create a new role, click on the New Role button given on the top-right corner of the Roles screen. A new Add Role window will appear where you will be prompted to provide the following details:
- Role Name: Provide a unique name for the role you want to create.
- Description: Provide a short description of the role. This description will be displayed beside the role name in the roles list.
- Set project permissions for this role: Specify which projects are accessible under this role and what permissions should be granted for each project. We will understand each permission type in detail in the next section.
Once you have assigned relevant permissions for required projects, click Done. This will create a new role in your tenant.
Note
- Admins can only modify other users’ roles. They cannot modify the tenant owner’s role or their own role.
- Whenever you create a new project, please ensure to add it under relevant roles with required permissions to make it accessible for intended users.
- The Alert Rules tab will not be visible to the users added under a custom role.
Permission types
There are three types of permissions that can be granted for each project:
- Read
- Write
- Execute
Each permission determines the actions a user can perform in that particular project.
Read
The read permission allows users to only view the assigned projects and the project assets.
Example
Let’s say Tenant Demo has 3 projects: Project 1, Project 2, and Project 3. The tenant admin created a ‘Read Only’ custom role with only read access for Project 1 and Project 2.
When User A is assigned the ‘Read Only’ role, they can view only Project 1 and Project 2 in the Projects dashboard (i.e. they won’t see Project 3 as it is not added under the ‘Read Only’ role).
Given below is the table of operations user A can and can’t perform as per the ‘Read Only’ role settings.
| User A Can | User A Can’t |
|---|---|
| View only project 1 and Project 2 in the Projects dashboard | Modify project 1 or Project 2 |
| View the Workflows and Flow services created under Project 1 and Project 2. | Create, update, delete, or execute any of the Workflows or Flow services in Project 1 and Project 2. |
| View the project APIs (REST and SOAP) and connectors (predefined, REST, SOAP, on-premises, and flat file) created in Project 1 and Project 2. | Create, update, delete, or execute any of the APIs (REST and SOAP) and connectors (predefined, REST, SOAP, on-premises, and flat file) in Project 1 and Project 2. |
Write
When you grant the ‘Write’ permission for a project, the ‘Read’ and ‘Execute’ permissions too are granted by default. Because of this, the ‘Write’ permission allows users to read, create, update, delete, and execute all assets of the assigned project.
Example
Let’s say Tenant Demo has 3 projects: Project 1, Project 2, and Project 3. The tenant admin created a ‘Write’ custom role with the ‘Write’ permission for Project 3 . As per the default settings, the ‘Read’ and ‘Execute’ permissions too are added for the ‘Write’ role automatically.
When User B is assigned the ‘Write’ role, they can view only Project 3 in the Projects dashboard (i.e. they won’t see Project 1 and Project 2 as they are not added under the ‘Write’ role).
Given below is the table of operations user B can and can’t perform as per the ‘Write’ role settings.
| User B Can | User B Can’t |
|---|---|
| View and edit only Project 3 in the Projects dashboard | Note
Since the ‘Write’ permission by default adds ‘Read’ and ‘Execute’ permissions, users can perform all operations in the assigned project.
|
| View, create, update, delete, and execute the Workflows and Flow services in Project 3. | |
| View, create, update, delete, and execute the APIs (REST and SOAP) and connectors (predefined, REST, SOAP, on-premises, and flat file) in project 3. |
Note
- You can optionally deselect the checkbox for ‘Execute’ permission after adding the ‘Write’ permission.
If you do so, you won’t be able to execute any of the project Workflows, Flow services, APIs, or Connectors available under that project. - You cannot manually remove the ‘Read’ permission from a project as long as the ‘Write’ permission stays assigned to it.
Execute
The execute permission allows users to only execute the Workflows, Flow services, and APIs available in the assigned project. However, users can’t view or modify the assigned project or project assets.
Example
Let’s say Tenant Demo has 3 projects: Project 1, Project 2, and Project 3. The tenant admin created a ‘Execute Only’ custom role with the ‘Execute’ permission for Project 2.
When User C is assigned the ‘Execute Only’ role, they can’t view Project 1 and Project 2 (since they are not added under the role) and project 3 (since they don’t have the ‘Read’ permission for that project) in the Projects dashboard. They can only execute the Workflows, Flow services, and APIs available under project 3.
Given below is the table of operations user C can and can’t perform as per the ‘Execute Only’ role settings.
| User C Can | User C Can’t |
|---|---|
| Execute workflows in Project 2 only via webhook | View any projects in the Projects dashboard |
| Execute Flow services in Project 2 only via HTTP | |
| Execute project APIs (REST and SOAP) in Project 2 |
Note
- The default project will always be accessible to only those users who have read and write permissions.
