Run as whoever designed the model

Certified Lead Developer

Hi all,

 

What do you think of setting the security of the lane that starts a process as "Run as whoever designed the model"? Is it a good practice? What happens if the designer leaves the company and the user gets deactivated? Is it recommended to use "Run as whoever started the process" instead? I am interested in knowing if this could cause a security error.

 

Kind regards,

 

Jesus

  • I always recommend against running processes as the Designer, unless it's specifically required. I've found it can be used as a crutch for bad security designs.

    Additionally, if the publishing user is deactivated, the processes will break if using this design. You can mitigate this issue by always deploying as a service account user that will never be deactivated. But nonetheless, I believe you should only use this configuration when there is some specific reason to do so.
  • Certified Lead Developer
    in reply to Colton Beck
    Thanks Colton. Your answer is in line with my thoughts, but another question came to me while reading it. What if the setting is "Run as whoever designed the model" but the user that deploys the package in production is a generic Administrator? We would still have a problem if the designer user is deactivated, wouldn't we?
  • Yes, you would still have the issue.

    The idea with using a service account is that it's tied to no specific person, so you wouldn't need to deactivate it when somebody rolls off the project.

    However, if your environment uses defined auto-deactivation rules, you'd need to be careful the service account isn't auto-deactivated, at which point a bunch of your processes could break.