What security settings should be given to restrict support users to access only the process instance but should not have any access to the main object itself ?
Discussion posts and replies are publicly visible
Does this answer your questions:
docs.appian.com/.../process-model-object.html
So according to my understanding going through documentation, for a user (Support user) to have permission to a process model instance but only read only access to that process model object,
A user should be added to "Designer Role" but not in the "Process model creator" system groups so that the user will not have provision to design or modify a process model object but still can view the process instance in monitoring with adminstrator permission
Please correct me if I misunderstood anything here for the scenario
This sounds reasonable, but I highly recommend to test and validate this assumption.
Thanks , will try to validate this configuration
When you add a user to the 'Designers' group, the user may get access to logs, etc. Also, check the dependents of the 'Designers' group to see what access the user will get when they are added to the Designers group.
And for a general approach to PROD support, read this: appian.rocks/.../
Does this level of permission allow prod support users to alter a running process instance in Edit mode?
I would assume Designers + Viewers group on the Process Model itself for the ability to view Process Instances.
Removing them from Process Model Creators should remove the ability to create new Processes.