Hello everyone,
I have a question regarding how Appian handles task URLs and their accessibility across different applications and sites.
I've noticed that a task in Appian can be opened regardless of which application, site, or page you're currently viewing. For example, the same task ID can be accessed through multiple different URL patterns:
https://<myenv>.appiancloud.com/suite/sites/any-application-1/page/<any-page-3>/task/<some-id>
https://<myenv>.appiancloud.com/suite/sites/any-application-2/page/<any-page-3>/task/<some-id>
https://<myenv>.appiancloud.com/suite/sites/any-application-3/page/<any-page-3>/task/<some-id>
Let's suppose <some-id>=GgE4eQDCj1OX711111
All of these URLs successfully open the same task, even though they reference different applications and pages in the path.
My questions are:
I'm trying to understand the underlying architecture and whether this is by design for user convenience or if there are configuration options I might be missing.
Silas. B. Ferreira said: Why does Appian allow tasks to be accessible from any site/application URL path?
Tasks do not care even the slightest bit about what apparent site/application they're opened from. The fact that they're apparently opened from a site is basically a retrofit to not make the user think they've been bounced to the "Tempo" side. Security of a particular task (process security, assignment, etc.) is not affected by the site the user is accessing it from - and likewise I would assume that the user couldn't arbitrarily view a task from a site they wouldn't have access to. And almost no end users are going to dissect URLs to mix-and-match like this, nor would they care.
Silas. B. Ferreira said: is there a way to restrict task access to specific applications/sites
No. Task security is controlled strictly from process instance security and task assignment, since (as previously stated) the "source site" makes zero difference.
Silas. B. Ferreira said: Does the application/site/page portion of the URL serve any functional purpose when accessing tasks, or is it purely cosmetic/contextual?
The latter.
Silas. B. Ferreira said: any security implications
None that I know of. If a user has access to X, Y and Z sites, and A, B and C tasks, they'll technically be able to see any A, B or C as if from X, Y or Z, in any permutation, if they mess with the URL the right way.
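An added example, not part of the thread and not Appian code: because the site and page segments play no part in task authorization, audit tooling should key on the task ID alone, and can also check the reply's assumption that a task never opens through a site the user cannot reach. The request tuples, the site-membership map and the function names are constructed or hypothetical; only the URL shape and the sample task ID come from the question.

```python
import re
from collections import defaultdict

# Path shape taken from the URLs in the question; site and page slugs vary freely.
TASK_PATH = re.compile(
    r"^/suite/sites/(?P<site>[^/]+)/page/(?P<page>[^/]+)/task/(?P<task>[^/?#]+)"
)

# Constructed sample data (not real Appian logs): (user, request path, HTTP status).
SAMPLE_REQUESTS = [
    ("alice", "/suite/sites/any-application-1/page/home/task/GgE4eQDCj1OX711111", 200),
    ("alice", "/suite/sites/any-application-2/page/home/task/GgE4eQDCj1OX711111", 200),
    ("bob", "/suite/sites/any-application-3/page/home/task/GgE4eQDCj1OX711111", 200),
    ("bob", "/suite/sites/any-application-1/page/home/task/GgE4eQDCj1OX711111", 403),
    ("alice", "/suite/sites/any-application-1/page/home/report/abc", 200),
]

# Constructed: the sites each user is expected to be able to open.
SAMPLE_SITE_ACCESS = {
    "alice": {"any-application-1", "any-application-2"},
    "bob": {"any-application-1"},
}


def parse_task_path(path):
    """Return (site, page, task_id) for a task URL path, or None for other paths."""
    m = TASK_PATH.match(path)
    return (m["site"], m["page"], m["task"]) if m else None


def audit(requests, site_access):
    """Group successful task opens by (user, task) and flag opens via unexpected sites."""
    sites_used = defaultdict(set)  # (user, task_id) -> site slugs seen in the path
    unexpected = []                # successful opens through a site the user lacks
    for user, path, status in requests:
        parsed = parse_task_path(path)
        if parsed is None or status != 200:
            continue  # not a task URL, or the platform refused the request
        site, _page, task = parsed
        sites_used[(user, task)].add(site)
        if site not in site_access.get(user, set()):
            unexpected.append((user, site, task))
    return dict(sites_used), unexpected


if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS, SAMPLE_SITE_ACCESS))
```

An empty `unexpected` list over real logs supports the assumption in the reply; several site slugs under one `(user, task)` key is the expected, harmless permutation the thread describes.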