How can I create users in JBPM RHPAM via an API or programmatically, in sync with my own application?
Got it, let's tackle this problem—since you're running a local RHPAM Business-Central and need to auto-create JBPM users when your app's users register, here are three reliable approaches based on common RHPAM setups:
1. Use WildFly Management API (For Default Elytron Security)
RHPAM Business-Central runs on WildFly, and by default, it uses Elytron for identity management. You can call WildFly's admin API to create users directly in the application realm.
Steps:
- Ensure WildFly's management interface is accessible (default address: http://localhost:9990/management)
- Use your WildFly admin credentials (default is `admin/admin` unless you changed it) to authenticate
- Send a POST request to add the user, including required groups/roles for JBPM task access
Example Curl Command:
```bash
curl -u admin:admin -H "Content-Type: application/json" -X POST \
  -d '{
    "operation": "add",
    "address": [
      {"subsystem": "elytron"},
      {"identity-realm": "ApplicationRealm"},
      {"user": "new-jbpm-user"}
    ],
    "parameters": {
      "password": "user123",
      "groups": ["jbpm-users", "kie-server"]
    }
  }' \
  http://localhost:9990/management
```
Notes:
- Adjust the `groups` array to match the roles your users need (e.g., `task-admin` for full task access, `task-viewer` for read-only access)
- If your RHPAM uses the legacy PicketBox security subsystem, replace the `address` path with `["subsystem" => "security", "security-domain" => "other", "user" => "new-jbpm-user"]`
2. Call Keycloak Admin API (For Production-Grade Identity Management)
If you've integrated RHPAM with Keycloak (the recommended setup for production), you can directly create users in Keycloak—JBPM will automatically sync these users for task access.
Steps:
- Get a valid access token from Keycloak using an admin client
- Use the token to call Keycloak's user creation endpoint, adding the user to your RHPAM realm
- Assign groups/roles that grant JBPM task permissions
Example Curl Commands:
First, fetch the access token:
```bash
curl -X POST "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=admin-cli" \
  -d "client_secret=YOUR_ADMIN_CLI_SECRET"
```
Then create the user (the Admin REST API lives under `/admin/realms/...`, not `/realms/...`):
```bash
curl -X POST "http://localhost:8080/auth/admin/realms/YOUR_RHPAM_REALM/users" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "new-app-user",
    "enabled": true,
    "credentials": [{"type": "password", "value": "user123", "temporary": false}],
    "groups": ["jbpm-users"]
  }'
```
Notes:
- Replace `YOUR_RHPAM_REALM` and `YOUR_ADMIN_CLI_SECRET` with your actual Keycloak configuration
- The `jbpm-users` group is typically required for users to access JBPM tasks; adjust based on your role setup in Business-Central
3. Use JBPM Java API (For Java Apps Integrated With JBPM)
If your registration app is a Java application already integrated with JBPM's runtime, you can use the built-in UserGroupManager API to create users directly.
Example Java Code:
```java
import org.kie.api.task.UserGroupManager;
import org.kie.internal.runtime.manager.RuntimeManager;
import org.kie.internal.runtime.manager.RuntimeManagerFactory;

// Initialize the RuntimeManager (point to your JBPM KJAR or runtime configuration)
RuntimeManager runtimeManager = RuntimeManagerFactory.Factory.get()
        .newSingletonRuntimeManager("classpath:/META-INF/kmodule.xml");

// Get the UserGroupManager from the runtime environment
UserGroupManager userGroupManager = runtimeManager.getEnvironment()
        .get(UserGroupManager.class);

// Create the user with required groups
userGroupManager.createUser("new-jbpm-user", "user123",
        new String[]{"jbpm-users", "task-viewer"}, new String[]{});

// Clean up the runtime manager when done
runtimeManager.close();
```
Notes:
- This requires your app to have JBPM runtime dependencies (e.g., `org.jbpm:jbpm-runtime-manager` in your pom.xml)
- Ensure the runtime environment is configured to connect to your local RHPAM instance if running remotely
Final Tip:
After creating the user, verify they can log into Business-Central and access tasks by assigning them to a test task. This will confirm you've assigned the correct groups/roles.
This question originally appeared on Stack Exchange; its author is S.R.
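The Keycloak route in approach 2 is the one most registration back-ends actually script, so here is the same two-step exchange (token, then user creation) as a runnable Python client. This is an added example, not code from the answer above or from the Keycloak or RHPAM projects. It assumes Keycloak on `http://localhost:8080/auth` (the legacy `/auth` context path used in the answer), a confidential client named `user-sync` whose service account holds the `manage-users` realm-management role, a realm named `rhpam` and an existing group `jbpm-users`; the client secret is read from the `USER_SYNC_SECRET` environment variable rather than typed on a command line. The HTTP transport is injected as a `send` callable so the flow can be exercised against canned responses offline; `urllib_send` is the real one.

```python
"""Create an RHPAM user in Keycloak through the Admin REST API.

Added example (not from the original answer). Assumed setup: Keycloak at
http://localhost:8080/auth, confidential client "user-sync" with the
manage-users role, realm "rhpam", existing group "jbpm-users".
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "http://localhost:8080/auth"  # assumed; drop /auth on newer Keycloak


def build_token_request(base, client_id, client_secret):
    """Client-credentials grant against the master realm (admin operations)."""
    url = f"{base}/realms/master/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def build_create_user_request(base, realm, token, username, password, groups,
                              temporary=True):
    """POST /admin/realms/{realm}/users -- note the /admin/ path segment."""
    url = f"{base}/admin/realms/{urllib.parse.quote(realm)}/users"
    payload = {
        "username": username,
        "enabled": True,
        # temporary=True makes Keycloak force a password change at first login
        "credentials": [{"type": "password", "value": password,
                         "temporary": temporary}],
        "groups": list(groups),
    }
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps(payload).encode()


def create_jbpm_user(send, base, realm, client_id, client_secret,
                     username, password, groups=("jbpm-users",)):
    """Run the two-step exchange.  `send(method, url, headers, body)` must
    return (status, response_headers, response_body); it is injected so the
    flow can be tested without a live server."""
    status, _, body = send("POST", *build_token_request(base, client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(body)["access_token"]

    status, resp_headers, body = send(
        "POST", *build_create_user_request(base, realm, token, username, password, groups))
    if status == 201:
        # Keycloak returns the new user's URL in the Location header
        return {"result": "created", "location": resp_headers.get("Location")}
    if status == 409:
        # Username already taken: treat as idempotent success for a sync job
        return {"result": "exists", "location": None}
    raise RuntimeError(f"user creation failed with HTTP {status}: {body[:200]!r}")


def urllib_send(method, url, headers, body):
    """Real transport on urllib; returns the same triple the tests fake."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


if __name__ == "__main__":
    # Secret comes from the environment so it never lands in shell history
    print(create_jbpm_user(urllib_send, KEYCLOAK_BASE, "rhpam",
                           "user-sync", os.environ["USER_SYNC_SECRET"],
                           "new-app-user", "S3cret-change-me"))
```

Two points worth keeping when you adapt this: a 409 from the users endpoint means the username (or e-mail) is already taken, which a registration hook should treat as "already synced" rather than a failure, and the `Location` header on a 201 is the only place Keycloak returns the new user's id, which you need if you later assign roles or reset the password via the API.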