Appian Group Security Configuration and Policies

  • Types of Packages

    A package is a collection of Appian application changes that a developer can deploy to another environment. Preparing a package is an important step in the deployment process and involves understanding what changes you need to deploy and how these changes will affect your target environment.

    There are three different types of packages that you can deploy in Appian. In most cases, your packages will contain application objects, but can also include environment-specific information, such as import customization files or database scripts.

    • Applications contain a set of objects that make up a business solution. Applications should be used to introduce a new set of objects that do not exist in the target environment.

    • Patches contain new or updated objects, which a developer deploys when introducing an update to an existing application in the target environment. Patches are helpful for deploying bug fixes or enhancements.

    • Administration Console Settings contain updates to your Administration settings, such as site branding or third-party credentials in the target environment.

  • Groups Hierarchy
  • Configuring Security for Groups

    Overview

    Appian allows you to tailor user rights to the needs of your groups and your overall organization by configuring security settings for groups.

    These group settings impact all users, whether or not they are members of the group.

    Types of group membership

    Four types of membership determine the user rights available for a group—Administrator, Group Creator, Member, and Viewer.

    • Administrators can modify group properties, add and remove administrators and members, create and modify membership rules, and delete the group.
    • Group Creators have administrator rights.
    • Members have been added as members either by the group creator or group administrators, or added as part of a rule. The rights given to members depend on the group’s Visibility.

    Group Types

    Group types allow you to organize your groups in different categories and associate certain metadata with a group.

    Properties

    Each group type has the following properties:

    | Property | Description |
    |---|---|
    | Name | The name that is used when referencing the group type. This name can also be returned when querying the groupTypeName property using the group() function. Follow the recommended naming standard when creating this name. |
    | Description | (Optional) Information about the group type that is displayed in the application contents grid. |
    | Attributes | Additional metadata that can be configured about the groups of this type. |

    Group type attributes

    Attributes are custom fields that provide additional information about groups of that type. This allows you to further differentiate groups from each other and use the associated metadata throughout your application.

    Some types of attributes require each group within the group type to have a value. Attributes of that type require a default value to be set when adding the attribute.

    Attribute data types

    Group type attributes can be of the following types:

    | Type | Value Required |
    |---|---|
    | Boolean | Yes |
    | Date | Yes |
    | Group | No |
    | Number (Decimal) | Yes |
    | Number (Integer) | Yes |
    | Text | Yes |
    | User | No |

    Configuring attributes

    Once an attribute has been added to a group type, its configuration cannot be edited. Attributes can be removed by the creator of the group type or by a system administrator.

    Group visibility

    Appian defines three Visibility settings—Public, Personal, and Restricted. These settings have implications in group directory lists, group searches, group membership, and group administration.

    All users can create groups of each setting, and the settings can be modified from the group’s Properties dialog.

    Public

    Public groups appear when browsing groups and in group search results.

    When Public groups are added to the Tempo Message Audience Groups system group, all users can select and send messages to those groups.

    See also: Tempo Message Audience Groups

    Personal

    All users can create a group with Personal security, but only the Group Creator can work with and modify the group. They can add other users as administrators and members, but members cannot see this group.

    These groups are useful when organizing contact lists or assigning tasks. This security feature allows the members in your group to be aware of the group’s existence, yet they cannot use the group or view other members.

    Users, including group administrators, cannot send Tempo messages to a Personal group, even if the group is added to the Tempo Message Audience Groups system group.

    Restricted

    This setting exposes the group to its members and administrators only, who can view the group when browsing. The group appears for these users within group search results.

    If a Restricted group is added to the Tempo Message Audience Groups system group, and a member sends an open message to that group, non-members may still see the message, but the Restricted group’s name will display as [Group Name Not Available]. To avoid confusion for your users, you may want to limit the number of Restricted groups added to the Tempo Message Audience Groups system group.

    • This also applies if the message is sent to multiple Restricted groups and a user is a member of one group, but not all. The user will see the message, but the groups the user is not a part of will be listed as [Group Name Not Available].

    See also: Send a Message

    Group membership policy

    The Group Membership Policy selected for a group determines whether or not users are free to join a group and whether or not approval is required before the user can be added to the group.

    The possible policies are discussed below:

    • Closed: Only Group Administrators can add members to or remove members from the group.
    • Automatic: This option exists only for Public groups, and users who can see these groups do not need the Group Administrator’s permission to join.
    • [Deprecated] Exclusive: Users can only join the group with approval from a Group Administrator.

    There is no option in Appian Designer to automatically join or request to join a group, and setting a group as Automatic or Exclusive no longer exposes these options. If needed, this functionality can be built into your application. Newly created groups default to Closed, and should remain as such.

    Group privacy policy

    The group privacy policy determines whether group members can see who else is a member of the group. The policy has two settings:

    • Low: All members can see each other.
    • High: The members cannot see each other. Only the Group Creator, Group Administrators, or system administrators can see all the members. Personal groups always have a ‘High’ privacy policy.

    Groups in Appian Designer

    New groups in Appian Designer default to the following configuration:

    • Visibility: Public
    • Membership Policy: Closed
    • Privacy Policy: Low

    Designers cannot set another Membership Policy during group creation, but can modify it in the group’s properties. Visibility and Privacy Policy are available to edit both during group creation and in the group’s properties.

    The following table summarizes the various options and consequences for configuring group security.

    | Group Visibility | Membership Policy | Privacy Policy | Searchability | Member Visibility |
    |---|---|---|---|---|
    | Restricted | Closed | High | Seen in directory and search results by Members and Administrators | Only Administrators may see members of the group |
    | Restricted | Closed | Low | Seen in directory and search results by Members and Administrators | Anyone can view members |
    | Personal | Closed | High | Never seen in directory and search results by all | Only Administrators may see members of the group |
    | Public | Automatic | High | Seen in directory and search results by all | Only Administrators may see members of the group |
    | Public | Automatic | Low | Seen in directory and search results by all | Anyone may view members |
    | Public | Exclusive [Deprecated] | High | Seen in directory and search results by all | Only Administrators may see members of the group |
    | Public | Exclusive [Deprecated] | Low | Seen in directory and search results by all | Anyone may view group members |
    | Public | Closed | High | Seen in directory and search results by all | Only Administrators may see members of the group |
    | Public | Closed | Low | Seen in directory and search results by all | Anyone may view group members |
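
    The rules above can be checked mechanically against a group inventory. The following is an added example, not Appian code: the Group record, its field names, and the sample inventory are assumptions constructed for illustration, and the checks use only the rules stated on this page.

```python
from dataclasses import dataclass

@dataclass
class Group:
    # Hypothetical inventory record: field names are assumptions, not an Appian export schema.
    name: str
    visibility: str         # "Public", "Personal" or "Restricted"
    membership_policy: str  # "Closed", "Automatic" or "Exclusive"
    privacy_policy: str     # "Low" or "High"
    in_tempo_audience: bool = False  # added to Tempo Message Audience Groups

def audit(g):
    """Return findings for one group, using only the rules stated on this page."""
    findings = []
    if g.membership_policy == "Automatic" and g.visibility != "Public":
        findings.append("invalid: Automatic exists only for Public groups")
    if g.membership_policy == "Exclusive":
        findings.append("deprecated: Exclusive membership policy")
    if g.membership_policy != "Closed":
        findings.append("review: membership policy should remain Closed")
    if g.visibility == "Personal" and g.privacy_policy != "High":
        findings.append("invalid: Personal groups always have High privacy")
    if g.visibility == "Public" and g.privacy_policy == "Low":
        findings.append("info: listed for all users and anyone may view members")
    if g.in_tempo_audience and g.visibility == "Restricted":
        findings.append("tempo: non-members see [Group Name Not Available]")
    if g.in_tempo_audience and g.visibility == "Personal":
        findings.append("tempo: users cannot send messages to a Personal group")
    return findings

def audit_inventory(groups):
    """Map each group name to its findings; groups with none are omitted."""
    report = {}
    for g in groups:
        findings = audit(g)
        if findings:
            report[g.name] = findings
    return report

# Constructed sample inventory (not real data).
SAMPLE = [
    Group("Claims Reviewers", "Restricted", "Closed", "High", in_tempo_audience=True),
    Group("New Designer Group", "Public", "Closed", "Low"),
    Group("My Contacts", "Personal", "Automatic", "Low"),
    Group("Operations", "Public", "Closed", "High"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE).items():
        print(name, findings)
```

    The "info" finding fires on the Appian Designer default (Public, Closed, Low), so it works as a prompt to confirm that open member visibility is intended for each new group.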