User roles give a user specific privileges to access certain areas of Appian. The areas include access to Tempo, Appian Designer, the Process Modeler, the Quick Apps Designer, the Administration Console and the phpMyAdmin interface for the Appian Cloud database.
Each role is represented by a system group and thus works similarly to other system groups in that when you add users to the role, they automatically receive the associated privileges without need for further setup.
User roles differ from system groups in that by adding a user to a role, you actually restrict them from accessing any areas of Appian not part of that role. Other system groups don't actually restrict users by virtue of their rules; they only add privileges.
This restriction is beneficial in creating secure applications. For example, you may want to create users that can interact and complete processes in the Tempo in order to increase collaboration around the company without allowing them access to Appian Designer where they could accidentally modify a process model. In this case, you can add these users to the Application User Role.
The following User Roles are available.
The Application User Role gives a user access to Tempo, sites, and embedded interfaces. Users can complete any tasks and start processes they have access to here, but they do not have access to the Designer interface, including the Process Modeler or the Administration Console.
Users are added to the Application User Role when you add them to the Application User System Group.
The Tempo User Role gives a user access to Tempo specifically. Use this role when you need finer access control than the Application User Role allows. Typically this role is used to prevent sites-only users from accessing Tempo while maintaining the other aspects of the Application User Role, such as completing tasks they have access to in sites.
Users are added to the Tempo User Role when you add them to the Tempo User System Group.
The Quick App Creator Role allows users to access the Quick Apps Designer, and create and modify Quick Apps. Users in this role will also often be Application Users, as well as having the Basic User user type.
Note: Designer users have access to an application builder in Appian Designer, and do not need to be configured into this role to generate applications quickly.
Users are added to the Quick App Creators Role when you add them to the Quick App Creators System Group.
The Designer Role allows users to work within the Designer Interface and any applications exposed through an end user environment. They can design applications and complete tasks within an end user environment, but they do not have access to the Administration Console.
Users are added to the Designers Role when you add them to the Designers System Group.
The Service Account Role allows administrators to designate service accounts that can use API keys and the OAuth 2.0 Client Credentials Grant to invoke Appian web APIs. Service accounts are unable to log into Appian and cannot be automatically deactivated due to inactivity.
Service accounts can be created from the Admin Console when creating an API Key or OAuth 2.0 client. Existing users are added to the Service Account Role when you add them to the Service Accounts system group.
These roles apply to Appian Cloud environments only.
Appian Cloud database user roles control what users can do and see in the Appian Cloud database through phpMyAdmin. Users can be assigned any of the following roles to provide them access to phpMyAdmin user interface. To learn more about how to use system groups to grant access certain schemas, see Appian Cloud Database Administration.
The Database Administrator Role has the highest level of access to the database through phpMyAdmin. Only database administrators can perform the following activities in the Appian Cloud environment:
Users are added to the Database Administrator Role when you add them to the Database Administrators System Group.
Since the database administrator role has elevated privileges, make sure that only the required users are given this role. Keep the following in mind when determining who has this role:
The Database Editor Role can read, write, update, and delete data and database objects in the Appian Cloud database through phpMyAdmin.
All database editors have access to the default Appian schema. However, they only have access to other schemas if they have at least viewer permissions on the data source connected system for the schema.
Users are added to the Database Editor Role when you add them to the Database Editors System Group.
Note that by default the Designers group is automatically added to the Database Editors group. However, you can remove the Designer group from the Database Editors group.
The Database Viewer Role has read-only access to the Appian Cloud database through phpMyAdmin.
All database viewers have access to the default Appian schema. However, they only have access to other schemas if they have at least viewer permissions on the data source connected system for the schema.
Users are added to the Database Viewer Role when you add them to the Database Viewers System Group.
The user role for a user overrides the user type.
The user role for a user works in union with other system groups.
By default, new users are not assigned to any user role and cannot access any areas of Appian. However, also by default, the following rules are defined for user roles:
These defaults are configured by rules within the Application Users System Group and Designers System Group. In order to change them, you need to modify the associated system group rule.
Since assigning a user to a user type is required when creating the user account, this is a necessary step if you want new users to not have any access to Appian, by default.
Since User Roles are represented by a system group, adding a user to a user role is the same as adding a user to a system group. Only System Administrators can add a user to a user role.
For instructions on doing so, refer to Add Users to Groups.
If the user is currently logged into the system, the new role privileges may not take affect until the user logs out of Appian and then logs back in.
Removing a user from a role is as easy as removing them from the role's system group.
If you are removing a user from a role in an effort to change their role (for example, from an Application User to a Designer), add them to the new role first to prevent temporarily removing their access entirely. Users who are not in any roles will not be able to sign-in.
For instructions on doing so, refer to Managing Groups.
When removing users from a role, keep the following in mind:
On This Page