AgilePoint System Permission Overview and Basic Permission Setup Guidelines
The AgilePoint system is quite wide and deep. It allows granular control and permission management, with flexibility at multiple levels. This post is an attempt to provide the big picture of the permission model and to recommend basic permission guidelines, which can be, and need to be, extended based on an individual organization's needs.
Let's start with the big picture... literally a picture...
Common System Permissions – Another title for these permissions could be "Role Based Permissions". AgilePoint has a concept of a Role, and each role can have various privileges/rights associated with it. Navigation to these roles and privileges is through "Manage -> Access Control -> Roles". These roles can be assigned directly to groups or individuals. In short, a collection of rights/permissions/privileges makes a role, which defines what a user is allowed to see and perform irrespective of application. For example, if a role allows reassigning a task, then an individual or group possessing this role will always be able to reassign the task, regardless of which application the task is associated with.
The role permissions touch all sections/features of the AgilePoint system. This includes user/role/group management, access token management, workflow management (reassign task, cancel task, initiate process, cancel process, etc.), Module Management (enable/disable various modules in the system, e.g. App Builder, Analytics, Manage Center, etc.), App Builder Management (check-in, check-out, publish app, etc.), System Settings Management (enable/disable settings associated with various modules) and Analytics Management (this is related to reporting and covers basic permissions such as administrator, report creator and report viewer; the advanced and granular permissions of Analytics are managed from the Analytics Module itself).
Page Builder Permission – These permissions are completely separate from the role based permissions under the Common System Permissions. Navigation to these permissions is Manage -> App Management -> Permissions -> Page Builder Permissions. There are two levels of permissions: 1. Page Admin and 2. Page Designer. When the AgilePoint system is set up at the beginning, only the service account possesses the Page Admin permission. This permission gives full control of the Page Builder module and also allows managing the users/groups that hold Page Builder permissions. As the name indicates, it's an administrative permission.
Pre-requisites – There is an environment/tenant level switch that turns the visibility of the permission screen on or off. This switch is accessible to the tenant admin or service account through Settings -> Tenant Settings.
Who should possess Page Admin permission – Typically and from the governance perspective, I have seen this permission restricted to system admins.
Page Designer – This permission allows creating, checking in, checking out and publishing pages in the Page Builder module. You may have a group of users who will do page administration.
Who should possess Page Designer permission – As the name indicates, this permission is slated for a page developer/designer. You may have a group of users who will be doing page development. You might want to restrict this permission in non-development environments (QA, UAT, Stage, etc.) to the admin group, as there would not be any developer doing page development there.
Note – Deletion of pages can be controlled through a switch, which is accessible at Settings -> App Builder -> Page Builder.
Data Entity Permission – Similar to the Page Builder Permission, this permission is completely separate from the role based permissions. The navigation to this permission is Manage -> App Management -> Permissions -> Data Entity Permissions. It has two levels of permissions: 1. Global Data Entities Permission Manager and 2. Entity Designers. When the AgilePoint system is set up, the service account is the only account that has the Global Entities Permission Manager permission. This is an administrative permission that provides full control over the Data Entity module. It also allows managing the users and groups who need access to Entities as a developer/designer or as an administrator. You may want to create a group to grant this permission to.
Who should possess Global Entities Permission Manager permission – From the AgilePoint system governance perspective, this permission needs to be restricted to the admin group/users only.
Entity Designers – This permission allows managing (creating, deleting, changing, etc.) entities. It is meant for the designer/developer group/users who need to deal with entities at the time of app development. Take note that there is granular permission management at the individual entity level as well.
Who should possess Entity Designer Permission – A group/users who need to create/delete entities should possess this permission. Typically it is a group of developers.
Note – Deletion of custom entities can be controlled through a switch, which is accessible at Settings -> App Builder -> Data Entities.
App Permission – As the name indicates, these permissions are associated with an app. They are partially driven by role based permissions: only users with a role that has "Manage App Permissions" can access these app permissions. These permissions allow managing who needs to access the app as an Initiator, as an Owner, as a Designer, and as a Report Viewer.
App Initiator – This permission is required for anyone who needs to initiate a request on the app/workflow. If I need to submit a request for my vacation, then I should be an initiator on the Vacation Management app. This permission can be assigned to a group and/or a user. Navigation to this permission is available through App Builder (select an individual app and the corresponding Permission option becomes available) as well as Manage Center -> App Management -> Permissions -> App Permissions.
App Owner – This permission defines who owns the app and who can manage app permissions. Checking in/checking out the app on behalf of others, rolling back an app version and deleting the app are the other permissions granted to an App Owner. This permission also enables a special Work Center view called "Applications I own", which gives a holistic view of all tasks assigned to various users.
Who should possess App Owner permission – Typically a user from the business side who takes ownership of the app. In cases where the business group may not be in a position to look after the administrative part of the app, the App Owner permission can be shared between the business and the AgilePoint governance (typically IT) group.
App Designer – This permission allows accessing the app through the App Builder module. As an app designer, a user can open the app in the App Builder, make changes, check in, check out, etc.
Who should possess App Designer permission – This permission is required for a developer group/user. From the permission perspective, you might want to create an app-specific designer group. In a small organization, the members of these groups might be the same across the apps. In a large organization with dedicated app-specific development teams, access can be controlled through a designated group per app.
Report Viewer – The AgilePoint system has a feature called Report View, which is nothing but a read-only view of application data through a pre-defined screen (developers define the Report View in each app). This Report View option is available through Work Center.
Who should possess Report Viewer permission – This is an app level permission. It is for business users who need to look at the application data through a read-only screen.