How to work or assign user roles

Hi all,

I spent pretty much the whole year trying to find where I can find the system roles that are referred to in the following user roles documentation so I can properly assign privileges to users. Right now the only group type I see in my Appian version is Custom. How and where should I look in order to access the system roles in order to use them? Can someone point out what I am missing?

This is definitely what I believe Appian should improve in their documentation.

https://docs.appian.com/suite/help/20.1/User_Roles.html

https://docs.appian.com/suite/help/20.1/System_Groups.html

Thank you in advance,

Roberta

  • Hi Roberta - I'm not sure I fully understand what you're asking for. In short:

    • there are two types of User Account: 'Basic' and 'System Administrator'
    • Appian applications that you develop (and the Appian toolset itself) are 'Role-based' applications - that is, in order to be able to see/do specific things you need to be granted that 'Role'
    • a 'Role' is always implemented using an Appian Group
    • Appian comes with an out-of-the-box Group 'type' (a 'class' if you will) from which you can make your own group instances. This is the 'custom' Group type that you refer to
    • You can (optionally) create your own Group 'types' (the only advantage over the 'custom' Group type being that you can optionally add custom attributes to that Group type so that any Group instances you create from that Group type will inherit those attributes)
    • Appian's Security model applies both to the 'Design Time' activities (i.e. developers who build Appian Applications) AND to the 'Run Time' activities - end-users who use the developed Applications. In both cases security is implemented using Groups. Groups are attached to objects and confer rights to Users who are in those Groups. Groups can be nested so that Users can inherit rights from the Group they're in AND any Group that that Group is in
    • By default 'System Administrator' User Accounts can do pretty much anything within an environment which may not be what you want for your Developer community. So you have the option to turn 'Basic User' accounts into Developers by adding them to the relevant System Groups. In this way you can (if you wish) implement partitioning between Developer communities

    I'm not sure what else to add until I understand exactly what you're looking to achieve. Feel free to elaborate and we will see what we can do to help you.

  • Hi Steward,

    Thank you for replying. 

    I understand the concept of roles. What I need is direction on how to set up users to be admin to a specific application. For example, when I assigned the Designers role to a group, they actually can create applications. I don't want that, I want them to be contained within their own application.

    My question is how do I set this up using the out-of-the-box groups and permissions.

    Thanks,

    Roberta

  • In which case you need to create your Designers as Basic Users, assign them Designer rights (add them to the 'Designer' group) and also add them to a Group that controls access to your Application (with default access of 'None' so that Users NOT in that Group cannot even see the Application object). This is what I was describing in my last bullet point in my initial reply. If you want them to access the Appian database you'll also need to add them to the 'Database Administrators' group (note: there's only one DB Schema for the Appian DB so anyone in that group can access ALL Database tables)

  • Hi Steward,

    I did this and they still can create applications. Maybe there is a step here that I still need to do.

    Do you have a recipe link that I can follow step by step?

    Thanks,

    Roberta

  • What security settings do you have on your Application objects?

  • Hi Roberta - 

    Designers can create applications.  This behavior of the product is not likely to change anytime soon.  So let's table that.

    My recommendation is that you institute and manage governance in support of your organization's policies.  

    Next, I'm assuming that access to environments other than dev and test is carefully controlled.  This way, even if you have designers creating applications in dev you don't want, they should never get promoted to prod.  (I trust you don't allow dev in Prod.)
    Further - provided your devs aren't sharing passwords (let's hope not), you can trace the origin of unwanted applications to the user who created them.  

    Assuming that most designers are not sys admins, you do have means to secure Appian objects.  The key is that all Application objects need to be secured to <App> Admins or <App> designers, or <App> All users, etc.
    Further, if there are only very few sys admins, then designers can't create new users, and you should be able to communicate policy to all new devs.  

    If one dev team chooses to not secure their app, other designers will be able to see it.


  • Hi Robert,

    Thank you for your reply. 

    Yes, we do have all these controls in place for DEV, UAT and PROD environments.

    Good advice for the application objects, I will go back to them and make sure they were set up properly.

    Roberta
