Free cookie consent management tool by TermsFeed Appian Cloud Database Administration [admincontent-cloud]
Appian Cloud Database Administration

Overview

Appian allows you to configure and connect to your own supported relational databases. However, maintaining your own database requires certain expertise, which isn't desirable for all organizations. The Appian Cloud database is pre-configured so that you can focus on building low-code applications without any database set up.

This page provides guidance on how to use the database provided with your Appian Cloud environment.

Cloud database

Your Appian Cloud database is a MariaDB database server. To determine the database version, run a SELECT version() query in phpMyAdmin.

Tip:  MariaDB is a widely adopted solution with abundant online documentation. Because of this, Appian Technical Support does not provide general assistance or training for using these databases.

Accessing the Appian Cloud database

The interface used for the Appian Cloud database is phpMyAdmin. phpMyAdmin is an open source tool written in PHP, intended for use with MySQL and MariaDB.

Tip:  phpMyAdmin is a widely adopted solution with abundant online documentation. Because of this, Appian Technical Support does not provide general assistance or training for using phpMyAdmin.

To access the relational database for your Appian Cloud site:

  1. Go to your Appian environment.
  2. In the header bar, open the navigation menu .
  3. Choose Cloud Database to see all schemas available to you.

The schemas visible to you will depend on how your access is configured:

Cloud database access roles

  • Members of the Database Adminstrators system group will be redirected to phpMyAdmin, where they can see all schemas in the database.
  • Members of the Database Viewers and Database Editors system groups will see the specific schemas they have access to, along with the default Appian schema.

Schema-specific cloud database access

  • Users that are granted separate read or write access to at least 1 schema using group types and user-created groups will see the specific schemas they have access to, along with the default Appian schema.

cloud_schema_view.png

Tip:  To help distinguish between the phpMyAdmin interfaces for different environments, the phpMyAdmin header has a different default color and label for development, testing, staging, and production environments. If you want to change this label or color, open a support case.

Using schemas to configure access to data

Information in databases is often sensitive. While developers need access to certain information, it may be unnecessary to grant them access to all data in a database. For example, a developer who is only working on applications for HR wouldn't need access to data that is specific to Finance.

In your Appian cloud database, you can use schemas to control access to certain data. All Appian Cloud databases ship with a default "Appian" schema which has broad access. However, database administrators can create additional schemas and use system groups and object security to secure access to them.

schemas

This section describes best practices for creating schemas, how to grant access to schemas, and how to create schemas.

Best practices for creating additional schemas

The majority of your data should be stored in the default "Appian" schema. We recommend that you only create additional schemas when your applications need data segregation and isolation.

We also recommend that when you create tables for an application, you only use one schema for that application in addition to the default "Appian" schema. If there are tables that are common to applications in your environment that use different data sources, create those tables in the "Appian" schema. For example, an Employee table that needs to be used in both Finance and HR applications should be created in the "Appian" schema.

We do not recommend migrating data from existing schemas into new schemas. We recommend only creating schemas for new applications.

Granting access to schemas

If needed, you can now configure read or write access on a per-schema basis. This means that the same user can have access to a specific schema without requiring that user to have the same level of access to the remaining schemas.

Site administrators can configure schema specific access using user-created groups and system-created group types.

Alternatively, if you do not need this level of access granularity for your applications, then you can can utilize the existing system groups to assign a user role that will provide the same permissions across all schemas that the user has access to.

The schema-specific access configuration option does not replace the existing database access configuration process. Instead, it provides site administrators with additional flexibility to meet more specialized access needs and requirements. This will help promote better data separation across schemas and ensure that users do not have heightened access to database schemas when not required.

The following sections outline both methods in more detail. If you plan to use both access methods, review compatibility between the two access methods.

User role-based access to the cloud database

With this method, access to schemas is granted through system groups and the object security for the data source connected system of a schema.

System groups

System groups determine what users can do in the Appian Cloud database through phpMyAdmin.

Putting a user in the Database Administrators, Database Editors, or Database Viewers system group will give them the access assigned to that group in phpMyAdmin. See User Roles for more information on what access users in these groups have.

Tip:  The above system groups have been nested under a new group, Database Users. This system group provides a single focal point for site administrators to determine who can access the cloud database.

Tip:  Users in the Database Administrators group have access to all schemas, whether or not they are given access to the data source connected system object for the schema.

Object security

While the type of phpMyAdmin access a user gets is determined by which system group they are in, the schemas they have access to are determined by object security. In order to give users access to a certain schema, you must give them at least viewer permission on the data source connected system object for the schema.

