I'm looking for some best ideas to support read only access to prod. I'm leaning towards create dev/qa as basic user and add to designers group and view only application specific groups then remove designers from DB Editors which allows dev to access both DB and designer in read only mode. Any drawbacks or any articles/ ideas to do it in different way?
Appreciate your time! Thanks
Discussion posts and replies are publicly visible
You are on the right track with your thinking. It does depend on what your support policies say as well so consider that. If you have a privileged access policy, then there may be another system that grants access and moves the users in to an AD group that then maps to a set of "read only" groups linked to the app objects.
If this is just linked to Appian, so no AD / SSO integration, then you can do a similar thing and grant users access via a process and then move them to a group that denies them access to objects when the task has been completed. The key thing is auditing who has access etc.