Applications
Definition of an application
An application in the Intelligent Application Manager is a combination of a branch, a server and a database that will appear as a standalone application in the user interfaces. A branch can therefore result in several applications on different servers and/or for different databases. Each application has its own authorization and user preferences.
Applications are created by the application administrator. The application owner is responsible for granting users access to those applications, by creating users and user groups and assigning roles for specific applications to those user groups.
Authorization overview
View all applications
main administrator application administratorTo show all applications:
menu Authorization > Applications > tab List
- Disable the prefilter Active or new
.
Now, all applications are displayed in the list.
Create an application
main administrator application administratorTo create an application from a model:
menu Authorization > Applications > tab Form
- Select a Model and a Branch.
- Select a Server and a Database.
- Enter the Sequence no. This is the order in which the application is listed in the user interfaces.
- Optional. Enter an icon for the application.
- For more information about the Status field, see Application availability.
- Optional. For more information about Limited module access, see Module authorization.
- Optional. For more information about Personal access tokens, see Personal access tokens.
- Optional. Enter the Application alias (used by the Indicium OData API).
- Optional. Enter the Claim timeout (min). This is the number of minutes before a claim is automatically released when the application is not in use. See Provisioning.
- Optional. Enter the Max. # sessions per account. This is the maximum number of sessions that a user can have concurrent access to. To exclude a service account from this restriction, see Exclude from maximum number of sessions.
- If an application is ready for use, you can make it available to users. See Bring an application online.
- The Clean-up date is only relevant if you no longer want to use the application. See Take an application offline.
Create an application
Application theme
main administrator application administratorTo distinguish between multiple applications for the same branch, for instance in DTAP environments, you can set a different theme for every application.
menu Authorization > Applications > tab List
- Execute the task Set theme
.
Application and splash screen title
main administrator application administratormenu Settings > Global settings
The following rules apply to the Title field:
- Newly installed environments initially get 'Thinkwise Platform' as splash- and application title.
- Upgrades will not override manual changes to the Title field.
- When installing the Software Factory in an IAM environment, the title is set to 'Thinkwise Software Factory'. This may override a manually configured title.
Hide columns and parameters
main administrator application administratorIt is possible to hide columns, task parameters and report parameters application-wide in the application preferences. This therefore applies to all the users in all the user groups.
menu Authorization > Applications > tab Preferences > tab Application preferences
Application tags
main administrator application administratormenu Authorization > Applications > tab General settings > tab Application tags
On the tab Application tags, you can maintain information about applications that is not already available in the Intelligent Application Manager.
When copying an application, it is optional to copy the tags. By default, they will be included.
Copy an application
main administratormenu Authorization > Applications > tab List
To copy an existing application, including its translations, general settings, user preferences, and authorization settings,
execute the task Copy application 
.
Copy application task
Application availability
Bring an application online
main administrator application administratorWhen you bring an application online, it becomes available to users.
To bring a new application online:
menu Authorization > Applications > tab List/Form
- Select the task Bring application online
. - Select the application you want to bring online.
- Select Execute.
Take an application offline
main administratorWhen you take an application offline, it is no longer available to users. If necessary, you can bring it back online as long as it has not been deleted as scheduled for the Clean-up date and the Application retention period.
A deleted application cannot be restored. Its model and branch can be synchronized to IAM again, if they still exist in the Software Factory. In that case, you can create a new application. However, application-specific settings, such as authorization and OAuth server settings, will be lost.
You can take an application offline immediately or schedule a Clean-up date. When scheduled, the application will be removed automatically at the specified date. To take an application offline:
menu Authorization > Applications > tab List/Form
-
Select the task Take application offline
. -
Select the application you want to take offline.
-
Optional. Enter a Clean-up date. If you do not set a clean-up date, the application remains offline without being removed. See Application retention period.
-
Select Execute.
Every Sunday, a system flow checks which offline applications have a clean-up date in the past and deletes them automatically.