For example, if you want to give editor access to an HRData schema in phpMyAdmin, you would first put the user in the Database Editors group. But they wouldn't have access to the HRData schema until you give them viewer permission on the HRData data source connected system object.

Configuring access to schemas

To grant different access in phpMyAdmin to different types of users for additional schemas, do the following:

  • To grant Administrator access to all schemas, put the user in the Database Administrators system group.
  • To grant Editor access to the default "Appian" schema, put the user in the Database Editors system group.
  • To grant Viewer access to the default "Appian" schema, put the user in the Database Viewers system group.
  • To grant Editor access to additional schemas, put the user in the Database Editors system group and give the user at least Viewer permission on the data source connected system object for the schema.
  • To grant Viewer access to additional schemas, put the user in the Database Viewers system group and give the user at least Viewer permission on the data source connected system object for the schema.

Schema-specific access to the cloud database

You can also choose to assign read or write privileges on a per-schema basis. This is an alternative to the role-based access controls defined above that rely on system groups and object security.

This configuration relies on system-created group types and user-created groups. As such, providing cloud database access using this method will not require Viewer or Editor permissions in the data source connected system object security. This allows administrators to provide access to the database without also granting access to those schemas in the application layer.

Group type assignment for read or write privileges

Group type assignments are made during initial group creation by selecting a value in the drop-down selection. For schema-specific configurations, the group type will determine whether group membership will have read or write permissions on the cloud database.

Group Types

  • Select Database Schema Editors to configure a group for write access.
  • Select Database Schema Viewers to configure a group for read access.

Group type attributes to define schema name

Since schema-specific access does not rely on the object security of the data source connected system, the specific schema name must be referenced as a group type attribute to access that schema on phpMyAdmin.

Group type attributes are used to extend the properties and metadata of a group. In this case, the group type is used to assign the cloud database schema name to the group. Once configured, members in that group will have access to that schema.

Configuring separate read or write access to a specific schema

To configure access to a specific schema, a site administrator must configure a user-created group with the following conditions:

  • The group is a precedent (subgroup) of the Database Users system group.
  • It is of group type Database Schema Viewer or Database Schema Editor.
  • It includes the schemaName attribute value to match the database schema name. The value is case sensitive and must be an exact match to the schema name.

Tip:  For security purposes, the Database Users group is only visible to site administrators.

Access to the database will not be granted unless the user-created group meets all three of the above conditions.

The below example configures write access to the schema "SchemaOne":

schema-access-group-configuration.png

To edit the group type attributes:

  1. Go to the user-created group.
  2. Click and select Properties.
  3. Expand the Attributes section.
  4. In Value, update the group type attribute as needed.

schema-access-group-type.png

Compatibility between the two access methods

You can grant database access using both system groups (access role-based) and schema-specific configurations. However, this could result in heightened and/or undesired levels of access. In this event, user access to the cloud database will be derived based upon both methods, as they function independently. When permissions conflict for the same schema, access will not be lessened or subtracted automatically.

If you have further questions, please contact support.

Creating new schemas

To create a new schema:

  1. Create separate schemas for each application or suite of applications that you want to secure using the AppianProcess.createNewSchema() stored procedure.
  2. Copy the credentials and connection URL.
  3. Create a MariaDB Data Source connected system for each schema using the credentials.
  4. For each connected system object, give at least viewer permissions to the users that you want to give schema access to.
  5. To allow users to make changes to the database through phpMyAdmin, put them in the Database Editors group. To give users read-only permissions in phpMyAdmin, put them in the Database Viewers group.

By default, you can create up to fifty schemas in your environment.

Note:  The credentials created by the stored procedure can only be used to connect to the data source from Appian. The password is encoded and can only be decoded by the application. Therefore, these credentials cannot be used to connect to the database from any other client.

Note:  The Enhanced Data Pipeline allows access to the new schemas. To request access to these schemas, you will need to open a support case.

Before deploying, create any additional Appian Cloud database schemas in the target environment

After you create a new schema, before deploying the associated data source connected system, manually create the schema in the target environment. See Data Source Connected System for more information on deploying data sources.

Creating stored procedures

If you find yourself frequently executing sets of SQL statements, stored procedures are the solution to streamline your processes. You can create a stored procedure in the Appian Cloud database using phpMyAdmin and execute it seamlessly using the Execute Stored Procedure smart service in your process model. These procedures allow you to reuse SQL logic across diverse segments of your application, reducing maintenance overhead. By centralizing execution logic, you can easily modify your databases, sparing you from the intricacies of altering queries in multiple locations. Moreover, stored procedures act as security gatekeepers, limiting direct access to critical database tables.

