How can we easily remove the Designer portal for production system hardening? T

How can we easily remove the Designer portal for production system hardening? This is an audit requirement that the Designer portal should be "switched-off" by default. When there is a need to perform those Administration tasks like Application import etc, the system administrator can reactivate it or restore it back....

OriginalPostID-69338

OriginalPostID-69338

  Discussion posts and replies are publicly visible

  • Appian already has an extra layer of security to block the access to the Designer portal to every user that is not part of the "Designers" group nor a System Administrator. This would be the best way to go (the one that doesn't require touching base product files which is not a best practice)
  • Thanks Eduardo. That will do normally. However, this situation is a PCI usage and my client got an internal control policy that they need to be 100% on top of their environment. They need to monitor every activity that the Appian administrator may do such as adding/removing and granting permission to users. I am not sure if Appian will log each of this activity. Otherwise, we can disable the Designer access entirely and the administrator has to apply for the activation by changing a config file or something which will always trigger the system monitoring team as they got a tool to monitor file changes in the file system. Any suggestion?
  • You could "disable" it at the web server level, for instance, in Apache you would be created a rewrite rule to prevent users from accessing requests of type /designer.

    Another option would be a servlet filter plug-in. I actually have one that I created for a different requirement but that can work for yours as well: forum.appian.com/.../84700

    The way it works is:

    1. You create a group, let's say "Custom Designers Group" (this name can be any name)

    2. You need to have a constant called CUSTOM_DESIGNERS_GROUP (the constant has to match this exact name per the servlet filter's code) that will point to the group from step #1

    3. You deploy the servlet filter plug-in

    4. Only the "Administrator" account and members of "Custom Designers Group" will have access to /suite/designer/*. The main difference with the Designers group is that even if the account is a system administrator or part of the Designers group, if his username is not the word "Administrator" or he doesn't belong to "Custom Designers Group" then he will have no access to /suite/designer.

    5. If a user needs to access the Designer portal then you can login using the "Administrator" username and add him/her to this custom group or simply uninstall the plug-in.

    The JAR comes with the source code so you can modify it and adjust it to your needs.
  • Thx. Anyway to log the maintenance activities of that user group membership change? It can be written via log4j. Since Adminstrator can still possibly do something behind the scene, it is better off to log its activities on Designer whenever possible. We understand the implication of customisation on future appian upgrade but the securiy control is the no. 1 priority in this environment.
  • In that case you can disable it completely just change line #69 in that plug-in from:

    if (user.getUsername().equals("Administrator") ||

    to

    if(

    this way the Designer will be accessible only to users inside the Custom Designers Group mentioned before. If you keep that group empty then nobody will have access to Designer, not even the "Administrator" account. If a change is needed and somebody has to access designer, then that person has to go do the server and remove the plug-in, this action can be logged by monitoring tools in the OS level I'd assume.

    Keep in mind that when you have a web server in front of an application there is usually an access log which stores the URLs requested by the end-user, in Appian the name of the actions are very suggestive, for instance, if a user is updating a profile you will this in the web server log:

    2013-04-25 19:45:46 /suite/personalization/updateuser.bg?%24e=detailPane&appian_environment=designer - 200 0.048

    Those are the options that come to my mind right now given there's no specific configuration at the Appian level itself to log every action that is taken by the user once he's logged in.
  • Thx. That is very useful. We will stick to Jboss to provide the web server functionality given this appian env will have very light activity volume. I hope Joss can log such url usage for me.
  • It seems there was a little bit of confusion, my comment mentions: web server, in this case JBoss wouldn't be the one logging, by web server I mean Apache or IIS.
  • If security is the #1 priority, you should use a web server tier, not your app server for that functionality. Also, you definitely want to use JBoss EAP and not JBoss AS as AS doesn't get any security patches.
  • Now we managed to disable to access to Designer portal in the production environment. However, from time to time we need to enable the access in order to import a new version of the application. What would be the easy way to log the application import operation/action for audit purpose?