Security ...

I've inherited an application with no documentation, no Jira, no dev notes, nada.
I can see that the app has four groups defined, but have pretty much no idea of the context behind the groups. If I use dependencies on the group - then I can see the security settings - but don't see any use of the groups within interfaces - for instance if user member of group then show section .....
Any ideas how to audit this info?
I thought to export the application and search the XML directly for 'memberof' type code but that doesn't seem to work ...

  • Are there any constants pointing to these groups? If yes, just search for them. There is no need to export. Appian supports search in code since some versions.

  • Simple thing in my mind would be to create test users as members of each group, each pair of groups, each set of 3, and a test user with all 4. See what they can do. See what actions they have, what records they can see, which related actions they can see on those records.

    It might still be extremely obtuse after that, but I think a front-end approach may at least give your investigations a firm starting-point.

  • Select each Group in turn and hit the 'Dependents' button. This will show you what objects each Group is attached to and with what rights. You'll be able to see what access each Group has to, say, a Site or a Record type. And then for 'moving parts' (such as Process Models) which ones they can run. All this does assume, of course, that the Security has been configured correctly by the original developers. You may have to do some forensic digging (e.g. to find out which Process Models are ones that can be started from the front end as Actions or Related Actions...just select each model and check its 'Dependents' and you should be able to crawl the dependency hierarchy).