When managing the simultaneous execution of numerous stored procedures, Appian recommends implementing simple logging to capture errors and warnings. This will allow you to take quick action to fix any issues and preserve data integrity.

Built-in stored procedures

The following stored procedures are available in the Appian Cloud database:

AppianProcess.getMyProcessList()

This stored procedure produces a list of running threads started by the user executing the stored procedure. A problematic long-running query can be identified and killed using the information generated.

Required role: Database Administrator, Database Editor, or Database Viewer

Inputs: None

Example syntax: call AppianProcess.getMyProcessList()

AppianProcess.getFullProcessList()

This stored procedure produces a list of running threads started by any database user in your environment. A problematic long-running query can be identified and killed using the information generated.

Required role: Database Administrator

Inputs: None

Example syntax: call AppianProcess.getFullProcessList()

AppianProcess.killProcess()

This stored procedure allows database administrator to kill any thread started by any database user in your environment. A problematic long-running query can be killed using this stored procedure.

Required role: Database Administrator

Inputs: Thread ID

Example syntax: call AppianProcess.killProcess(6342)

AppianProcess.metadataLocks()

This stored procedure shows data about current locks in the database. This information can be used to identify the exact process that is locking a database object in order to take any required action.

Required role: Database Administrator, Database Editor, or Database Viewer

Inputs: None

Example syntax: call AppianProcess.metadataLocks()

AppianProcess.viewRoutineDefinition()

This stored procedure outputs the definition of a procedure or function that the database user is not the DEFINER for.

By default in phpMyAdmin, if a routine was created by a different database user, database editors might not be able to view the definition of a stored procedure or a function. if you have access to the schema in which the routine exists, this stored procedure can be used to retrieve the definition of the routine. You can then proceed to update or recreate the routine as required.

Required role: Database Administrator or Database Editor

Inputs:

  • Whether it is a 'procedure' or 'function'
  • Schema name
  • Routine name

Example syntax: call AppianProcess.viewRoutineDefinition('procedure','InventoryApp','GetItems')

AppianProcess.createNewSchema()

This stored procedure creates a schema. It outputs the required credentials that you can use to create a data source connected system for the schema that was created. Copy the credentials immediately after they are displayed and save them for use in your application.

If you forget to copy the credentials and navigate away from the screen, use the AppianProcess.updateSchemaPassword() stored procedure to create new credentials. This creates new credentials which you may need to update in the data source connected system.

Note:  Users may get an Unexpected token error. This is safe, your schema will still be created.

Required role: Database Administrator

Inputs: Schema name

Example syntax: call AppianProcess.createNewSchema('InventoryApp')

AppianProcess.dropSchema()

This stored procedure drops a schema.

Required role: Database Administrator

Inputs: Schema name

Example syntax: call AppianProcess.dropSchema('InventoryApp')

AppianProcess.updateSchemaPassword()

This stored procedure updates the password for the database user of the schema. The updated password is output along with the other credentials required for the data source connection.

Required role: Database Administrator

Inputs: Schema name

Example syntax: call AppianProcess.updateSchemaPassword('InventoryApp')

AppianProcess.rotateEncryptionKey()

This stored procedure rotates the data encryption key (DEK) that is used for encryption of database tables. To change all the keys, use -1 for the input. If tables were created with specific key IDs, to rotate that specific key use the key ID for the input.

Required role: Database Administrator

Inputs: -1 or specific Key ID

Example syntax: call AppianProcess.rotateEncryptionKey(-1)

AppianProcess.showEncryptedTables()

This stored procedure lists all the tables in your database that have been encrypted.

Required role: Database Administrator

Inputs: None

Example syntax: call AppianProcess.showEncryptedTables()

AppianProcess.changeEDPUserPassword()

This stored procedure generates a new password for the Enhanced Data Pipeline database user.

Required role: Database Administrator

Inputs: Database user name

Example syntax: call AppianProcess.changeEDPUserPassword('AppianViewer1')

AppianProcess.showEngineInnodbStatus()

This stored procedure generates the output of the SHOW ENGINE INNODB STATUS command. The output is useful in diagnosing problems such as deadlocks in the database. More information about how to use the output can be found on the MariaDB page about SHOW ENGINE INNODB STATUS command.

