I created a portal that takes an application from the internet. As part of the process, a notification email has to be sent out the office notifying them that I have a new application.
I created a portal to accept the application and it runs under a Service Account and writes the record, but can not send out the notification email.
The email smart service is configured to send to a group (there are more than one individual that needs to get the email) and I am getting the following error message.
"An e-mail could not be sent because the run as user for this activity could not access one or more of the groups listed in the e-mail address."
The Service Account has initiator religious to the Process Model.
How do I give the service account access to the Group without adding it to the group?
If I add it to the group, wouldn't Appian send an email to the service account?
Am I obsessing about something that doesn't matter?
Discussion posts and replies are publicly visible
The process model should be published under the authority of a service account that has admin priveleges. The email node should be configured with "run as whoever designed this process model" assignment (which really means whatever account last published the model).
I am trying to keep the security access to the service account to the minimum needed to do its job and not have administrative privileges. Also, if I configure the email node to run under my account (as the designer). What would happen if I left the company and my account as disabled? The workflow would fail.
Chris.Gillespie said:Also, if I configure the email node to run under my account (as the designer). What would happen if I left the company and my account as disabled? The workflow would fail.
I hope you would not be deploying to produciton as your own personal account. By this point everyone should be doing auto-deployments across their environments under the authority of a service account, which would have admin privs. This is a self-solving problem when your configuration is correct.
If you leave the company, process instances in the Dev environment might be impacted: to handle this, my trick has been to turn old dev accounts into service accounts until they're fully phased out. IMHO this is not a high security concern since it only affects your Dev environment.
I apologize in advance for my ignorance.
I only deploy applications and updates to applications through the deployment process under the Application Admin account. So after deployment, Application Admin becomes the Developer?
Yes, in higher environments, when automated deployment has been used, the service account handling deployments automatically becomes "publisher" of every process model imported under it - which is what we want, as it circumvents lots of issues we had back in the old days with deployments done under personal accounts (back when that was the only option).
Thanks for the lesson!!