Run as whoever designed the model

RE: Run as whoever designed the model

Ahmad Al-Buthom — Wed, 01 Dec 2021 15:16:01 GMT

Thank you mike so much.

RE: Run as whoever designed the model

Mike Schmitt — Tue, 30 Nov 2021 15:26:53 GMT

The best I can do is direct you to this old thread where I uploaded my version that was up-to-date at that point. If I had a more recent version sometime after that, I can't be sure. However I believe the version I attached there should still work provided the necessary plug-ins.

RE: Run as whoever designed the model

Ahmad Al-Buthom — Tue, 30 Nov 2021 13:21:17 GMT

Hey Mike,

Would you be ok sharing a package export containing the process model you've built to republish processes as different user please.

Thank you

RE: Run as whoever designed the model

Mike Schmitt — Wed, 24 Nov 2021 13:50:16 GMT

Hi,

Yes, the tool I mentioned above made use of the "republish as different user" plug-in as well as a process model which determined what models in that environment were not already published as that user, then ran through all of them.

Luckily in the interceding 3 years, subsequent Appian versions have given us new capabilities including Service Account functionality as well as direct imports (under the authority of a designated user, i.e. the service account), so the need for such a tool has been almost entirely mitigated.

RE: Run as whoever designed the model

Thenmozhi Mohanakrishnan — Wed, 24 Nov 2021 11:33:28 GMT

Mike Schmitt Could you please share how you created the custom app to republish with different user? Is it using the 'Republish Model as Different User' plugin? If yes, kindly share in which version of Appian you made use of this plugin.

RE: Run as whoever designed the model

Mike Schmitt — Fri, 12 Oct 2018 19:07:04 GMT

As an additional note - "run as initiator" does not account for processes changing hands; the initiator is inherited from the top level action only. Furthermore, if that user ever gets deactivated, it has immediate and severe implications upon the running process instance tree they've left behind.

It's for these reasons that on my main project, we are required to do 100% "run as designer" subprocess calls, and make sure that all models in the production environment are published by a shell "admin user" account as Robert mentions above. (We actually do imports under our personal accounts by necesity, and then use a custom app I built to republish all imported process models as the Admin user.)

RE: Run as whoever designed the model

Robert Shankin — Fri, 12 Oct 2018 19:05:57 GMT

This is true for 7.9, yes.

RE: Run as whoever designed the model

jesusa310 — Fri, 12 Oct 2018 18:32:01 GMT

Hi Robert, that is good news. Currently the deployments in producion are done through a generic account. Is that the behavior in old versions too? We are running on Appian 7.9

RE: Run as whoever designed the model

Robert Shankin — Fri, 12 Oct 2018 18:06:20 GMT

Hi Jesus -
Side note:

Remember, in the environment where the process model is imported, the user who performs the import assumes the identity of the process designer.

That's why it's a good practice to ~never import as a named user, and instead use an Appian service account such as "deployment.administrator" who never leaves the company.

RE: Run as whoever designed the model

Colton Beck — Fri, 12 Oct 2018 14:41:15 GMT

I wouldn't use the swim lane assignment defaults, unless you have a bunch of input tasks that you want to assign to specific user groups. Assignment is different from setting the context of a node running as the initiator or designer.

It's also a best practice to never assign anything to a specific user. Assignments should always be to groups.

RE: Run as whoever designed the model

jesusa310 — Fri, 12 Oct 2018 14:32:07 GMT

So the best practice would be to set the System lane as " Assign all nodes in this lane to a person or group of People" and then select a generic Service account, right?

RE: Run as whoever designed the model

Colton Beck — Fri, 12 Oct 2018 14:25:26 GMT

Also, there is a good conversation about this here worth reading.

RE: Run as whoever designed the model

Colton Beck — Fri, 12 Oct 2018 14:23:55 GMT

Yes, you would still have the issue.

The idea with user a service account is that it's tied to no specific person, so you wouldn't need to deactivate when somebody rolls off the project.

However, if your environment uses defined auto-deactivation rules, you'd need to be careful the service account isn't auto-deactivated, at which point a bunch of your processes could break.

RE: Run as whoever designed the model

jesusa310 — Fri, 12 Oct 2018 14:21:41 GMT

Thanks Colton. Your answer is in line with my thoughts but another question came to me reading you. What if the Setting is "Run as whoever designed the model" but the user that deploys the package in production is a generic Administrator. We would still have a Problem if the designer user is deactivated, wouldnt we?

RE: Run as whoever designed the model

Colton Beck — Fri, 12 Oct 2018 14:16:06 GMT

I always recommend against running processes as the Designer, unless it's specifically required. I've found it can be used as a crutch for bad security designs.

Additionally, if the publishing user is deactivated, the processes will break if using this design. You can mitigate this issue by always deploying as a service account user that will never be deactivated. But nonetheless, I believe you should only use this configuration when there is some specific reason to do so.