Required role: Database Administrator

Inputs: None

Example syntax: call AppianProcess.showEngineInnodbStatus()

Built-in views

AppianProcess.slow_log

This view contains data from MariaDB slow query log. The SQL statements that take more than two seconds to run in the database are captured in the view. The default threshold of two seconds can be changed by opening a case with Appian Support. The slow query data is not available if database encryption is enabled on Appian Cloud.

Required role: Database Administrator

Example syntax: SELECT * FROM AppianProcess.slow_log

Best practices

Use Appian features to manage your Appian Cloud database

You can use phpMyAdmin for debugging or advanced database manipulation when necessary. However, it is a best practice to use Appian applications to change tables or data in the Appian Cloud database.

For example, you can execute database scripts using compare and deploy. You can also create tables by generating them from custom data types.

Making these changes through Appian means that your database will remain compatible with newer versions of Appian.

Follow industry and Appian best practices

Appian strongly recommends following industry best practices to manage the data stored in the Appian Cloud database.

These include but are not limited to using:

  • A normalized schema.
  • Proper indexes on the data.
  • Optimized queries and views.
  • Database performance testing in lower environments.

When designing and using your database, we recommend that you follow the best practices outlined in Relational Database Guidance.

Properly design the schema to avoid decreased query performance

Even though there may be no predefined limits (besides disk) to the amount of process data that can be stored in the Appian Cloud database, it is important to keep in mind that you might experience decreased query performance as disk footprint increases, unless you properly design the schema.

To help analyze the performance of the database, use the following tables in the Appian Cloud database performance schema:

  • performance_schema.events_statements_history
  • performance_schema.events_statements_current
  • performance_schema.events_statements_history_long
  • performance_schema.events_stages_history
  • performance_schema.events_stages_current
  • performance_schema.events_stages_history_long
  • performance_schema.events_statements_summary_by_digest
  • performance_schema.table_io_waits_summary_by_table
  • performance_schema.table_io_waits_summary_by_index_usage

Note that Appian Support doesn't help interpret or make use of the information in these tables.

Do not use the DEFINER clause in SQL scripts when creating objects

When running SQL scripts to create objects in the Appian Cloud database, don't use the DEFINER clause. If you don't specify the DEFINER, the database will use the default user to create the objects. This means that if the default database user ever changes, you won't have to worry about updating your scripts.

See troubleshooting section if you have issues related to editing objects in phpMyAdmin.

Only store data for your Appian applications in the database

Appian provides the Appian Cloud database to store data for your applications. We strongly discourage using the database to store other types of data. Doing so is outside of the scope of the Appian Cloud service.

Considerations and limitations

Advanced database configurations are not available in Appian Cloud databases

Because we want the Appian Cloud database to be easy to use, it is not a full-featured database solution. Many advanced features would require a dedicated database administrator for support. In order to avoid that, Appian Cloud customers don't have access to advanced database configurations.

If you want a full-featured database solution with advanced database features, you can host your own relational database and connect to it over the Internet or through VPN.

Limitations of responsibilities

Appian maintains performance for tables supplied by Appian. You are responsible for performance for the tables you create.

Appian Technical Support is not responsible for the administration of any customer data you may store in your database, beyond performing regular backups.

Maximum storage space limitations

There is a limit to your maximum allocated storage space, which is specified in your service agreement. Consider this limitation when designing your database or estimating the amount of data that will be stored in your database.

Additional features

The following features are available for Appian Cloud databases:

  • Advanced or Enterprise Support Appian Cloud customers can use the Enhanced Data Pipeline to connect directly to their business data source. It also allows them to utilize their data management tools such as:
    • Extract Transform Load (ETL) processes
    • Business intelligence
    • Data warehousing
    • Reporting
  • Appian Cloud databases that use MariaDB can enable data-at-rest encryption.

Troubleshooting

Editing stored procedures or function fails

If you are editing a stored procedure or function as a database administrator in phpMyAdmin, make sure that the value in the definer field is either empty or dbadmin. In general, it is a best practice not to use the DEFINER clause when running scripts in phpMyAdmin.

What to do if you get locked out of a stored procedure or function

If you try to edit the view without updating the DEFINER field, you may get locked out of the stored procedure or function. Use the AppianProcess.viewRoutineDefinition() to get the definition of the object and recreate it with dbadmin as the DEFINER or without the DEFINER specified.

Editing a view fails

When editing views in phpMyAdmin as a database administrator, if there is a value such as appian in the DEFINER field, update it to dbadmin. Do not leave it blank.

Appian Cloud Database Administration

FEEDBACK