-
Optional. Create a custom schedule for this system flow. See Scheduled system flows for your applications.
Application retention period
main administratorA system flow runs every Sunday to automatically delete applications that fall within the set Application retention period. Applications are deleted when:
- They are offline.
- A clean-up date is set
A deleted application cannot be restored. Its model and branch can be synchronized to IAM again, if they still exist in the Software Factory. In that case, you can create a new application. However, application-specific settings, such as authorization and OAuth server settings, will be lost.
If the Application retention period is smaller than Indefinitely, a system flow also removes the models and branches automatically:
- If all applications of a branch are removed, the branch is also removed.
- If all branches of a model are removed, the model is also removed.
To set the Application retention period:
menu Settings > Global settings > tab Form
- Select a Application retention period: 30, 60, 90, 365 days, or indefinitely. The default is 60 days.
- Optional. Create a custom schedule for the removal process. See Scheduled system flows for your applications.
Delete an application
main administratorA deleted application cannot be restored. Its model and branch can be synchronized to IAM again, if they still exist in the Software Factory. In that case, you can create a new application. However, application-specific settings, such as authorization and OAuth server settings, will be lost.
To delete an application:
menu Authorization > Applications > tab List
- Make sure that you are viewing all applications.
- Select the application(s) you want to remove.
- Delete the application(s).
Language and translations
Application translations
main administrator application administratormenu Authorization > Applications > tab General settings > tab Translations
On the tab Translations, it is possible to provide a translation and a tooltip for every application language.
Universal GUI The user can choose the language used in their application from the list of languages that are available in the applications they can access.
For example, a user has access to two applications.
The first application has Dutch and German translations available.
The second language has German and Spanish translations available.
The user can choose from the combined available languages in both applications.
If the chosen language is not available in the application, the fallback translations are used.
See also Application languages in the Software Factory manual.
Login language for web applications
main administrator application administratorWhen logging in to a web application, a user's identity and application language are not yet known. In that case, Global translations are used to provide the correct language.
These translations are not used by the Universal GUI's login screen. Login-related processes in the Universal GUI are often relegated to Indicium (for example, OpenID, 2FA, password changes, etc.).
Some language tags will be available by default during the installation or upgrade of IAM.
menu Settings > Global translations
Here, you can:
- Change the translations on the tab Global translations.
Add new language tags.
Deletes the language tag and all global translations linked to it.
The standard delete button 
, however, only deletes individual translations.
View all untranslated objects with filter To be translated.- Search for translation objects and translations.
The language tags used here do not correspond with
application languages used everywhere else in the Thinkwise Platform.
Browsers provide the web application with the desired language for the login process via the Accept-Language header.
The values are also known as 'Locale identifiers'. For instance: Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5
The values and weights provided by the browser in this request header will be used by Indicium or the Web GUI
to determine the proper translations for the login process.
Global translations for login with web applications
Apply roles to the application database
main administrator application administratorTo assign roles to the application database:
menu Optimization > Models > tab Roles
-
Tab List contains an overview of the available roles. Go to the tab Role rights for a more detailed view of a role's granted rights.
-
To apply the selected role to a database, select the task Apply roles to database
. -
Select a Model, Branch, and Application.
-
Upload a file with the SQL script that contains the role assignments for the database.
Apply a role to a database
Assign a role to a user group
Users can only access an application when roles are assigned to a user group.. To assign a role to a user group:
menu Optimization > Models > tab Roles
-
Select a role in tab List.
-
Go to the tab User groups and select a user group.
-
Execute the task Assign role
.
Assign a role to a user group
Inactive roles
main administrator application administratorWhen roles or modules are no longer available due to changes in modules, module authorization, or due to synchronization, the existing role assignments and module assignments will become inactive. This allows you to fix mistakes in the configuration, either in IAM or during synchronization. In the example below, a role assignment is highlighted because its role is no longer available:
menu Authorization > Applications > tab Authorization settings > tab Authorization > tab Roles
The highlighted role is assigned but no longer available
Application authorization
Grant a user group access to the application
main administrator application administrator application ownerRoles are distinct tasks or activities within an application. They are often named after the corresponding activity, like Approve hours or Report a ticket.
To grant a user group access to the application, roles need to be assigned to the user group:
menu Authorization > Applications > tab List
-
Select an application.
-
Go to the tab Authorization settings > tab Authorization.
-
Select a user group from the list (left).
A checkbox next to a user group indicates if any roles are assigned to the user group.
-
In tab Roles > List, execute the task Assign role
for the roles to which this user group needs access.Or: execute the task Apply default authorization
to add the default user groups and role assignments to this application.Detailed information about granted role rights is available in the tab Role rights.
For an example of a default user group using a default role, see Grant access to a translator.
Linking roles to user groups
Apply default user groups to the application
main administrator application administrator application ownerIn the Software Factory, you can configure default user groups. See Default user groups.
To apply the default user groups to an application for a provided tenant:
menu Authorization > Applications > tab List
-
Select an application.
-
Open tab Authorization.
-
Select one or more tenants and user groups, and use the Apply default authorization
task to add the default user groups and role assignments to this application.- A user group that does not yet exist for the tenant will be created, and new role assignments will be added. Existing role assignments will not be removed.
- A role that is not available due to module authorization will not be assigned.
For more information on this subject in IAM, see the Grant a user group access to the application.
Apply default authorization in IAM
Apply user rights to the application database
main administrator application administrator application ownerTasks are available to apply the required rights to the databases:
menu Authorization > Applications > tab List
| Task | |
|---|---|
 Apply user rights | Creates the users and user groups on the application database |
 Apply user rights to IAM | Creates the users on the IAM database |
To be able to apply the rights to an SQL Server database, an application administrator or owner who is not a database system administrator needs additional database rights. This can be done using the following code snippet:
use [iam_database]
go
grant alter any user to [login_name]
go
use [application_database]
go
grant alter any user to [login_name]
go
use master
go
grant alter any login to [login_name]
go
Store pool user credentials
Universal GUImain administrator application administrator
When using the Software Factory in the Universal GUI, you can store the pool user credentials in IAM or the Software Factory.
These credentials will be safely encrypted and used instead of the credentials stored in Indicium's appsettings.json file.
See Store pool user credentials encrypted in the Indicium deployment manual.
Configure a public API role
main administrator application administratorIn the Software Factory, a developer can mark a role as Allow as public API. For more information, see Public API roles in the Software Factory guide.
In IAM, you can continue the configuration. To activate or deactivate a potential public API role:
menu Authorization > Applications > tab Authorization settings > tab Public API roles
-
Select a role that has been marked in the Software Factory as Allow as public API.
-
Activate or deactivate the role as a public API role with the task Set as public role
or Revoke as public role 
.
If a role is set as a public API in IAM but no longer allowed as a public API in the Software Factory, it gets a red and bold font.
Public API configuration in IAM
Make a role available for personal access tokens
menu Authorization > Applications > tab Authorization settings > tab Personal access token roles
For more information, see Personal access tokens.
Notify all users in an application
See User notifications.
Environment interaction logs
main administrator application administratorIn the environment interaction logs for your production environments your can detect:
- Malfunctioning external services, disks, and printers
- Application landscape connectivity problems
- Misconfiguration of providers
Log creation
Logs are created when the Indicium service tier interacts with the application environment. The interaction performed by the 2-tier Windows GUI does not generate any logs.
Available logs
main administrator application administratormenu Authorization > Applications > Environment monitoring
You can access the following log sources for each application:
- General logs
- Application database logs (used to detect connectivity problems, not all actions)
- Provider-related logs
- Web connection logs
- Email provider logs
- File storage provider logs
- OAuth server logs
- Generative AI provider logs
- Printer logs
- Miscellaneous environment-related process-action logs
- HTTP connector logs
- SMTP connector logs
- Disk file logs (non-file storage)
- FTP connector logs (non-file storage)
- Application connector logs
- Database connector logs
Error handling
main administrator application administrator- A log item is considered an error when the resulting status code is negative.
- If a negative status code is expected behavior, you can Dismiss
the error.
This changes the status code to success for the log item and any related log items with the same process action and status code, both previous and future, in analyses. - You can also Restore
errors if they were dismissed by accident.
Settings
main administratorThe following settings are available for environment interaction logs:
- Application log retention - By default, logs are retained for 60 days. You can change this in the menu Settings > Global settings > tab Form > group Logging.
- Deactivate logs - You can deactivate logs per application, per log source, in the menu Authorization > Applications > tab Environment monitoring > tab Settings.
Log analyses
main administrator application administratorLog analyses are available in the following locations:
- Globally - Go to the menu Analysis > Environment Interaction
- Per application - Go to the menu Authorization > Applications > tab Environment monitoring > tab Analysis
Analyses are based on the last 30 days, as this is the minimum log retention time.
Custom report for an application
main administrator application administratorThe default file for a report is configured in the Software Factory, see Reports.
To create a custom report for an application, you can override this default file in IAM. You can use this, for example, to use a different logo in the report for a specific application.
You can only override the default file if the report has the same type and parameters as the original. For example, if the original report is a DevExpress report, you can only use another DevExpress report.
To override the default file for a report:
menu Authorization > Applications > tab General settings > tab Reports
- In field File, select the file you want to use for the report.
Web connection for an application
main administrator application administratorYou can configure the default web connection in the Software Factory (menu Integration & AI > Web connections). See Web connections for more information.
In IAM, you can override the default web connection for an application.
To set up a different web connection for an application:menu Authorization > Applications > tab General settings > tab Web connections
Here, you can:
Switch authentication type - Select another authentication type, and edit its settings.
3-tier IAM in the Universal GUI Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again.
Edit - Edit the settings of the current web connection type.
Reset web connection configuration - Reset to the default as configured for your branch in the menu menu Integration & AI in the Software Factory.
If a web connection is used in a process flow that has been set up in the Software Factory and synchronized to IAM, updating the credentials in IAM will result in the process flow using these IAM credentials instead.
Encryption of web connection key values
3-tier IAM in the Universal GUI main administrator application administratorEncryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
When you are working in a 3-tier environment, we advise you to encrypt the key values of your web connections in the database. The default for your web connections is set in the Software Factory. See Encryption for a branch.
To configure the web connection encryption:
menu Authorization > Applications > tab Web connections
Here you can:
Set web connection key values (encrypted) -
Set encrypted key values for your web connection.
Reset encrypted key values -
Reset the encrypted key values.
You may need to add unencrypted key values here afterward
to ensure that the web connection keeps working.
Email provider for an application
main administrator application administratorYou can configure the default email provider in the Software Factory (menu Integration & AI > Email providers). See Email providers for more information.
In IAM, you can override the default email provider for an application.
To set up a different email provider for an application:menu Authorization > Applications > tab General settings > tab Email providers
Here, you can:
- Switch email provider type - Select another email provider type, and edit its settings.
3-tier IAM in the Universal GUI Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again. - Edit - Edit the settings of the current email provider type.
- Reset email provider configuration - Reset to the default as configured for your branch in the menu menu Integration & AI in the Software Factory.
If an email provider is used in a process flow that has been set up in the Software Factory and synchronized to IAM, updating the credentials in IAM will result in the process flow using these IAM credentials instead.
Encryption of email provider key values
3-tier IAM in the Universal GUI main administrator application administratorEncryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
When you are working in a 3-tier environment, we advise you to encrypt the key values of your email providers in the database. The default for your email providers is set in the Software Factory. See Encryption for a branch.