- If users have the 'Read' permission along with the 'Execute' permission for a project, only then can they manually execute Workflows or Flow services under that project.
Editing or deleting custom roles
You can also edit or delete a custom role. To do so, navigate to the tenant profile icon > User Management > Roles.
You will see a list of existing roles associated with your tenant. Locate the custom role you want to edit/delete. You will see two options, Edit and Delete, using which you can modify the custom role or delete it.
User Management
UsersAdding usersDeleting usersEditing user rolesIBM webMethods Integration allows you to view users for a tenant, create, edit, and remove user roles, set project permissions (Read, Write, Execute) for a role, and remove users if you have the required permissions. To do these tasks, log in to your tenant, click on the tenant profile icon located at the upper-right corner of the home screen, and select User Management.
Note
- The User Management option is available only if you have the Cloud-Tenant-Administrator role assigned to you in IBM webMethods iPaaS.
- You can remove users in IBM webMethods Integration only if you are a tenant Owner.
Users
To view the list of existing users in IBM webMethods Integration, go to the tenant profile icon > User Management > Users. On the Users screen, you can view existing users along with the assigned roles. Only the tenant Owner and Admin has access to this screen.
Adding users
Do the following to add new users to access your tenant:
Log in to IBM webMethods Integration, click the App Switcher (bento menu) icon, and select IBM webMethods iPaaS.
You will be redirected to the IBM webMethods iPaaS screen. From the menu bar, select Administration.
On the Users screen, click Add user to add a new user to your tenant.
Fill in the required information of the user you want to add and click Save. Note that the newly created user will be associated with the Developer role in IBM webMethods Integration if you select the webMethodsioIntegration-User role in IBM webMethods iPaaS while creating the user, or the Developer, Admin role in IBM webMethods Integration if you select the Cloud-Tenant-Administrator role in IBM webMethods iPaaS.
NoteAny time stamp displayed in IBM webMethods Integration is based on the user’s registered time zone specified in IBM webMethods iPaaS. Not all the time zones in IBM webMethods iPaaS are supported in IBM webMethods Integration. If a time zone in IBM webMethods iPaaS is not supported, then the time stamp in IBM webMethods Integration defaults to the Pacific Standard Time (PST) time zone.After you save the user details in IBM webMethods iPaaS, the new user will receive an email to update the login password. Once the user updates the password to activate the account, and logs in using the IBM webMethods iPaaS login page, the user will be created in IBM webMethods Integration.
As soon as the user logs in to IBM webMethods Integration, the user’s name will be added to the list of users under the Users tab. If the user has Admin permissions (Cloud-Tenant-Administrator), the user can change the role to allow or restrict access to specific projects in IBM webMethods Integration. Note that you can remove users in IBM webMethods Integration only if you are a tenant Owner. (
)
Further, if you have created User U1 in IBM webMethods iPaaS, the first time U1 logs in to IBM webMethods Integration, user U1 will be created in IBM webMethods Integration. Now if U1 is removed from IBM webMethods iPaaS but exists in IBM webMethods Integration, U1 will not be able to log in to IBM webMethods Integration. If U1 is removed from IBM webMethods Integration but exists in IBM webMethods iPaaS, U1 will be created in IBM webMethods Integration when the user again logs in to IBM webMethods Integration.
Note
- A new user is created in IBM webMethods Integration when the user logs in for the first time using the IBM webMethods iPaaS login page. Roles associated with the user are synchronized during the first-time login to IBM webMethods Integration.
- To use public APIs, you must:
- Be registered under IBM webMethods iPaaS.
- Log in at least once to your IBM webMethods Integration tenant.
- Use basic authentication (login credentials). SSO authentication is not supported for public APIs.
Deleting users
You can delete users in IBM webMethods Integration only if you are a tenant Owner. The delete icon is not available for other roles.
Further, you can delete users from IBM webMethods iPaaS only if you have the Admin role. After you delete a user in IBM webMethods iPaaS, you have to delete the user in IBM webMethods Integration.
To delete users, click the delete icon 
provided against the name of the user.
Note
On deleting a user, the user is deleted immediately. However, it takes some time for the changes to be reflected in the user interface.
Editing user roles
If you have Admin permissions, you can change the current role assigned to a specific user. To do so, click on the Edit icon provided against the name of the user and then assign roles in the Edit User > Roles window.
After you have made the relevant changes, click Save. This will change the role assigned to the user.