Digital Business Automation Ideas


This is an IBM Automation portal for Digital Business Automation products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for, post a new idea.

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Please use the following categories to raise ideas for these offerings in all environments (traditional on premises, containers, on cloud):
  • Cloud Pak for Business Automation - including Business Automation Studio and App Designer, Business Automation Insights

  • Business Automation Workflow (BAW) - including BAW, Business Process Manager, Workstream Services, Business Performance Center, Advanced Case Management

  • Content Services - FileNet Content Manager

  • Content Services - Content Manager OnDemand

  • Content Services - Daeja Virtual Viewer

  • Content Services - Navigator

  • Content Services - Content Collector for Email, Sharepoint, Files

  • Content Services - Content Collector for SAP

  • Content Services - Enterprise Records

  • Content Services - Content Manager (CM8)

  • Datacap

  • Automation Document Processing

  • Automation Decision Services (ADS)

  • Operational Decision Manager

  • Robotic Process Automation

  • Robotic Process Automation with Automation Anywhere

  • Blueworks Live

  • Business Automation Manager Open Edition

  • IBM Process Mining


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Status: Under review
Created by: Guest
Created on: Jun 13, 2024

ODM Helm deployments in OpenShift - related to security requirements for handling passwords and secrets.

The main issue is how passwords/secrets are managed within ODM Helm chart deployments in OpenShift.

Since unencrypted (i.e. cleartext) passwords cannot be used due to your security requirements, CyberArk is being used as a credential vault to manage IAM resources at USAA across the enterprise and avoid the usage of cleartext passwords anywhere.

However, this still presents a deployment issue whenever passwords need to be changed or rotated on a recurring basis, as the ODM deployments in OpenShift require an update or redeployment if a password has changed, due to the secrets becoming invalid.

1) The main pain point with this approach is that USAA is not able to rely on the standard Kubernetes replicaSet for the rollout of the updated credentials (such as the SQL Server database password) without having some downtime in the pods due to their custom process. This causes a temporary outage for the ODM users, and the business impact is substantial for your critical lines of business.

2) Another, less critical security issue than the first is the inability of the Decision Center Business and RES Consoles to directly support unencrypted passwords for some of the functions.

Within Decision Center Administration --> Servers tab, a list of servers is maintained for the various RES and Decision Runner URLs, which require service accounts and credentials. These resources do not easily support seamless integration with the CyberArk vault.

This does not incur an outage at the pod level, but it is a maintenance challenge for the support teams whenever a password is changed or rotated.

Idea priority: High

Comment by Guest, Jun 13, 2024:

Adding additional customer input, which seems to be missing from the initial submission:

Issue #1. The only thing I will add is that addressing secrets, depending on the solution, can be considered separate from ODM not supporting password vaults. Also, from an operational perspective, while both Decision Center and RES are impacted by these problems, the RES is higher priority because we can allow downtime on release of Decision Center. For our RES we cannot have any downtime during a release.

Just for additional context, USAA infrastructure utilizes aliases that map to two service accounts, so that it is possible to rotate service accounts as needed for maintenance, along with a security requirement for periodic password rotation of our service accounts. We have created a custom solution that, from the alias, retrieves one of the service accounts and its respective password and sets the secret as part of the Helm deployment. The issue comes with service account and password rotations, or whenever we are doing a deployment that requires any change to the secrets.

While we continue to try to build custom workarounds internally at USAA, this comes with the overhead of maintenance, along with the fact that these custom solutions usually break on upgrades, which delays our ability to move to newer versions.

As for issue #2, some clarification. We are unable to inject (like we do for the LDAP sync) or utilize OpenShift secrets for the service account/password for ONLY Decision Center "Test and Simulation Execution" and "Decision Service Execution". We have a solution for RES and the rest of the URLs in Decision Center.

To work around this issue, we have an "unmanaged" service account and password (which is to say a person knows the password and manually enters it). However, this is only allowed for a year before we get push back on this.

I appreciate your time and attention to these issues.

Amanda Videtich @USAA
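The two behaviours the idea and the comment describe, as an added illustration that is not ODM code, not the IBM Helm chart, and not USAA's custom solution: a credential that is copied once at container start (the way a Secret injected as environment variables behaves) becomes invalid the moment the vault rotates the database password, while a credential that is re-read from a volume-mounted Secret on every connection, combined with the alias-to-two-service-accounts pattern the comment mentions, keeps connecting through the rotation without a pod restart. The file names (`odm-db.0.user`, `odm-db.0.password`, ...), the account names `svc_odm_a`/`svc_odm_b`, the passwords and the `FakeSqlServer` stand-in are all constructed for the example; a temporary directory plays the role of the kubelet-managed mount path, including the lag before the kubelet rewrites the files after the Secret object changes.

```python
"""Added illustration of rotation-tolerant credential handling (hypothetical, not ODM code)."""
import tempfile
from pathlib import Path


class FakeSqlServer:
    """Constructed stand-in for the SQL Server database: one current password per account."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)

    def rotate(self, account, new_password):
        self.passwords[account] = new_password

    def connect(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError(f"login failed for {user}")
        return f"session:{user}"


def write_secret(mount_path, alias, accounts):
    """Simulates the kubelet (re)writing each Secret key as a file under the mount path."""
    for idx, (user, password) in enumerate(accounts):
        (Path(mount_path) / f"{alias}.{idx}.user").write_text(user)
        (Path(mount_path) / f"{alias}.{idx}.password").write_text(password)


class FrozenCredentials:
    """Mimics a Secret injected as environment variables: the value is captured once at
    container start and cannot change until the pod is recreated (the outage the idea describes)."""

    def __init__(self, mount_path, alias):
        p = Path(mount_path)
        self.user = (p / f"{alias}.0.user").read_text().strip()
        self.password = (p / f"{alias}.0.password").read_text().strip()

    def connect(self, db):
        return db.connect(self.user, self.password)


class AliasCredentials:
    """Mimics a volume-mounted Secret plus an alias that maps to two service accounts:
    files are re-read on every connect, and a login failure on the active account falls
    back to the other one, so rotating one account never needs a pod restart."""

    def __init__(self, mount_path, alias):
        self.mount_path = Path(mount_path)
        self.alias = alias
        self.active = 0  # index of the account that last worked

    def _read(self, idx, key):
        return (self.mount_path / f"{self.alias}.{idx}.{key}").read_text().strip()

    def connect(self, db):
        for attempt in range(2):
            idx = (self.active + attempt) % 2
            try:
                session = db.connect(self._read(idx, "user"), self._read(idx, "password"))
            except PermissionError:
                continue  # stale or rotated password: try the other account behind the alias
            self.active = idx
            return session
        raise PermissionError(f"both accounts behind alias {self.alias} rejected")


def try_connect(provider, db):
    """Returns the session name, or 'login failed' when the credential is no longer valid."""
    try:
        return provider.connect(db)
    except PermissionError:
        return "login failed"


def run_scenario():
    """Walks one rotation cycle; returns (step, env-style result, alias+volume result) per step."""
    events = []
    with tempfile.TemporaryDirectory() as mount:
        db = FakeSqlServer({"svc_odm_a": "a-1", "svc_odm_b": "b-1"})
        write_secret(mount, "odm-db", [("svc_odm_a", "a-1"), ("svc_odm_b", "b-1")])
        frozen = FrozenCredentials(mount, "odm-db")
        alias = AliasCredentials(mount, "odm-db")
        events.append(("initial", try_connect(frozen, db), try_connect(alias, db)))

        # The vault rotates account A in the database, but the mounted Secret has not been
        # refreshed yet (kubelet sync lag): the files still contain "a-1".
        db.rotate("svc_odm_a", "a-2")
        events.append(("after rotate A", try_connect(frozen, db), try_connect(alias, db)))

        # The Secret catches up with A's new password; then B is rotated and refreshed too.
        write_secret(mount, "odm-db", [("svc_odm_a", "a-2"), ("svc_odm_b", "b-1")])
        db.rotate("svc_odm_b", "b-2")
        write_secret(mount, "odm-db", [("svc_odm_a", "a-2"), ("svc_odm_b", "b-2")])
        events.append(("after rotate B", try_connect(frozen, db), try_connect(alias, db)))
    return events


if __name__ == "__main__":
    for step, frozen_result, alias_result in run_scenario():
        print(f"{step:15} env-style: {frozen_result:18} alias+volume: {alias_result}")
```

The point of the fallback is the sync lag: right after the vault rotates account A, the mounted file may still hold the old password, and the only credential that is guaranteed valid at that instant is the other account behind the alias. Whether an application can exploit this depends on it re-reading the secret at connection time rather than at startup, which is exactly the capability the idea asks ODM to provide.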