Business Transaction Management System Security

This section provides information to help you administer Business Transaction Management system security and includes the following subsections:

Authentication and Role Mapping

Business Transaction Management relies on the application server in which it is deployed for authentication of users. By default, authentication is enabled for the Management Console. To disable authentication, use whatever tool or procedure is appropriate for the application server you are using.


In order to log into the Management Console, you must use credentials that are mapped to at least one of these Business Transaction Management user roles: btmAdmin, btmUser, or btmObserver.

If you disable authentication, users of the Management Console must still log in. However, they can log in using any user name and are not required to provide a password. Note that all UI personalizations, such as edits to the Navigator, filters, and column sets are stored as preferences and associated with the user name.

This topic describes how the supported application servers authenticate users and map them to Business Transaction Management application roles.

Summary of Initial Application Role Mapping

Business Transaction Management Role WebLogic Group WebSphere Group
btmAdmin WebLogic Administrators Administrators (Windows)

adm, sys, bin (Unix-like systems)

btmUser WebLogic Operators & Monitors All authenticated users
btmObserver Everyone All authenticated users

(Note that the role name is singular while the group name is plural.)

btmInspectors btmInspectors


The role btmInspector is, by default, mapped to a group named btmInspectors, but the application server administrator must create a group named btmInspectors and assign it to the appropriate users.


Business Transaction Management applications rely on the WebLogic container for authentication and association of roles with users.


If you installed Business Transaction Management into a WebSphere container, the WebSphere server authenticates users and maps roles to groups. Note that the initial mappings assume that WebSphere security is configured to use Local OS Registry. If you are using a different security setup, you may have to remap users/groups based on your authentication domain settings. You can change these mappings in the WebSphere Administrative Console, on the "Mapping Users to Roles" page. If you change the mappings, you should change them for all Business Transaction Management applications. The names of all these applications (EAR files) begin with the string "btm".

Business Transaction Management Application User Roles

Business Transaction Management uses roles to authorize access to various parts of the user interface.

Primary Roles

Each user must be assigned at least one primary role. The primary roles are:

btmAdmin – users with this role are granted all privileges. These users can use all tools and facilities provided by the Business Transaction Management Console, including the ability to view and create sensitive properties and to view all message content.

btmUser – users with this role have most privileges needed to configure basic monitoring. For example, they can configure monitors; create, edit, and delete policies (does not include system policies); register services; set registry attributes on services and endpoints; and create and edit transactions and conditions. They also have all the privileges of btmObserver. This role does not grant the privilege to modify the Business Transaction Management environment, access message content, or view or edit sensitive properties.

btmObserver – users with this role have privileges to use most of the basic monitoring facilities. They can view summary, dependency, and administrative information about the monitoring system, but are not allowed to configure any of the policies or settings related to it. They can also view transactions and conditions, but are not allowed to create or edit them. This role does not allow users to modify the Business Transaction Management environment, access message content, or view or edit sensitive properties.


All navigation and views in the Management Console are available to all primary roles. However, some roles cannot access certain menus and menu items and the tools associated with them.

Auxiliary Role

In addition to the primary roles, Business Transaction Management defines an auxiliary role. The auxiliary role provides additional privileges that you might want to assign certain users. For example, you might want to let a user access message content but not want to give that user full administrative privileges. You could do this by assigning the user a primary role of btmUser and an auxiliary role of btmInspector. The auxiliary role is:

btmInspector – users with this role can view message content and view and create properties, including sensitive properties.


The btmAdmin role has all of the privileges of btmInspector.