To configure the email provider encryption:
menu Authorization > Applications > tab Email providers
Here you can:
- Set email provider key values (encrypted) -
Set encrypted key values for your email provider.
- Reset encrypted key values -
Reset the encrypted key values.
You may need to add unencrypted key values here afterward
to ensure that the email provider keeps working.
File storage location for an application
main administrator application administratorYou can configure the default file storage location in the Software Factory (menu Integration & AI > File storage locations). See File storage locations for more information.
In IAM, you can override the default file storage location for an application.
To set up a different file storage location for an application:menu Authorization > Applications > tab General settings > tab File storage locations
Here, you can:
- Switch file storage location type - Select another file storage location type, and edit its settings.
3-tier IAM in the Universal GUI Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again. - Edit - Edit the settings of the current file storage location type.
- Reset file storage location configuration - Reset to the default as configured for your branch in the menu menu Integration & AI in the Software Factory.
To set the file storage location for the system flows that are used in several deployment processes, see: Configure the file storage location in the Creation guide.
Encryption of file storage location key values
3-tier IAM in the Universal GUI main administrator application administratorEncryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
When you are working in a 3-tier environment, we advise you to encrypt the key values of your file storage locations in the database. The default for your file storage locations is set in the Software Factory. See Encryption for a branch.
To configure the file storage location encryption:
menu Authorization > Applications > tab File storage locations
Here you can:
- Set file storage key values (encrypted) -
Set encrypted key values for your file storage.
- Reset encrypted key values -
Reset the encrypted key values.
You may need to add unencrypted key values here afterward
to ensure that the file storage location keeps working.
OAuth server for an application
main administrator application administratorIn the Software Factory, the default OAuth server is configured for OAuth process actions.
In IAM, you can override the default OAuth server for an application.
To set up a different OAuth server for an application:menu Authorization > Applications > tab General settings > tab OAuth servers
Here, you can:
- Edit - Edit the settings of the current OAuth server.
- Reset OAuth server configuration - Reset to the default as configured for your branch in the menu menu Integration & AI in the Software Factory.
See OAuth servers for more information about the settings.
Encryption of OAuth server key values
3-tier IAM in the Universal GUI main administrator application administratorEncryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
When you are working in a 3-tier environment, we advise you to encrypt the key values of your OAuth servers in the database. The default for your OAuth servers is set in the Software Factory. See Encryption for a branch.
To configure the OAuth server encryption:
menu Authorization > Applications > tab OAuth servers
Here you can:
- Set OAuth server key values (encrypted) -
Set encrypted key values for your OAuth server.
- Reset encrypted key values -
Reset the encrypted key values.
You may need to add unencrypted key values here afterward
to ensure that the OAuth server keeps working.
OAuth server for an application
Generative AI provider
main administrator application administratorYou can configure the default generative AI provider in the Software Factory (menu Integration & AI > Generative AI).
In IAM, you can override the default generative AI provider for an application.
To set up a different generative AI provider for an application:menu Authorization > Applications > tab General settings > tab Generative AI providers
Here, you can:
- Switch generative AI provider type - Select another generative AI provider type, and edit its settings.
3-tier IAM in the Universal GUI Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again. - Edit - Edit the settings of the current generative AI provider type.
- Reset generative AI provider configuration configuration - Reset to the default as configured for your branch in the menu Integration & AI in the Software Factory.
Encryption of generative AI provider key values
3-tier IAM in the Universal GUI main administrator application administratorEncryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
When you are working in a 3-tier environment, we advise you to encrypt the key values of your generative AI providers in the database. The default for your generative AI providers is set in the Software Factory. See Encryption for a branch.
To configure the generative AI provider encryption:
menu Authorization > Applications > tab General settings > tab Generative AI providers
Here you can:
- Set generative AI provider key values (encrypted) -
Set encrypted key values for your generative AI provider.
- Reset encrypted key values -
Reset the encrypted key values.
You may need to add unencrypted key values here afterward
to ensure that the generative AI provider keeps working.