Microsoft’s Windows operating system (OS) has been by far the most popular operating system since it was launched in 1985. However, this popularity is two-sided. On one hand, users benefit from its simplicity, robust worldwide support ecosystem and near-universal user acceptance. On the other hand, it remains the target of choice for attackers who craft sophisticated exploits to gain access to the system.
One of the Windows features most prominently targeted by attackers is the set of built-in user accounts. These accounts are created automatically during the Windows installation process and cannot be removed or deleted afterwards. Built-in local user accounts are used to manage access to local resources based on the rights and permissions that are assigned to the account. By default, three accounts will be provided in “Users group” during the installation process. These accounts are known as Administrator, Guest and HelpAssistant.

Administrator Account
The default local Administrator account is the user account for the System Administrator and it gives the user full control of all files, directories, services, and other resources that are under the control of the local server. This account can also be used to create additional local users and assign rights and access control permissions. The sheer number of privileges given to the Administrator makes this account a prime target for attackers. By default, the Administrator account cannot be deleted or locked out, no matter how many times an incorrect password is entered. This makes brute force and password guessing attacks a popular form of attack by malicious actors.

Guest Account
The Windows built-in Guest account is usually used to allow occasional users who do not have an account on the computer to log in temporarily and gain limited access to the local resources. The Guest account has a blank password by design, allowing unauthenticated users to log in. This presents a security risk as it provides unauthorised users with access to any shared folders that the Guest account has permission to view, which could ultimately lead to data theft and corruption.

HelpAssistant Account
The HelpAssistant is the primary account used to establish a Windows Remote Assistance session.
This account is created automatically when a user requests a Remote Assistance session and has limited access to the computer. This HelpAssistant account will be automatically deleted if no remote assistance request is pending.

Best Practices
Knowing that its operating system has become an irresistible target for hackers, Microsoft has, however, come a long way in its efforts to secure its products. Starting with Windows 7, the Administrator and Guest accounts are disabled by default. None of these accounts will be able to provide access to network resources. Ultimately, users are also responsible for keeping their computing environment safe and sound. The Center for Internet Security (CIS) Benchmarks provide useful guidelines on how to secure the built-in user accounts and keep the risk of exploitation to a minimum. Following the guidelines, default user accounts should be renamed so that their function is hard to guess. For Windows Administrator accounts, the password is not supposed to be shared with others and should always be long and complex. Users are also advised not to log on using the administrative account unless necessary. For the Guest account, a password that meets the set complexity requirements should replace the default blank password. In addition, the account should be enabled only in low-security networks.

Conclusion
In the Windows operating system, built-in accounts are features that cannot be removed. Despite their security issues, the associated risk can be minimised through the precautions taken by Microsoft and good practices by users.
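The practices above can be checked against an account inventory. This added example (not from the original article) identifies the built-in accounts by their well-known RIDs, 500 for Administrator and 501 for Guest, so a renamed account is still recognised; the sample records and their field names are constructed assumptions.

```python
# Added example: audit a local-account inventory against the practices above.
# SAMPLE_ACCOUNTS is constructed data; the field names are assumptions about
# how the inventory was exported, not a fixed Windows format.

# Well-known relative identifiers (RIDs). The RID is the last component of
# the SID and does not change when the account is renamed.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}

SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "sid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "enabled": True, "password_required": True},
    {"name": "visitor", "sid": "S-1-5-21-1111111111-2222222222-3333333333-501",
     "enabled": True, "password_required": False},
    {"name": "alice", "sid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
     "enabled": True, "password_required": True},
]


def builtin_role(sid):
    """Map a SID string to 'Administrator', 'Guest' or None via its RID."""
    try:
        rid = int(sid.rsplit("-", 1)[1])
    except (IndexError, ValueError):
        return None  # malformed SID: not treated as a built-in account
    return BUILTIN_RIDS.get(rid)


def audit_builtin_accounts(accounts):
    """Return (account name, finding) tuples in inventory order."""
    findings = []
    for acct in accounts:
        role = builtin_role(acct["sid"])
        if role is None:
            continue  # ordinary user account, outside this check
        name = acct["name"]
        if name.lower() == role.lower():
            findings.append((name, "default name not changed"))
        if not acct["enabled"]:
            continue  # a disabled built-in account needs no further checks here
        if role == "Administrator":
            findings.append((name, "built-in Administrator enabled"))
        else:
            findings.append((name, "Guest enabled"))
            if not acct["password_required"]:
                findings.append((name, "Guest allows blank password"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_builtin_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```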
Overview
This page provides guidance on how to configure your system, authentication, and integration settings and monitor system activity in the Appian Administration Console (the Admin Console). The Admin Console is where system administrators can update certain configuration properties through the web interface. Users must be system administrators to make changes in the Admin Console.

Access the Admin Console
To access the Admin Console in your Appian environment, open the navigation menu, then select Admin Console. Only system administrators can access the Admin Console and make changes to the configurations. The Administrator user is specifically prohibited from accessing the Admin Console in order to ensure that all changes can be traced to a specific named user rather than a shared account. All changes made through the Admin Console are logged to an audit log. The log captures the username of the user that made the change, along with the previous and new values of the changed property.

See also: Appian Admin Console Logging

System
The following pages relate to system administration.

Branding
The Branding page allows you to manage the name, logos, and colors that appear throughout the Tempo interface. The branding settings only apply to the web interface. For branding of the mobile interfaces, see the Custom Mobile Applications documentation. Clicking the SAVE CHANGES button will cause the updated values to become live in the system. As a best practice, experiment with various color configurations in a development environment before applying them to a production system. All branding modifications result in an audit log message with the username of the user who made the change, the previous values, and the new values. Note that the Branding configurations only apply to Tempo. To learn about custom styling for embedded interfaces, see Themes.

Identity
Colors
Data retention
The Data Retention page allows you to manage the following settings:

File upload
The File Upload page allows customers to manage the following settings:

Using file type verification effectively
File type verification can be toggled on and off through the checkbox labeled "Block any file with an extension that does not match the underlying file type". To fully leverage this powerful feature, we recommend enabling it in coordination with a list of extensions to allow rather than a list of extensions to block. We recommend this for two reasons:
Internationalization
The Internationalization page allows you to set the primary locale and time zone displayed to users. This page also controls the calendar types and locales that are enabled for the environment.

Locale settings
The locale settings affect the language of Appian-generated text and the format of dates, times, and numbers. They do not affect text that is configured by developers in design objects. The table below lists the default locales available for selection. Text is only translated in the interfaces listed below, as supported. When a new version of Appian adds support for a new locale, the translated interfaces may only include support for the Tempo and Mobile interfaces.

Enabling locales
Enabling a locale makes it available for users to select as their locale setting. To enable a locale, select it from the Enabled Locales dropdown, then click SAVE CHANGES. When enabling locale settings, consider:

Disabling locales
To disable a locale, remove the check from the corresponding entry in the Enabled Locales dropdown list. If a user's preferred locale is set to a locale you have disabled, the primary locale for the environment displays to the user instead. Users can then select a new preferred locale from one of the remaining locales that are enabled for your environment.

Selecting a primary locale
To specify a primary locale for your environment, select a locale from the Primary Locale dropdown list. The primary locale is used for users who have not selected their own preferred locale. Note that only enabled locales are listed here.

Setting a system-wide locale
To use the primary locale for all users regardless of their preferred locale, select the Always override users' selected locale checkbox. Selecting the Always override users' selected locale checkbox ensures that user preferences are never enforced. Irrespective of user preferences, the primary setting is then always applied.

Date and time settings
The preferred locale setting governs the format of dates and numbers that are displayed by the system. For example, if the preferred locale is set to English (US) [en_US], the date is displayed with the month preceding the day. The same date, when the preferred locale is set to Spanish [es], is displayed with the day preceding the month.

Display formats used by default locales
The following table lists the date and time formats used when a certain default locale is selected (or is the only enabled locale).
Hours displayed in US English use a 12-hour clock with an AM or PM designation.

Number formats
The separators between digits in a number change based on the preferred locale. For example, if the preferred locale is English (US) [en_US], a comma (,) is used as a separator (1,000). If, however, the preferred locale is set to German [de], a full stop (.) is used as the separator (1.000).

Calendar settings
According to the US Naval Observatory, the Gregorian calendar is the internationally accepted civil calendar. This is the default calendar used in Appian.

Selecting a primary calendar
To change the default Gregorian calendar to a different calendar, select a calendar from the Primary Calendar dropdown list. Options include the calendars listed below.

Islamic calendars
You can select from three Islamic calendars, which use slightly different leap year patterns and different means for calculation.
The leap year patterns are based on the following logic:
The difference between calendar type 1 and type 2 centers on when the leap day is added.
The differences between the Type 1 and Type 2 leap-year schemes are shown in the following table, which lists the remainder for each year in the 30-year cycle.

Islamic calendar epoch
The epoch defines the starting point of the calendar (the first day of year one). The following epochs can be selected for Islamic Type 1 and 2 calendars.

Setting a system-wide calendar
To override all users' preferred calendar settings with the primary calendar, select the Always override users' selected calendar checkbox when selecting the primary calendar. Selecting the Always override users' selected calendar checkbox ensures that user preferences are never enforced. Irrespective of user preferences, the primary setting is then always applied.

Selecting a primary time zone
Locale preferences and time zone preferences affect how dates and times may be displayed. For example, a process start time of Oct 12, 2011 at 5:00 pm Eastern is displayed differently for a user with Spanish locale and Central time zone preferences.
As with locales, system administrators must also specify a primary time zone for the environment. At installation, the primary time zone is set to Greenwich Mean Time (GMT). To specify another primary time zone for the environment, select a time zone from the Primary Time Zone dropdown list. This recommended list is based on the selected locale. System administrators can override the default list of recommended time zones or add a list for a new locale by modifying the

To override all users' preferred time zone settings with the primary time zone, select the Always override users' selected time zone checkbox. When selecting a Continental US time zone, we recommend using the following settings.
A process model can take a specific time zone, which is used by each process spawned from the model. Alternatively, models can be configured to use the time zone preference of the user who starts the process model. This is set in the process model's properties. Selecting the Always override users' selected time zones checkbox ensures that user preferences are never enforced. Irrespective of user preferences, the primary setting is then always applied.

Mobile
The Mobile page allows you to manage settings for your organization's mobile devices:

Permissions
The Permissions page allows you to control user access to various actions on Tempo.

User profile
The User Profile section allows you to specify what information users are allowed to update from their user profiles, and whether users will be able to see the profile details of other users.

Editable fields
The fields that are set to be not editable here are displayed but disabled to users in their user profiles. Each checkbox on the page corresponds to a set of user profile fields as follows:
Default user profile visibility
If this option is selected (the default), users will be able to see the profile details of a user if that user's role map has no viewers configured, and notification emails sent by Appian will include users' display names. If unselected, no users will see that user's details unless they are explicitly added in the viewers role of that user, and notification emails sent by Appian will only include users' usernames, not their display names. Regardless of the value given for this property, if the viewers role is non-empty, only those users set in the viewers role will be able to see that user's profile details.

Quick apps
Update Quick Apps settings on the Permissions page in the Admin Console. This section contains the configurations to enable Quick App creation.

Add users to the quick app creators role
This link opens the Quick App Creators group. Adding users to this role gives them access to the Quick Apps Designer.

Quick apps data source
The data source chosen in this dropdown is the location where tables will be generated and updated for new Quick Apps. No Quick Apps can be created until a value is selected here. Changing this value will only affect new Quick Apps. Any existing Quick Apps will remain connected to the data source selected at the time they were created, even when the Quick App is updated from the Quick Apps Designer. The Appian user must have the following permissions to the connected data source for Quick Apps to work correctly: CREATE, ALTER, DROP, INSERT, UPDATE, and DELETE.

Error messages
The Error Messages setting allows you to control the level of technical detail that you want to include in error messages that your basic users may encounter when working with expressions, interfaces, views, or actions. System administrators, and basic users in the (system) Designer group, will always see detailed error messages when working with these objects and components.
Setting options are enabled or disabled; the default setting is enabled.

Detailed error messages
Enabling this setting provides basic users with detailed error messages that may include system information and object-specific information, like object references and details about why the expression error occurred. For example, the detailed error message below includes information about the expression error, the error type ID, the affected expression rule and parameter, and the code line where the error occurred.

Simplified error messages
Disabling this setting prevents basic users from having access to unwanted technical information. Instead, they will see a simplified error message that includes an identifier and instructions to contact the application administrator as shown below. The application administrator should provide the system administrator with the Error Message Identifier so they can use it to view further details about the error in the Design Error log. Detailed error messages are always logged in the

Tempo
This section contains the configurations to control Tempo access.

Edit the tempo users group
This link opens the Tempo Users group. By default, all users can access Tempo. Removing members or membership rules from this group will prevent those users from accessing Tempo.

Portals
On the Portals page, you can choose whether to add a UUID to all portal URLs created in your environment. Adding UUIDs to portal URLs allows you to restrict access to portals that are intended for development and testing. Only users that you share the URL with will be able to easily find the portal, allowing you to test and develop your portals with a selective audience. This setting is selected by default on all development and testing environments, but not selected for production environments. We recommend keeping the default selection for your environment. When you deploy to a different environment, the portal automatically uses the URL settings for the new environment.
For example, when you deploy a portal from a testing to a production environment, the portal in the testing environment will have a UUID but the portal in the production environment will not. Below is a comparison of two portal URLs with and without UUIDs:

To preview your portal URL, check out Configurations in your portal object.

Plug-ins
All plug-ins are use-at-your-own-risk, and their functionality is not guaranteed by Appian. All plug-ins should be tested thoroughly. For more details about individual plug-ins, visit the Appian AppMarket. The Plug-ins page lists all plug-ins that are available in the environment. In the Plug-ins page, you can:
This plug-in information is provided by the plug-in manifest file when you install a plug-in. If a user changes the access to a plug-in, then there will be an audit log message that will track the username of the user making the change, the previous value, and the new value. You can also view the plug-in list and compare plug-ins across environments in the Objects view in Appian Designer.

Add an approved plug-in
For Appian Cloud customers, system administrators can add plug-ins that are approved for Appian Cloud and supported in your environment's version of Appian. To add a plug-in:

When you add a plug-in this way, it deploys immediately to your environment. If the plug-in fails to deploy, check the Application Server logs for more information.

View version status
For Appian Cloud customers, the system automatically verifies your installed plug-ins against the applications listed in the AppMarket. The system then displays the results of this verification as version status indicators in the Version column of the plug-ins list. Version statuses include:

To filter the plug-ins list by version status, use the VERSION STATUS filter in the toolbar.

Enable or disable the Encryption Service
The Encryption Service allows the plug-in to encrypt or decrypt values of type

By default, no plug-ins are allowed to access the Encryption Service. An administrator must explicitly grant access to each plug-in. To enable Encryption Service for a plug-in:

Once access is granted, a shield icon displays next to the plug-in name, and all modules within the plug-in may use the Encryption Service. To learn more about encryption, see Encrypted Text.

Compare a plug-in across environments
This option is only available if you have enabled connected environments. To compare a plug-in across environments:
Learn more about comparing objects across environments.

Manage your plug-ins
We recommend managing your plug-ins carefully to take advantage of the latest enhancements, address security concerns, and keep your applications running smoothly. This can mean updating plug-ins to the latest AppMarket version, reverting plug-ins, or deleting plug-ins that are no longer used or supported. To determine which actions are needed to manage your plug-ins:

Update a plug-in
To update the plug-in to the latest AppMarket version:

Make sure to regression test the updated plug-in with your application and environment. If you need to revert your plug-in for any reason, you can do so within three months of the update.

Revert a plug-in
You can only revert to the previously installed version of the plug-in, and you can only revert within three months of updating the plug-in. To revert the plug-in to the previous version installed in this environment:

Delete a plug-in
To delete a plug-in:

You can track deleted plug-ins in the deletions log.

Sign-in page links
The Sign-in Page Links page allows you to add custom links to the sign-in page. The links will appear on the sign-in page in the same order in which they are arranged in the Admin Console. The maximum number of links is five and only links that use the

Typefaces
The Typefaces page allows you to configure a custom typeface to be used for sites and portals on both web and mobile. The default typeface is Open Sans. Site objects use the active typeface in the branding preview, but you will always see the default typeface when editing interface objects. Up to nine typefaces can be added, but only one can be active at a time. To add a custom typeface:
To select an active typeface:
Sites update automatically after a refresh. A portal updates after it is republished. To view the typeface in the Appian Mobile application, sign out and back in to the application. See Custom Typefaces for more information.

User start pages
The User Start Pages page allows you to configure which pages users start on when they first log into Appian or if they navigate to the base Appian URL with or without the application context (for example acme.appian.com or acme.appian.com/suite). Note that if a user navigates to a specific environment (for example Tempo) or page (for example a record view), they will not be redirected to their configured start page. You can add rows to the grid to configure different groups of users to have different start pages. Only public and restricted groups can be selected, not personal groups. If a user belongs to multiple groups that have different start pages configured, their start page will be the highest one in the grid that corresponds to a group that they belong to. You can also configure the Default Start Page, which is the start page for all users who don't belong to any of the groups configured in the grid. To minimize data entry errors, copy and paste start page URLs directly instead of typing them in manually. Clicking the SAVE CHANGES button will cause the configured start pages to take effect in the system. An audit log captures all historical values in this page.

See also: Appian Admin Console Logging

Authentication
The following pages relate to authentication administration. Unless otherwise indicated in the setting section, these settings do not apply to users who authenticate through SAML.

See also: Authentication.

Appian authentication
The Appian Authentication page allows you to control password strength requirements and password expiration policies.

Password storage
Appian hashes passwords using an industry standard hashing algorithm and only stores the hashed values of passwords.
When passwords are entered, they are similarly hashed using the same algorithm, and the result is compared against the stored value.

Password Format
The Password Format section allows setting the following:
The configurations in this section apply only to passwords managed by Appian and do not apply to accounts that authenticate with LDAP or SAML. For information and details regarding the configuration of the Remember Me Authentication, see also: Remember Me Authentication

Appian Cloud installations have different default settings than self-managed installations. The following default password policies are in place for Appian Cloud users:

Remember Me
The Remember Me section allows you to toggle the Remember Me password setting on or off. Toggling this setting on allows you to configure the length of time that a user will remain signed in without having to enter their username and password. By default, this setting is configured so that users must provide their username and password once every two weeks for each browser on which they access Appian. This setting does not apply to Administrators. Administrators are automatically logged out when their session expires, which is based on the Session Timeout period. This setting only applies to users who authenticate via Appian authentication or LDAP. For more information about enabling Remember Me for SAML, see SAML for Single Sign-On.

See also: Remember Me on the Authentication page.

Session Timeout

This setting also applies to the sessions of users who authenticate through SAML.

Password Expiration
The Password Expiration section allows setting the following:
When a password expires, the user must change the password before they are allowed to proceed past the Appian log-in page. The configurations in this section apply only to passwords managed by Appian and do not apply to accounts that authenticate with LDAP or SAML. Appian Cloud installations have different default settings than self-managed installations. The following default password policies are in place for Appian Cloud users:
Initial passwords for Appian Cloud are temporary passwords. The system prompts users to reset their password immediately after logging into Appian Cloud.

Forgot password
The Forgot Password section allows setting the following:
When this feature is enabled, only users that meet the following requirements will be able to reset their passwords:
If either SAML or LDAP is enabled for all users, the Enable Forgot Password from Sign-In Page checkbox will be disabled and unchecked because when these authentication features are enabled, Appian does not have control over users' credentials. If, however, only some users authenticate through LDAP or SAML, the feature can be enabled, and the "Forgot your password?" link will appear on the sign-in page for all users. Use import customization files to change the value between environments with different authentication configurations. Use of this feature can be audited through the Forgot Password Requests and Password Resets audit logs.

Account locking
User accounts that have difficulty supplying the proper credentials are temporarily locked (prevented from making a login attempt) when the user (or someone attempting to log in as the user) tries too many incorrect passwords. The system does this by keeping track of the number of failed login attempts for each account. The failed login count is reset automatically after some time has passed from the last failed attempt. This prevents the user from accumulating a large number of failed login attempts over a long period of time. The Account Locking section allows setting the following:

The failed login count is reset if the account is unlocked by an administrator.

When you specify a deactivation interval, that same interval must elapse before user accounts begin to be deactivated. For example, if you specify an inactivity deactivation interval of 90 (90 days) on April 1st, a user account that does not successfully log in between April 1st and June 30th is deactivated. In this scenario, a user account that has not logged in since January 1st also remains active until June 30th, as you did not activate the policy until 90 days after the user account became inactive.

User accounts that are deactivated due to inactivity are listed at the INFO level in

The system user Administrator is never automatically deactivated.

Appian Cloud installations have different default settings than self-managed installations. The following default password policies are in place for Appian Cloud users:
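The account-locking and inactivity-deactivation rules described above, modelled as an added example (this is not Appian's code). The parameter names and values, the fixed lock duration, and clearing the count on a successful login are assumptions made for the illustration; dates are constructed.

```python
from datetime import datetime, timedelta


class LockoutPolicy:
    """Per-account failed-login tracking with automatic count reset.

    Added example: max_attempts, reset_after and lock_duration are
    hypothetical settings, not Appian property names or defaults.
    """

    def __init__(self, max_attempts=3, reset_after=timedelta(minutes=30),
                 lock_duration=timedelta(minutes=15)):
        self.max_attempts = max_attempts
        self.reset_after = reset_after
        self.lock_duration = lock_duration
        self._failures = {}      # username -> (count, time of last failure)
        self._locked_until = {}  # username -> time the temporary lock ends

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def failed_count(self, user, now):
        """Current count; zero once reset_after has passed since the last failure."""
        count, last = self._failures.get(user, (0, None))
        if last is not None and now - last >= self.reset_after:
            return 0
        return count

    def record_attempt(self, user, success, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"  # refused before the password is even considered
        if success:
            self._failures.pop(user, None)  # assumption: success clears the count
            return "ok"
        count = self.failed_count(user, now) + 1
        self._failures[user] = (count, now)
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lock_duration
            self._failures.pop(user, None)  # fresh count once the lock ends
            return "locked"
        return "failed"

    def admin_unlock(self, user):
        """An administrator unlock also resets the failed login count."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


def deactivation_due(username, last_login, policy_enabled_at, interval_days, now):
    """True when an account should be deactivated for inactivity.

    The interval runs from the later of the last successful login and the
    moment the policy was enabled, so accounts that were already idle are
    not deactivated the instant the policy is switched on.
    """
    if username == "Administrator":
        return False  # the system user is never automatically deactivated
    start = max(last_login, policy_enabled_at)
    return now > start + timedelta(days=interval_days)


if __name__ == "__main__":
    policy = LockoutPolicy()
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    for minute in range(4):
        print(minute, policy.record_attempt("alice", False, t0 + timedelta(minutes=minute)))
```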
Activity from the Appian Mobile applications does not count towards the number of active sessions a user has and the number of requests from the mobile applications. See also:
Terms of service
The Terms of Service Agreement section allows you to set a message on the sign-in page that users must click to accept before entering the system.

When you change the terms of service, all remember me authentication sessions will be invalidated and users will need to input their username and password the next time they sign in to Appian.

LDAP authentication
The LDAP Authentication page allows you to configure Appian to authenticate users against an external directory server, like Microsoft Active Directory, via LDAP rather than its native authentication.

In order to prevent you from locking yourself out of Appian, if your configuration requires that the user you are currently logged in as must authenticate via LDAP, then you must successfully test your configuration using the "Test" button before saving it. It is not possible to configure Appian such that a given user may authenticate with either LDAP or native Appian authentication. Each account may only authenticate against one or the other. LDAP authentication settings cannot be imported or exported from the Admin Console.

Maintenance window
The Maintenance Window page allows you to set a period of time to deploy application updates to your environment and write a message to display in a banner at the top of your site. During maintenance windows, all users except for system administrators will be logged out of the site, and a banner will display at the top of your site's login page for web and mobile.

PIEE authentication
PIEE user authentication is a preview feature. It is disabled by default. To enable the feature, you will need to open a support case and get permission from Engineering. The PIEE Authentication page allows you to configure Appian to authenticate users against the Procurement Integrated Enterprise Environment (PIEE). PIEE is the primary enterprise procure-to-pay (P2P) application for the Department of Defense and its supporting agencies. PIEE user authentication can be used for single sign-on to procurement-related systems. See PIEE User Authentication for an explanation of how to configure PIEE authentication.

SAML authentication
The SAML Authentication page allows you to configure Appian to authenticate users against external SAML identity providers (IdP), like Microsoft ADFS or Shibboleth, rather than against Appian authentication.

Configuring SAML settings
See SAML for Single Sign-On for an explanation of the global and per-IdP settings, as well as instructions for how to add a SAML identity provider for users to authenticate against.

Verify My Access
The Verify My Access button only appears when you use SAML authentication to sign in to Appian. When it is visible, before you can save your changes, you must verify that you can still sign in. Clicking this button will attempt SP-initiated sign-in to your identity provider in a new tab. If you successfully sign in, you will be able to save your changes.

Additional configuration details and notes
Security
Users
The Users page allows you to:

Users cannot be imported or exported from the Admin Console.

See also: User Management

Web API Authentication
This page allows you to manage API keys and OAuth 2.0 clients, which can be used to invoke Appian Web APIs.

API keys
The API Keys tab allows you to create and manage API keys and Service Accounts, which can be used to invoke Appian Web APIs. This page allows you to:

Creating an API key
To create a new API Key:

When creating an API key, the API key should be tied to a service account with the same username and given the same description in each environment. API keys can only be used for the environment they're created in.

Managing API keys
There are three ways to invalidate an API key:

OAuth 2.0 Clients
The OAuth 2.0 Clients tab allows you to create and manage OAuth 2.0 Clients and Service Accounts, which can be used to invoke Appian web APIs with the OAuth 2.0 Client Credentials grant. This page allows you to:

Creating an OAuth 2.0 Client
To create a new OAuth 2.0 client:

When creating an OAuth 2.0 client, the client should be tied to a service account with the same username and given the same description in each environment. OAuth 2.0 clients can only be used for the environment they're created in.

Managing OAuth 2.0 Clients
There are three ways to invalidate an OAuth 2.0 client:

Service Accounts
If you need to create a new service account, you can easily do so by clicking the plus icon to the right of the Service Account picker on the API key creation modal or the OAuth 2.0 client creation modal. This prompts you to provide a username. Service accounts should be created in each environment with the same username and placed in the same groups so that permissions can be promoted to higher environments. The created service account will have its first name set to the selected username and its last name set to "Service Account". It will be automatically assigned the Service Account role. Existing users can be converted to service accounts by placing them in the Service Accounts system group. When a service account is removed from the system group or deactivated, all API keys and OAuth 2.0 clients associated with that service account cease to work. Although they won't work, these credentials will continue to exist until they are manually deleted. Your service account will need to be added to the proper groups in order to successfully call a web API with an API key or OAuth 2.0 client.

DevOps
The following pages relate to features that support DevOps.

Deployment
The Deployment page allows you to manage the following settings:

Allow test values to be imported with design objects
When enabled, test values saved in interface and expression rules are imported along with those objects. When not selected, interfaces and expression rules have their test values removed on import.

Allow database schema changes through data stores
When enabled, automatic database schema updates will occur on data type update and data store import for appropriately configured data stores. When disabled, data stores' automatic database schema update configurations will be ignored, and automatic updates will never occur.
Warning: Before enabling this setting, check with your database administrator to see if it is acceptable for Appian to automatically run DDL statements in this environment. If Appian does not have DDL privileges on the database level, automatic schema updates will fail, even if this feature is enabled.

Health check

The Health Check page allows you to set up, schedule, and run Health Checks on your Appian environment.

Switching from the Plug-in to the Admin Console Health Check

If you are using the Appian Health Check plug-in, Appian will automatically uninstall the Health Check plug-in when you set up Health Check in the Admin Console. If you want to run Health Check using a Continuous Integration (CI) tool, such as Jenkins, you will need to create a web API that uses a!latestHealthCheck().

Settings

Health Check Settings are grouped into three sections:

A. General
B. Automatic Upload
C. Scheduling

A - General

To help Health Check establish the correct risk level for various findings, specify whether your environment is a production environment. The Health Check Viewers system group allows users to access the Health Check report from a News post and via email notifications. System administrators will always have access to the report from the Admin Console. Health Check reports generated when automatic upload is disabled will not be available from the Admin Console and News. Instead, the report will be emailed directly to the system administrator who uploaded the Health Check data to Community. For more information, see the Automatic Upload section below.

B - Automatic upload

Appian recommends enabling automatic upload to make your Health Check process more efficient. Automatic upload allows your environment to directly submit the data collection ZIP file to Appian Community when it is ready for analysis. To enable automatic upload, Health Check credentials for Appian Community are required.
The same credentials can be used across multiple environments within your organization. You can request credentials from Appian Technical Support by opening a support case. Once you have your Health Check credentials, enter them in the Automatic Upload section. If you previously configured third-party credentials for the Health Check plug-in, they are automatically detected and transferred over as Health Check credentials for the Settings page.

If you enable automatic upload, a data review will be required for the first Health Check run in each environment. During that review step, you will have the option to select Autoapprove this step for future runs and skip data reviews for future runs. System administrators can disable autoapprove from the Automatic Upload section at any time after their first Health Check run. If automatic upload is not enabled, a system administrator will need to manually download the data collection ZIP file, and upload it to Community for analysis during each run.

C - Scheduling

After enabling scheduling, you will be asked to provide the date and time of your first run, as well as how frequently you would like Health Check to run. Appian recommends regularly scheduling Health Check, and running it during non-business hours in a production or active environment, as it may increase system load and degrade performance. You should also take into consideration the time zones of your primary Appian users when scheduling Health Check. Health Check will run within a 10 minute window of the scheduled time. For example, if you schedule Health Check to run at 12:00 AM, it could start as late as 12:09 AM.

Landing page
Infrastructure

The Infrastructure page displays all the Appian environments in your organization and lets you control how those environments interact with each other. For example, you can let developers in your development environment compare and directly deploy application changes to their test environment.

Environments

The section displays all connected environments, their name, URL, direct deployment status, and connection status. You can also select an environment to view the last action, modifier, and modified date. System administrators can enable and disable the connection with each environment. Both environments must have their connections enabled to leverage infrastructure capabilities, such as compare and deploy. If either environment disables their connection, all infrastructure capabilities between the two environments are disabled. For example, the dev environment must be added to the infrastructure of the test environment and vice versa for the connection to be fully enabled.
Managing environments

To add an environment:
Outgoing connection requests can be withdrawn at any time. Once the request is sent, system administrators will receive an email that links them to the Infrastructure page. They can view the incoming connection requests and take action on them. Incoming connection requests will time out after 7 days if no action is taken on them. When Cloud customers upgrade to 19.1, their environments will be pre-configured. To allow connection from Appian:
To enable direct deployments from Appian:
When enabled, this environment will receive deployment requests from the selected environment in this infrastructure. A deployment can include object, database, and plug-in changes, which will be tracked in the Deploy view on both environments. Appian recommends configuring which specific environments can deploy to higher environments, such as Production. For example, you should allow application administrators on the Test environment to deploy to Production. But you wouldn't necessarily allow application administrators on the Development environment to deploy to Production. Disabling direct deployments will block direct deployments without affecting the ability to monitor performance metrics or compare applications. Removing an environment from the current infrastructure will remove the environment from the remote environment's infrastructure as well. To remove an environment:
Using mutual authentication

If your environment leverages mutual authentication, you will need to upload your current environment's SSL certificate to each of its connected environments. In addition, you'll also need to ensure that your current environment has the SSL certificate from each of its connected environments. To do this, upload the trusted server certificates in the Admin Console. For troubleshooting information, refer to the Knowledge Base. If your environment leverages Trusted IP Addresses, please be aware that Appian Cloud outbound IP addresses will need to be allowed in order for the infrastructure to work.

External deployments

When external deployments are enabled, incoming deployments to the current environment can be triggered programmatically via the deployment APIs. When disabled, any calls to these endpoints will fail with an HTTP 403 status code, indicating that the environment is not accepting deployments via these APIs. In order to authenticate an external deployment request, you must have an API key and corresponding service account. These can be created and managed from the Web API Authentication page. The appropriate service account should be selected in the Authenticate As field, which will result in its associated API key being passed as part of the API request.

Deployment settings

This section displays settings that apply to incoming direct and external deployments from all environments that have been added to this environment's infrastructure. After enabling direct or external deployments from other environments, you are required to select a system administrator user in the service account role to act as the deployer in the Deploy As picker. This user will appear as the Last Modifier for all objects in the deployment. You can also allow users to directly deploy plug-in and database changes. Select Allow deployments with plug-ins to allow the current environment to receive plug-in changes through direct deployments.
Select Allow deployments with database scripts to allow this environment to receive database changes through direct deployments. The Plug-in Changes section does not apply to external deployments since you cannot deploy plug-ins via the deployment API. To add deployment approval for your deployment process, select the Require Review option and specify a reviewer group. In addition to system and application administrators, this group can approve or reject deployments.

Integration

The following pages relate to integration administration.

Certificates

There are two types of SSL certificates that can be managed in the Admin Console: Client Certificates and Trusted Server Certificates.

Client certificates

Some web services require transport-level client certificate authentication when setting up an SSL connection. The Client Certificates tab of the Certificates page allows you to expose certificates for use by the HTTP integration and HTTP connected system objects, the Call Web Service smart service, the webservicequery() expression function, and the webservicewrite() expression function. Pre-built connected systems do not support SSL. These client certificates currently only apply to integrations that use an HTTP connected system, an OpenAPI connected system, or no connected system at all.

The main view of the Client Certificates page is a grid view of all of the client certificates in the system. Initially the grid will be empty. Click New Client Certificate to upload a new certificate. The certificate must be formatted as a PEM file. If the certificate is protected by a password you should enter the password in the password field. This password will not be stored. The certificate will be stored in an encrypted format in the Appian data source. There is no way to download a certificate from this page. Store a copy outside of Appian as well as uploading one here.
All modifications result in an audit log message with the username of the user who made the change, the previous values, and the new values. Client certificates cannot be imported or exported from the Admin Console.

Trusted server certificates

Some web services, such as those that utilize self-signed or internal SSL certificates, require an administrator to explicitly trust certain server certificates for authentication. The Trusted Server Certificates tab of the Certificates page allows administrators to upload server certificates that should be trusted by HTTP integrations, connected systems, the Call Web Service smart service, the webservicequery() expression function, and the webservicewrite() expression function. Trusted server certificates are only applied to integrations that use HTTP or OpenAPI connected systems.

The main view of the Trusted Server Certificates page is a grid view of all of the trusted certificates that have been added through the Trusted Server Certificates grid. Initially the grid will be empty. Click New Trusted Server Certificate to upload a new certificate. The certificate must be formatted as a PEM file. The certificate will be stored in an encrypted format in the Appian data source. There is no way to download a certificate from this page. Store a copy outside of Appian as well as uploading one here. All modifications result in an audit log message with the username of the user who made the change, the previous values, and the new values. Trusted server certificates cannot be imported or exported from the Admin Console.

Data sources

New way to connect data sources. If you want to deploy data sources to other environments and restrict who can access data sources during development, you can create connected systems for data sources instead. Learn more about data source connected systems.
The data sources page lets you integrate Appian with external databases using a JDBC connection by adding, updating, and removing named connection configurations called data sources. These data sources are available for designers to use in their applications through data stores and the Query Database smart service. A data source consists of the following fields:
You cannot create a data source with the same name as the Appian data source, as specified in the

See also: Business Data Sources

Configure options in this section of the Admin Console to control which document extraction vendors are enabled on your environment. Currently, Appian offers document extraction powered both by Appian built-in services and by Google Document AI.

Using Appian services

Availability of Appian's built-in document extraction capabilities varies based on your site's compliance requirements:
You can review Appian Cloud services compliance statements to ensure that it aligns with your organization's security requirements.

Optical character recognition

Appian has a built-in service to perform optical character recognition (OCR) to extract data from documents. All customers have access to OCR. Additional capabilities are also available, such as:
Customers who are in supported regions get these enhancements automatically when Appian is selected as the vendor when using the Start Doc Extraction smart service. Customers in unsupported regions can access these enhancements by enabling the options and choosing a supported region to process their documents. This option is disabled by default. If you don't enable the enhancements, you'll still be able to use the OCR capabilities available in your region. Regional support for additional built-in OCR capabilities:
1 Customers who wish to use additional OCR capabilities will need to enable this option in the Admin Console.

To enable additional OCR capabilities in an unsupported region:
Using Google services

In order to use certain Document Extraction features, you need to enter your Google Service Account key information in the Admin Console > Document Extraction page. The required information is in the Google Service Account Key file, which is generated when the service account key is created. These keys will be used for all instances of the Doc Extraction smart services.

How to get a Google service account key file

If you are using Appian AI, contact your Appian administrator for the Google Service Account Key JSON file from the License Management section of Appian Community. Otherwise, to create the Service Account Key file:
The following Google Cloud Document AI keys are in the Google Service Account key JSON file that is generated when the service account key is created.
See also:
This page allows you to manage email settings for the environment.

Outbound Email Toggle

The Outbound Email Toggle tab allows you to enable or disable the ability for Appian to send email.

Email Sender Authentication

The Email Sender Authentication tab allows you to authenticate email sending domains using DomainKeys Identified Mail (DKIM). DKIM is a standard email authentication method that adds a digital signature to outgoing messages. Mail servers that receive messages signed with DKIM can verify that the messages actually came from the intended sender, and not from another party impersonating the sender. To authenticate an email sending domain using DKIM:
Embedded Interfaces

The Embedded Interfaces page allows you to manage origins and themes for embedding interfaces on external web sites.

Origins

The Origins section allows you to add and remove from the list of hosts that are allowed to make cross-origin resource sharing requests to your Appian site. If an Appian interface is embedded on a web site that uses a different host than Appian, that host must be added to the allowed origins list. Origins should be entered using the host as it is typed in the browser address bar with the port (if it's different than the protocol default) but without the protocol, like By default, the list is empty. The prevention of unauthorized cross-origin requests is an important part of web application security, so only trusted hosts should be added to this list. Adding or removing a host results in an audit log message with the username of the user who made the change, the previous list of allowed hosts, and the new list.

See also: Embedded Interfaces

Themes

The Themes section allows you to configure any number of themes with custom font and color styling. A theme can be optionally applied to the interfaces that are embedded in an external web page. This allows custom styling of embedded interfaces in order to make them more consistent with the host web page. Note that themes can only be applied to embedded interfaces. Learn more about Tempo branding and sites branding. All modifications to themes result in an audit log message with the username of the user who made the change, the previous values, and the new values.

See also: Themes for Embedded Interfaces

HTTP proxy

The HTTP Proxy page allows you to configure a proxy server for outgoing HTTP and HTTPS connections. The proxy is used by the following integration features:
HTTP, OpenAPI, and pre-built connected systems shipped with Appian have been developed to respect the configured proxy. Connected system plug-ins only support using the configured proxy if the developer specifically developed them to do so. For an example, see Configuring HttpClient when a proxy is enabled.
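The entry format given in the Origins section above (host, plus the port only when it differs from the protocol default, and no protocol) can be checked mechanically before a host is added to the list. The following is an added example, not Appian code: the function names and the sample hosts are assumptions, and the wildcard and `null` checks are general allowlist hygiene rather than documented Appian behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_to_entry(origin: str) -> str:
    """Turn a browser Origin value (scheme://host[:port]) into the entry form
    described above: host, plus the port only when it is not the scheme default."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin carries more than scheme, host and port: {origin!r}")
    host = parts.hostname              # urlsplit lower-cases the host name
    if ":" in host:                    # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is None or parts.port == DEFAULT_PORTS[parts.scheme]:
        return host
    return f"{host}:{parts.port}"


def is_allowed(origin: str, allowlist: list[str]) -> bool:
    """Exact match against the list; suffix or substring matching would let
    look-alike hosts such as portal.example.com.evil.test through."""
    try:
        entry = origin_to_entry(origin)
    except ValueError:
        return False                   # covers the opaque "null" origin as well
    return entry in {item.strip().lower() for item in allowlist}


def audit_entry(entry: str) -> list[str]:
    """Return the reasons a proposed list entry does not fit the stated format."""
    problems = []
    e = entry.strip()
    if not e or e != entry:
        problems.append("empty or padded with whitespace")
    if "://" in e:
        problems.append("includes the protocol")
    if any(ch in e.split("://", 1)[-1] for ch in "/?#"):
        problems.append("includes a path, query or fragment")
    if "*" in e:
        problems.append("wildcard instead of an exact host")
    if e.lower() == "null":
        problems.append("opaque origin, not a host")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not taken from any real site.
    proposed = ["portal.example.com", "https://intranet.example.com", "*.example.com"]
    for item in proposed:
        print(item, "->", audit_entry(item) or "ok")
    print(is_allowed("https://portal.example.com:443", proposed))
```
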
Legacy web services

The Legacy Web Services page allows you to manage processes exposed as web services. The interface for configuring legacy web services opens in a new browser tab. Legacy web services cannot be imported or exported from the Admin Console.

Logging

This page allows you to configure logging for integrations to facilitate troubleshooting.

Trace Logging

This section controls the
See the integration and web API sections on the Logging page for the fields that are captured. The only potentially sensitive data that is captured in the trace log is the username of the user who called the integration.

HTTP Request/Response Logging

This section controls the See the Logging page for more information on the HTTP request/response logs. The HTTP request/response logs may contain sensitive data or credentials. Before enabling HTTP request/response logs for integrations, it's important to understand the integration logging guidelines.

Microsoft Office

This page allows you to configure Appian's Task Viewer Add-in for Microsoft Outlook.
Third-party credentials

The Third-Party Credentials page allows you to manage credentials for connecting to external systems. These credentials are stored in the Secure Credentials Store. The following entities can use these credentials:
The Third-Party Credentials page contains a grid view of all configured sets of credentials. Initially, the grid will be empty. To create a set of third-party credentials:
Deleting individual credentials fields will cause all site-wide and per-user values for that field to be deleted. Deleting a set of third-party credentials from the grid on the Third-Party Credentials page will cause all site-wide and per-user values for the entire set of credentials fields to be deleted. All credential changes result in an audit log message with the username of the user who made the change, the previous values, and the new values.

See also:
Monitoring

The following pages relate to monitoring your Appian installation. Monitoring information cannot be imported or exported from the Admin Console.

Current user activity

The Current User Activity page allows you to see which users are currently active on your site. User activity is stored for 1 hour and only the most recent 1000 entries are displayed. When a user logs out of the system, they are removed from the list of recent activity. It is possible for the same user to appear in the list twice if they are connected from two different browsers or mobile clients.

Document reports

The Document Reports page shows the following usage information about documents in the system:
Note that user avatars are stored as documents, so views of user images are counted as downloads.

Import history

The Import History page allows you to see all the imports that have occurred on the system during the last 30 days. This includes imports from:
Clicking the document icon on the last column of the grid will download the import log for the corresponding import.

Rule performance

The Rule Performance page allows you to see the historical performance of all of the rules in the system. It contains a table of rule name, the number of times that rule has been executed, the average execution time, the minimum execution time, and the maximum execution time. A moving window of thirty days of performance metrics is gathered and stored as end users execute the rules. The evaluation times recorded do not include the evaluation of the rules when they are executed in Appian Designer. Clicking on the name of a rule will bring up more details on the performance of that rule, including graphs of the performance over time. These graphs are the same as the ones found in the historical performance trends in the performance view. This page contains performance data for rule objects, including expression rules, interfaces, query rules, integrations, and decisions.

Import and export your settings

Most Admin Console settings can be imported and exported, except for settings on the following pages:
In addition, you can export the Encryption Service setting associated with plug-ins, but you cannot import or export plug-ins in the Admin Console. Instead, deploy plug-ins using a direct deployment. For security reasons, you cannot export credential values. Instead, you can provide these values during deployment using an import customization file.

Export

To export Admin Console settings:
The files download according to your browser settings.

Import

In the Admin Console, you can import the following individually or in combination:
To import in the Admin Console:
Import considerations

Admin Console settings and application objects can be tightly coupled. Because of this, Appian allows you to import an application package and an Admin Console package together. These packages will be included in a single import, so any dependencies between them are identified and properly resolved. Dependencies include:
Setting-specific behavior

Data Sources

During import, Appian tests the connection of the data source. If a connection cannot be established successfully, the data source will fail to import. This connection test also happens during inspection.

Health check

Health Check must be set up and enabled on an environment before any imported Health Check configurations can take effect. You can import and export all Health Check Setting properties except the following:
When Health Check Settings are exported, the Service Account credential fields are left blank. These fields can be edited in the Health Check properties file and imported into a target environment. Note that on import:
Permissions

To export and import Quick App Creator permissions, export the Quick App Creators group. Member groups are included when exporting a group, but individual user members are not.

See also: Groups

Plug-ins

The list of Encryption Service public API permissions for all plug-ins shown on the Plug-ins page can be exported as one item. For example, if you have plug-in X that has permission to use the Encryption Service and plug-in Y that doesn't, both permissions would be set during import if the setting was included in your import package. On import into the target environment, only the plug-ins that are listed in the package are updated. You may have more plug-ins in the target environment, and their Encryption Service configurations are not updated. Appian recommends that if you are sharing an admin console package with environments where you have no knowledge of the deployed plug-ins, you should not include this setting as it might overwrite a plug-in's permissions.

Third-party credentials

When importing a set of third-party credentials onto a target environment for the first time, the credentials field values can be configured in one of two ways:
Updating the set of third-party credentials via import will not reset any per-user credentials that a user has stored. These will only be removed if that specific credential field has been deleted from the third-party credentials. Third-party credentials may reference plug-ins. The referenced plug-ins may be deployed before or after the third-party credentials, and the reference to the plug-in name will be preserved. Appian recommends that plug-ins are deployed before importing your applications and admin console settings.

User start pages

If one of your start pages points to a specific record or action, this URL will not be the same across environments. Be sure to confirm the URL is correct for these pages after import.

Which user accounts are created automatically and disabled by default when Windows is installed?

The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
Which of the following user accounts are disabled by default?

The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password.
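Because the built-in Administrator is identified by the final component of its SID (500) rather than by its display name, an account review should key on that value. The following is an added example, not part of the original page: it assumes an account inventory exported as CSV with Name, Enabled and SID columns, uses constructed sample rows, and relies on the well-known value 501 for the built-in Guest account, which the page does not state.

```python
import csv
import io
import re

# Account SIDs have the form S-1-5-21-<three machine or domain values>-<RID>.
ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed inventory: the built-in Administrator has been renamed, Guest is
# enabled, and an ordinary account carries the name "Administrator".
SAMPLE = """\
Name,Enabled,SID
svc-admin,True,S-1-5-21-1111111111-2222222222-3333333333-500
Guest,True,S-1-5-21-1111111111-2222222222-3333333333-501
Administrator,True,S-1-5-21-1111111111-2222222222-3333333333-1001
alice,True,S-1-5-21-1111111111-2222222222-3333333333-1002
"""


def builtin_role(sid: str):
    """Return 'Administrator' or 'Guest' for a built-in account SID, else None."""
    match = ACCOUNT_SID.match(sid.strip())
    if not match:
        return None                      # e.g. service SIDs such as S-1-5-18
    return WELL_KNOWN_RIDS.get(int(match.group(1)))


def audit_accounts(csv_text: str):
    """Return (account name, finding) pairs for the built-in accounts."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Name"].strip()
        enabled = row["Enabled"].strip().lower() == "true"
        role = builtin_role(row["SID"])
        if role == "Administrator":
            if name.lower() != "administrator":
                # Renaming changes the display name only; the SID still ends in 500.
                findings.append((name, "builtin-administrator-renamed"))
            if enabled:
                findings.append((name, "builtin-administrator-enabled"))
        elif role == "Guest":
            if enabled:
                findings.append((name, "guest-enabled"))
        elif name.lower() in ("administrator", "guest"):
            # Same display name as a built-in account but a different SID.
            findings.append((name, "name-collides-with-builtin"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE):
        print(f"{account}: {finding}")
```
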
Which type of user account is created automatically?

Guest user account
In Windows, this account is automatically created during the installation.
What are the 2 types of user account?

Standard User accounts are for everyday computing. Administrator accounts provide the most control over a computer, and should only be used when necessary. Guest accounts are intended primarily for people who need temporary use of a computer.