Is it possible to create an L2 support group for an application with a process monitoring view but without giving them designer access?
The main objective is to monitor the process instances and, in case of failure, do basic analysis and report to L3.
Process monitoring can only be done from the designer. But you can restrict this in a way that L2 cannot make any changes.
Thanks Stefan, yes we can restrict them from making any changes but with designer access L2 can create objects outside the application and project management does not want this.
I don't think there is a way to achieve it. You can restrict creation of process models but not any other object.
Some of my clients are in a highly regulated market. The process that we successfully implemented works like this.
Each application has a group "Application Support". This group is a member of the "Alert Receivers" group which is used to send process alerts to. The operations people are members of this group.
The "Application Support" group has access only to a separate UI from which they can start a support process. This support process adds that user temporarily to the group "Active Supporter", which allows access to the designer to monitor and fix process issues. After some minutes or hours, that user is automatically removed from that group. All this is persisted to an audit trail and includes an approval step.
This can easily be implemented, was accepted by security and made the ops people happy.
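The time-boxed elevation flow described in the post above, sketched as an added example (not code from the thread or from the platform). The class and method names are hypothetical, state is held in memory instead of calling a real group API, and the rule that a requester cannot approve their own request is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Added example: hypothetical in-memory model; group names are taken from the post.
SUPPORT, ELEVATED = "Application Support", "Active Supporter"

@dataclass
class JitAccess:
    members: dict = field(default_factory=lambda: {SUPPORT: set(), ELEVATED: set()})
    pending: dict = field(default_factory=dict)  # user -> (reason, duration)
    expiry: dict = field(default_factory=dict)   # user -> time the grant ends
    audit: list = field(default_factory=list)    # append-only audit trail

    def _log(self, now, event, user, actor, detail):
        self.audit.append((now.isoformat(), event, user, actor, detail))

    def request(self, user, reason, duration, now):
        ok = user in self.members[SUPPORT]  # only support staff may ask
        if ok:
            self.pending[user] = (reason, duration)
        self._log(now, "REQUESTED" if ok else "REQUEST_DENIED", user, user, reason)
        return ok

    def approve(self, user, approver, now):
        # Assumption: the approver must differ from the requester.
        if user not in self.pending or approver == user:
            self._log(now, "APPROVAL_REJECTED", user, approver, "no request or self-approval")
            return False
        reason, duration = self.pending.pop(user)
        self.members[ELEVATED].add(user)
        self.expiry[user] = now + duration
        self._log(now, "GRANTED", user, approver, reason)
        return True

    def can_use_designer(self, user, now):  # fails closed if the sweep runs late
        return user in self.members[ELEVATED] and self.expiry.get(user, now) > now

    def sweep(self, now):  # scheduled job: drop members whose time box elapsed
        expired = sorted(u for u, end in self.expiry.items() if end <= now)
        for user in expired:
            self.members[ELEVATED].discard(user)
            del self.expiry[user]
            self._log(now, "REVOKED", user, "system", "time box elapsed")
        return expired

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    jit = JitAccess(members={SUPPORT: {"ops1"}, ELEVATED: set()})
    jit.request("ops1", "failed instance", timedelta(hours=1), t0)
    jit.approve("ops1", "lead1", t0)
    print(jit.can_use_designer("ops1", t0 + timedelta(minutes=30)), jit.sweep(t0 + timedelta(hours=2)))
```

Checking the expiry inside `can_use_designer` as well as in the sweep means a delayed scheduler cannot extend a grant past its approved window.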
Hi, thanks for the detailed answer. What is the best way to secure the UAT environment from developer access? Developers can monitor process instances of their application but should not be able to edit anything in UAT.
Deploying application/package/plugins from UAT to PROD.
Creation of new users and adding them in respective groups in UAT.
Editing of process instance in monitoring mode in UAT.
I think the cleanest way of doing this is to introduce separate groups for each environment and assign these groups the respective object security roles. Then remove any DEVs from their developer groups and put them in the new groups on UAT.
But I suggest another option. As any change to code should always originate from DEV, why not just forward the package created on DEV -> UAT -> PROD. This way, you can make sure that nothing has been changed.
Hi,
I think my requirement is not clear. I wanted to ask, I want developers to have "basic user" in UAT, but they can view the process instances of their OWN application, but should not be able to edit anything. They should be able to do the following things as well:
I understand adding them to the Designer group makes a few things possible. But the Designer group also enables them to edit process models in UAT. How can I ensure they are not able to edit anything in UAT?
Swati Sharda You can use the modify process security smart service to change the process instance security and give permission to the user who does not have edit access to that process model.
Creation of new users and adding them in respective groups in UAT. - This can be achieved by creating a process model to add the user to the respective group.
I think this specific combination of requirements is not easily possible. That's why I made that suggestion.
If you want to deploy applications from UAT to Production without access to the environment, I would suggest looking into the deployment API.
Creating users could be managed via a dedicated app.
Editing of process instances without admin is not possible AFAIK. You can update PVs as an editor, but that's pretty restrictive.