Security

This page describes how permissions are used to secure users, resources, and robotic processes in Appian RPA. It also covers how to set up security between Appian and Appian RPA. To learn how to protect the data that flows through Appian RPA, check out Securing Data in a Robotic Process.

Looking for a refresher on these components? Check out key terms in Appian RPA.

Permissioning through tags

Appian RPA uses a flexible permissions mechanism based on tags that can be used to:

  • Allow users to access resources
  • Allow users to access robotic processes
  • Define which robotic processes can be executed on each resource
  • Define which credentials can be used with a robotic process

The tag-based permissions system enables you to assign a combination of resources and robotic processes to one or more users, as well as use credentials with them. Different users can access the same robotic process, resource, or credential no matter what their role is – they just need to share a tag with that component.

It is very important to keep in mind that any permission changes, on any component in the console, can make a user lose access to a robotic process they've created, or prevent that user from executing or editing a robotic process. For this reason, it is important that you carefully consider any permission changes you perform from the console.

Types of permissions

To make a user, robotic process, resource, or credential visible to another component, both must share at least one permission. If a component has more than one permission tag ending in an exclamation mark, the components must share all mandatory permissions with this mark.

There are two types of permissions:

  • Regular permission: permission that does not end with an exclamation mark. All components sharing a permission will be able to see each other.
  • Mandatory permission: permission that ends with an exclamation mark. To make a component with one or more mandatory permissions visible to another component, they must share all the of the same mandatory permissions.

Assign or edit permissions

Required role: Developer or Administrator

Only administrators can create permissions in Appian RPA.

When you want a user to have access to a robotic process or a resource, they must have at least one permission in common. You can assign permissions to users, robotic processes, and resources in similar ways.

Based on your role, you can assign permissions as follows:

Assign Permissions To Role: Operations Manager Role: Developer Role: Administrator
Users No No Yes
Resources No Yes (if permissions in common) Yes
Robotic processes No Yes (if permissions in common) Yes

When you import a robotic process, the associated permissions are imported as well. Permissions are not carried during the import and export process for users and resources. Appian recommends first importing a robotic process and then assigning permissions to users and resources. This approach ensures that your process is appropriately permissioned and ensure consistency.

To assign or edit permissions:

  1. Go to the tab where you want to assign or edit permissions. For example, the Users, Resources, or Robotic Processes tabs.
  2. In the table on that tab, locate the user, process, or resource you want to edit.
  3. In the Actions column for that row, click the lock icon 2229048.png. The Permissions window displays.

    rpa-permission-tags.png

  4. In this window, select or deselect permission tags. If your role is Developer, the list of selectable tags contains only tags assigned to you. If your role is Administrator, the list contains all tags in your system.
  5. (Administrators only) Type the name of a new permission, and press Enter.
  6. Click OK to save your edits.

Modify user permissions in bulk

Required role: Administrator

As more people access the Appian RPA Console, security is important to consider. Administrators can add or remove permissions for multiple users at once:

  1. Go to the Users tab in the Appian RPA Console.
  2. Find the users whose permissions you want to edit. For each user, check the box in the Sel. column.
  3. Click the Permissions icon at the top of the list. In the Permissions window, two fields appear:
    • In all selected users: The permissions in this field are present for all selected users. You can add or remove permissions in this field.
    • In some selected users: The permissions in this field are present for some, but not all, selected users. You can remove permissions in this field.
  4. Type a tag in the In all selected users field and press Enter to add the permission to all selected users. If the permission already exists, Appian RPA shows it as a suggestion as you type. Click a suggested permission to add it.
  5. You can also remove permissions in either field. Click the X for any tag to remove it from the users who have it.

rpa-bulk-permissions.png

Modify resource permissions in bulk

Required role: Developer or Administrator

You can also add or remove permissions for multiple resources at one time:

  1. Go to the Resources tab in the Appian RPA Console.
  2. Find the resources where you want to edit permissions. For each resource, check the box in the Sel. column.
  3. Click the Permissions icon at the top of the list. In the Permissions window, two fields appear:
    • In all selected resources: The permissions in this field are present for all selected resources. You can add or remove permissions in this field.
    • In some selected resources: The permissions in this field are present for some, but not all, selected resources. You can remove permissions in this field.
  4. Type a tag in the In all selected resources field and press Enter to add the permission to all selected resources. If the permission already exists, Appian RPA shows it as a suggestion as you type. Click a suggested permission to add it.
  5. You can also remove permissions in either field. Click the X for any tag to remove it from those resources.

rpa-bulk-resource.png

Credentials

If a robotic process is tasked with logging into another program or a website, it should use credentials to input the username and password. Appian RPA credentials store this information securely and retrieve it from the server when needed.

You can use Appian RPA's low-code modules to add credentials to your robotic process. Use the Interact with Element method in a robotic process to input credentials in a web browser, or use the Type text method when the robotic process logs into an application.

See an example of credentials in a low-code robotic process.

Never store usernames, passwords, or other sensitive information as plain text.

Assign permissions to login credentials

When you want a robotic process to have access to a login credential, the credentials must have at least one permission in common with that component.

To assign or modify permissions to credentials:

  1. Go to the Robotic processes page.
  2. Click on the Credentials icon in the toolbar.
  3. In the List of credentials, click the Permissions icon 2229048.png in the Actions column.
  4. In the window, assign new permissions or remove existing ones in the Permissions field. rpa-permission-tags.png
  5. Click OK.

Securing Appian objects and robotic processes

If your robotic process interacts with Appian objects, you'll need to set up permissions so the Appian objects can be accessed as needed. Permissions apply only to service accounts set up to use Appian RPA, since ordinary Appian users don't have access to the robotic processes.

Currently, Appian and Appian RPA have different security mechanisms. You'll maintain security through permissions you grant to the service account that connects the two. Appian recommends that you document your security settings to more easily reproduce in the future. For example, you may need to recreate permissions in a target environment when you deploy a robotic process.

To set up common security between Appian and Appian RPA:

  1. Create a service account to communicate with Appian RPA and make sure it has either administrator or developer permissions in Appian.
  2. Once the connected system is set up, the service account will be automatically added to the user list in Appian RPA.
  3. An Appian RPA administrator should apply permissions to the service account as needed to access the intended robotic processes and resources. Alternatively, a service account can be designated as an Administrator so it has universal permissions.
  4. In Appian, the service account can be added to the appropriate security groups so it can interact with Appian objects as needed.

Example

To demonstrate how permissions work between Appian and Appian RPA, we'll use an example.

Suppose your first robotic process fits within an Appian process model that processes internal transfer requests. The process model is in an Appian application called "Company Transfers." The process will interact with the PeopleSoft user interface to gather data about the employee who requests a transfer and write it into an Appian database. The app has three security groups: Administrators (with admin privileges), HR Managers (with editor privileges), and All HR Users (with view privileges).

Let's suppose you create a service account to set up the Appian RPA connected system. You want this service account to be able to write data to your datastore. The datastore's security currently lists HR Managers as editors, so you could add the service account to the HR Manager group to inherit this security, as well as the security of other objects configured for this group.

In Appian RPA, you'll set up permissions so the service account can access the robotic process that gathers the data from PeopleSoft. The service account needs to share a permission with the same process. Alternatively, if you make the service account an Administrator, it will have universal access.


This version of the Appian RPA documentation was written for Appian 20.4, and does not represent the interfaces or functionality of other Appian versions.
Open in Github

On This Page

FEEDBACK