Run as whoever designed the model

jesusa310

Certified Lead Developer

over 5 years ago

Hi all,

What do you think of Setting the security of the lane that starts a process as "Run as whoever designed the model"? Is it a good practice? What happens if the designer leaves the Company and the user gets deactivated? Is it recommened to use instead Run as whoever started the process? I am interested in knowing if this could cause a security error.

Kind regards,

Jesus

Discussion posts and replies are publicly visible

Top Replies

Parents

Colton Beck over 5 years ago

I always recommend against running processes as the Designer, unless it's specifically required. I've found it can be used as a crutch for bad security designs.

Additionally, if the publishing user is deactivated, the processes will break if using this design. You can mitigate this issue by always deploying as a service account user that will never be deactivated. But nonetheless, I believe you should only use this configuration when there is some specific reason to do so.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
jesusa310
Certified Lead Developer
over 5 years ago in reply to Colton Beck

Thanks Colton. Your answer is in line with my thoughts but another question came to me reading you. What if the Setting is "Run as whoever designed the model" but the user that deploys the package in production is a generic Administrator. We would still have a Problem if the designer user is deactivated, wouldnt we?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Colton Beck over 5 years ago in reply to jesusa310

Yes, you would still have the issue.

The idea with user a service account is that it's tied to no specific person, so you wouldn't need to deactivate when somebody rolls off the project.

However, if your environment uses defined auto-deactivation rules, you'd need to be careful the service account isn't auto-deactivated, at which point a bunch of your processes could break.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Reply

Colton Beck over 5 years ago in reply to jesusa310

Yes, you would still have the issue.

The idea with user a service account is that it's tied to no specific person, so you wouldn't need to deactivate when somebody rolls off the project.

However, if your environment uses defined auto-deactivation rules, you'd need to be careful the service account isn't auto-deactivated, at which point a bunch of your processes could break.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Children

Colton Beck over 5 years ago in reply to Colton Beck

Also, there is a good conversation about this here worth reading.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
jesusa310
Certified Lead Developer
over 5 years ago in reply to Colton Beck

So the best practice would be to set the System lane as " Assign all nodes in this lane to a person or group of People" and then select a generic Service account, right?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Colton Beck over 5 years ago in reply to jesusa310

I wouldn't use the swim lane assignment defaults, unless you have a bunch of input tasks that you want to assign to specific user groups. Assignment is different from setting the context of a node running as the initiator or designer.

It's also a best practice to never assign anything to a specific user. Assignments should always be to groups.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel