Application Authorization

Appian Objects Security Rolemaps

Application authorization defines what artifacts, features, and user interfaces users can access. In Appian, every object has a security rolemap that specifies the different roles and actions that apply to the object. Adding users to an object rolemap allow them to perform the different actions allowed by the specified role on this object.

For example, adding a user to the viewer role of a datastore object will allow the user to read and write data from and to all the entities (and underlying database tables) declared in the datastore.

For more information, refer to Object Security.

Using Groups and Group Memberships

Users should not directly be assigned to object security rolemaps because changing what a user can see would require modifying the object configuration. It is not a dynamic setup and it would require deploying a new version of the application for every change.

Instead, users should be members of groups which in turn are assigned to the object security rolemaps. This provides the most flexibility and allows runtime configuration of what users have access to. By adding or removing users from groups, one can change what applications or features users can access and what operations users can perform.

What Groups to Create to Secure Objects

When thinking about securing an application, there are 2 categories of groups to consider:

  • Application groups - These groups are used to grant high level access to applications and their underlying components. Each application should have at least 2 groups:
    • One viewer group which members have access to view and use the application.
    • One administrator group which members have access to configure and manage the application.
  • Feature/action specific groups - These groups are used to grant access to specific features or actions in the case where access is more or less restricted than the overall application itself. For example:
    • A global record type for Customers may need to be accessible by all users. In this case, a group specific to viewing the record type needs to be created.
    • An action to update the customer data may need to be restricted to a subset of users that have access to the application. As such, a group specific to this use case needs to be created.

In majority of cases you should not have to replicate your entire organizational structure using group hierarchies in Appian. Instead create (and/or synchronize) groups only as they are needed for configuring specific application roles or security. Similarly, there is often no need to replicate Appian application group structures in LDAP or other external directory systems.