User roles give a user specific privileges to access certain areas of Appian. The areas include access to Tempo, Appian Designer, the Process Modeler, the Quick Apps Designer, and the Administration Console.
Each role is represented by a system group and works like other system groups: when you add users to the role, they automatically receive the associated privileges without the need for further setup.
User roles differ from system groups in that by adding a user to a role, you actually restrict them from accessing any areas of Appian not part of that role. Other system groups don’t actually restrict users by virtue of their rules; they only add privileges.
This restriction is beneficial in creating secure applications. For example, you may want to create users that can interact with and complete processes in Tempo in order to increase collaboration around the company, without allowing them access to Appian Designer where they could accidentally modify a process model. In this case, you can add these users to the Application User Role.
The following User Roles are available.
The Application User Role gives a user access to Tempo, sites, and embedded interfaces. Users can complete any tasks and start processes they have access to here, but they do not have access to the Designer interface, including the Process Modeler or the Administration Console.
Users are added to the Application User Role when you add them to the Application User System Group.
The Tempo User Role gives a user access to Tempo specifically. Use this role when you need finer access control than the Application User Role allows. Typically this role is used to prevent sites-only users from accessing Tempo while maintaining the other aspects of the Application User Role, such as completing tasks they have access to in sites.
Users are added to the Tempo User Role when you add them to the Tempo User System Group.
The Quick App Creator Role allows users to access the Quick Apps Designer, and create and modify Quick Apps. Users in this role will also often be Application Users, as well as having the Basic User user type.
Note: Designer users have access to an application builder in Appian Designer, and do not need to be configured into this role to generate applications quickly.
Users are added to the Quick App Creators Role when you add them to the Quick App Creators System Group.
The Designer Role allows users to work within the Designer Interface and any applications exposed through an end user environment. They can design applications and complete tasks within an end user environment, but they do not have access to the Administration Console.
Users are added to the Designers Role when you add them to the Designers System Group.
The Service Account Role allows administrators to designate service accounts that can use API keys and the OAuth 2.0 Client Credentials Grant to invoke Appian web APIs. Service accounts are unable to log into Appian and cannot be automatically deactivated due to inactivity.
Service accounts can be created from the Admin Console when creating an API Key or OAuth 2.0 client. Existing users are added to the Service Account Role when you add them to the Service Accounts system group.
The user role for a user overrides the user type.
The user role for a user works in union with other system groups.
By default, new users are not assigned to any user role and cannot access any areas of Appian. However, also by default, the following rules are defined for user roles:
These defaults are configured by rules within the Application Users System Group and Designers System Group. In order to change them, you need to modify the associated system group rule.
Since assigning a user to a user type is required when creating the user account, this is a necessary step if you want new users to not have any access to Appian, by default.
Since User Roles are represented by a system group, adding a user to a user role is the same as adding a user to a system group. Only System Administrators can add a user to a user role.
For instructions on doing so, refer to Add Users to Groups.
If the user is currently logged into the system, the new role privileges may not take effect until the user logs out of Appian and then logs back in.
Removing a user from a role is as easy as removing them from the role’s system group.
If you are removing a user from a role in an effort to change their role (for example, from an Application User to a Designer), add them to the new role first to prevent temporarily removing their access entirely. Users who are not in any roles will not be able to sign in.
For instructions on doing so, refer to Managing Groups.
When removing users from a role, keep the following in mind:
If the user is currently logged into the system, the new role privileges may not take effect until the user logs out of Appian and then logs back in.
If you want to prevent a user from accessing Appian altogether, do so by deactivating the user account. Do not simply remove them from all user roles.
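The two pieces of advice above (add the new role before removing the old one, and deactivate an account rather than stripping its roles) can be checked before a membership change is applied. The following Python is an added example, not Appian code or an Appian API: the plan format, the user records and the group names as spelled here are assumptions, and it models only the rule that a user in no role cannot sign in.

```python
# Added example with constructed data; not an Appian export format or API.
# Role group names are assumptions based on this page; match them to your site.
ROLE_GROUPS = {"Application Users", "Tempo Users", "Quick App Creators", "Designers"}
# Service Accounts is left out on purpose: service accounts never log in.

def lockout_steps(current_groups, plan):
    """Return 0-based indices of plan steps after which the user is in
    no role group. plan is an ordered list of ("add"|"remove", group)."""
    roles = set(current_groups) & ROLE_GROUPS
    gaps = []
    for i, (op, group) in enumerate(plan):
        if op not in ("add", "remove"):
            raise ValueError(f"unknown operation: {op!r}")
        if group not in ROLE_GROUPS:
            continue  # not a role group: no effect on the sign-in rule
        if op == "add":
            roles.add(group)
        else:
            roles.discard(group)
        if not roles:
            gaps.append(i)
    return gaps

def safe_order(plan):
    """Reorder a plan so every add runs before any remove."""
    added = {g for op, g in plan if op == "add"}
    removed = {g for op, g in plan if op == "remove"}
    if added & removed:
        raise ValueError("a group is both added and removed; reordering is ambiguous")
    return sorted(plan, key=lambda step: step[0] != "add")  # stable sort

def active_without_role(users):
    """Names of active accounts that belong to no role group. If the intent
    is to block access, these should be deactivated instead."""
    return [u["name"] for u in users
            if u["active"] and not (set(u["groups"]) & ROLE_GROUPS)]

# Constructed sample: change an Application User into a Designer.
PLAN = [("remove", "Application Users"), ("add", "Designers")]
USERS = [
    {"name": "a.kim", "active": True, "groups": ["Designers", "Finance Team"]},
    {"name": "b.lee", "active": True, "groups": ["Finance Team"]},
    {"name": "c.roy", "active": False, "groups": []},
]

if __name__ == "__main__":
    print("lockout at steps:", lockout_steps(["Application Users"], PLAN))
    print("reordered plan:", safe_order(PLAN))
    print("active, no role:", active_without_role(USERS))
```
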