Creation of support group with view access and monitoring view without designer role

Is it possible to create an L2 support group for an application with process monitoring view but without giving them designer access?

The main objective is to monitor the process instances and, in case of failure, do basic analysis and report to L3.

  • 0
    Certified Lead Developer

    Process monitoring can only be done from the designer. But you can restrict this in a way that L2 cannot make any changes.

  • Thanks Stefan, yes we can restrict them from making any changes but with designer access L2 can create objects outside the application and project management does not want this.

  • 0
    Certified Lead Developer
    in reply to rajeshciti

    I don't think there is a way to achieve it. You can restrict creation of process models but not any other object. 

  • 0
    Certified Lead Developer
    in reply to rajeshciti

    Some of my clients are in a highly regulated market. The process that we successfully implemented works like this.

    Each application has a group "Application Support". This group is a member of the "Alert Receivers" group which is used to send process alerts to. The operations people are members of this group.

    The "Application Support" group has access only to a separate UI from which they can start a support process. This support process adds that user temporarily to the group "Active Supporter", which allows them to access the designer and to monitor and fix process issues. After some minutes or hours, that user is automatically removed from that group. All this is persisted to an audit trail and includes an approval step.

    This can easily be implemented, was accepted by security and made the ops people happy.
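
The temporary-membership process described in the post above, modelled as an added Python example that is not part of the original post and is not Appian code. The class name, the approver list, the 4-hour cap and the user names are assumptions made for illustration; only the two group names come from the post.

```python
from datetime import datetime, timedelta

SUPPORT_GROUP = "Application Support"   # group names taken from the post
ELEVATED_GROUP = "Active Supporter"
MAX_TTL = timedelta(hours=4)            # assumed upper bound on one grant


class SupportElevation:
    def __init__(self, support_members, approvers):
        self.groups = {SUPPORT_GROUP: set(support_members), ELEVATED_GROUP: set()}
        self.approvers = set(approvers)
        self.expiry = {}   # user -> datetime when the grant ends
        self.audit = []    # append-only trail of (time, event, user, detail)

    def _log(self, now, event, user, detail):
        self.audit.append((now.isoformat(), event, user, detail))

    def request(self, user, approver, reason, ttl, now):
        if user not in self.groups[SUPPORT_GROUP]:
            denial = "not in " + SUPPORT_GROUP
        elif approver not in self.approvers or approver == user:
            denial = "no independent approver"
        elif not reason.strip() or not timedelta(0) < ttl <= MAX_TTL:
            denial = "missing reason or invalid duration"
        else:
            self.groups[ELEVATED_GROUP].add(user)
            self.expiry[user] = now + ttl
            self._log(now, "GRANTED", user, f"approver={approver}; reason={reason}")
            return True
        self._log(now, "DENIED", user, denial)
        return False

    def sweep(self, now):  # timer job: drop every member whose grant ran out
        expired = sorted(u for u, end in self.expiry.items() if end <= now)
        for user in expired:
            self.groups[ELEVATED_GROUP].discard(user)
            del self.expiry[user]
            self._log(now, "REVOKED", user, "grant expired")
        return expired

    def is_elevated(self, user, now):
        # Re-check expiry at decision time so a late sweep cannot extend access.
        return user in self.groups[ELEVATED_GROUP] and self.expiry[user] > now


def demo():  # constructed scenario: one approved 30-minute grant
    t0 = datetime(2024, 1, 1, 9, 0)
    s = SupportElevation({"ops1"}, {"lead1"})
    s.request("ops1", "lead1", "stuck instance", timedelta(minutes=30), t0)
    return s.is_elevated("ops1", t0 + timedelta(minutes=10)), s.sweep(t0 + timedelta(hours=1))
```

Denied requests are written to the same trail as grants and revocations, so a reviewer sees attempted elevations as well as successful ones.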

  • 0
    Certified Senior Developer
    in reply to Stefan Helzle

    Hi, thanks for the detailed answer. What is the best way to secure the UAT environment from developer access? Developers can monitor process instances of their application but should not be able to edit anything in UAT.

    Deploying application/package/plugins from UAT to PROD.

    Creation of new users and adding them in respective groups in UAT.

    Editing of process instance in monitoring mode in UAT.

  • 0
    Certified Lead Developer
    in reply to Swati Sharda

    I think the cleanest way of doing this is to introduce separate groups for each environment and assign these groups the respective object security roles. Then remove any DEVs from their developer groups and put them in the new groups on UAT.

    But I suggest another option. As any change to code should always originate from DEV, why not just forward the package created on DEV -> UAT -> PROD? This way, you can make sure that nothing has been changed.

  • 0
    Certified Senior Developer
    in reply to Stefan Helzle

    Hi,

    I think my requirement is not clear. I wanted to ask: I want developers to have "basic user" in UAT, but they can view the process instances of their OWN application, but should not be able to edit anything. They should be able to do the following things as well:

    Deploying application/package/plugins from UAT to PROD.

    Creation of new users and adding them in respective groups in UAT.

    Editing of process instance in monitoring mode in UAT.

    I understand adding them to the Designer group makes a few things possible. But the Designer group also enables them to edit process models in UAT. How can I ensure they should not be able to edit anything in UAT?
