Applications
Definition of an application
An application in the Intelligent Application Manager is a combination of a branch, a server and a database that will appear as a standalone application in the user interfaces. A branch can therefore result in several applications on different servers and/or for different databases. Each application has its own authorization and user preferences.
Applications are created by the application administrator. The application owner is responsible for granting users access to those applications, by creating users and user groups and assigning roles for specific applications to those user groups.
Authorization overview
Create an application
main administrator, application administrator
To create an application from a model:
menu Authorization > Applications > tab Form
- Select a Model and a Branch.
- Select a Server and a Database.
Field | Description |
---|---|
Sequence no | The order in which the application is listed in the user interfaces. |
Active | Specifies whether the application is shown. Only activate an application after it has been set up completely. |
Platform | The platforms for which the application is available. |
Application alias | The alias used for the Indicium OData API. |
Max. # sessions per account | The maximum number of concurrent sessions that a user can have. To exclude an account from this restriction, see the Exclude from max. # sessions option. |
Claim timeout (min) | The number of minutes before a claim is automatically released when the application is not in use. |
Create an application
Application theme
main administrator, application administrator
To distinguish between multiple applications for the same branch, for instance in DTAP environments, you can set a different theme for every application.
menu Authorization > Applications > tab List
- Execute the task Set theme.
Application and splash screen title
main administrator, application administrator
menu Settings > Global settings
The following rules apply to the Title field:
- Newly installed environments initially get 'Thinkwise Platform' as splash screen and application title.
- Upgrades will not override manual changes to the Title field.
- When installing the Software Factory in an IAM environment, the title is set to 'Thinkwise Software Factory'. This may override a manually configured title.
Hide columns and parameters
main administrator, application administrator
It is possible to hide columns, task parameters and report parameters application-wide in the application preferences. This therefore applies to all the users in all the user groups.
menu Authorization > Applications > tab Preferences > tab Application preferences
Application tags
main administrator, application administrator
menu Authorization > Applications > tab Application tags
On the tab Application tags, you can maintain information about applications that is not already available in the Intelligent Application Manager.
When copying an application, it is optional to copy the tags. By default, they will be included.
Copy an application
main administrator, application administrator
menu Authorization > Applications > tab List
To copy an existing application, including its translations, settings, user preferences, and authorization, execute the task Copy application.
Copy application task
Language and translations
Application translations
main administrator, application administrator
menu Authorization > Applications > tab Translations
On the tab Translations, it is possible to provide a translation and a tooltip for every application language.
Login language for web applications
main administrator, application administrator
When logging in to a web application, a user's identity and application language are not yet known. In that case, Global translations are used to provide the correct language.
These translations are not used by the Universal GUI's login screen. Login-related processes in the Universal GUI are often delegated to Indicium (for example, OpenID, 2FA, and password changes).
Some language tags will be available by default during the installation or upgrade of IAM.
menu Settings > Global translations
You can:
- Change the translations on the tab Global translations.
- Add new language tags.
- Delete existing language tags.
- View all untranslated objects with filter To be translated.
The language tags used here do not correspond with application languages used everywhere else in the Thinkwise Platform.
Browsers provide the web application with the desired language for the login process via the Accept-Language header.
The values are also known as 'Locale identifiers'. For instance: Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5
The values and weights provided by the browser in this request header will be used by Indicium or the Web GUI to determine the proper translations for the login process.
Global translations for login with web applications
Apply roles to the application database
main administrator, application administrator
To assign roles to a branch:
menu Models > Model overview > tab Branches > tab Roles
Tab List contains an overview of the available roles. Check out the tab Role rights for a more detailed view of a role's granted rights.
To apply the selected role to a database, execute the task Apply roles.
This task is also available in the menu Models > Model overview > tab Branches > tab Applications > tab List.
Apply a role to a database
Users can only access an application when roles are assigned to a user group. To assign a role to a user group:
- Select a role in tab List.
- Open the User groups tab, select a user group and execute the task Assign role.
Assign a role to a user group
Inactive roles
main administrator, application administrator
When roles or modules are no longer available due to changes in modules, module authorization, or due to synchronization, the existing role assignments and module assignments will become inactive. This allows you to fix mistakes in the configuration, either in IAM or during synchronization. In the example below, a role assignment is highlighted because its role is no longer available:
menu Authorization > Applications > tab Authorization > tab Roles
The highlighted role is assigned but no longer available
Application authorization
Grant a user group access to the application
main administrator, application administrator, application owner
Roles are distinct tasks or activities within an application. They are often named after the corresponding activity, like Approve hours or Report a ticket.
To grant a user group access to the application, roles need to be assigned to the user group:
menu Authorization > Applications > tab List
- Select an application.
- Go to the tab Authorization.
- Select a user group from the list (left). A checkbox next to a user group indicates if any roles are assigned to the user group.
- In tab Roles > List, execute the task Assign role for the roles to which this user group needs access.
  Or: execute the task Apply default authorization to add the default user groups and role assignments to this application.
Detailed information about granted role rights is available in the tab Role rights.
For an example of a default user group using a default role, see Grant access to a translator.
Linking roles to user groups
Apply user rights to the application database
main administrator, application administrator, application owner
Tasks are available to apply the required rights to the databases:
menu Authorization > Applications > tab List
Task | |
---|---|
Creates the users and user groups on the application database | |
Creates the users on the IAM database | |
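To be able to apply the rights to an SQL Server database, an application administrator or owner who is not a database system administrator needs additional database rights. These rights can be granted using the following code snippet:
-- Allow [login_name] to create, alter and drop users in the IAM database
use [iam_database]
go
grant alter any user to [login_name]
go
-- Allow the same in the application database
use [application_database]
go
grant alter any user to [login_name]
go
-- Server-level permission to create, alter and drop logins (granted in master)
use master
go
grant alter any login to [login_name]
go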
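To confirm that these grants took effect, and to see which other principals hold the same permissions, you can query the SQL Server permission catalog views. This is an added example and not part of the original documentation; [iam_database] and [application_database] are the same placeholders as in the snippet above.

```sql
-- Added example: audit of the permissions granted above.
-- [iam_database] and [application_database] are placeholders.

-- Server level: principals with an explicit ALTER ANY LOGIN entry.
use master
go
select pr.name      as principal_name,
       pr.type_desc as principal_type,
       pe.permission_name,
       pe.state_desc            -- e.g. GRANT or DENY
from sys.server_permissions as pe
join sys.server_principals as pr
  on pr.principal_id = pe.grantee_principal_id
where pe.permission_name = N'ALTER ANY LOGIN'
order by pr.name
go

-- Database level: principals with an explicit ALTER ANY USER entry
-- in the IAM database.
use [iam_database]
go
select db_name()    as database_name,
       pr.name      as principal_name,
       pr.type_desc as principal_type,
       pe.permission_name,
       pe.state_desc
from sys.database_permissions as pe
join sys.database_principals as pr
  on pr.principal_id = pe.grantee_principal_id
where pe.class = 0              -- permission on the database itself
  and pe.permission_name = N'ALTER ANY USER'
order by pr.name
go

-- The same check in the application database.
use [application_database]
go
select db_name()    as database_name,
       pr.name      as principal_name,
       pr.type_desc as principal_type,
       pe.permission_name,
       pe.state_desc
from sys.database_permissions as pe
join sys.database_principals as pr
  on pr.principal_id = pe.grantee_principal_id
where pe.class = 0
  and pe.permission_name = N'ALTER ANY USER'
order by pr.name
go
```

These views list explicit permission entries only; members of the sysadmin server role or the db_owner database role hold the permissions implicitly and do not appear in the results.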
Store pool user credentials
Universal GUI
main administrator, application administrator
When using the Software Factory in the Universal GUI, you can store the pool user credentials in IAM or the Software Factory.
These credentials will be safely encrypted and used instead of the credentials stored in Indicium's appsettings.json file.
See Store pool user credentials encrypted in the Indicium deployment manual.
Configure a public API role
main administrator, application administrator
In the Software Factory, a developer can mark a role as Allow as public API. For more information, see Public API roles in the Software Factory guide.
In IAM, you can continue the configuration. To activate or deactivate a potential public API role:
menu Authorization > Applications > tab Public API roles
- Select a role that has been marked in the Software Factory as Allow as public API.
- Activate or deactivate the role as a public API role with the task Set as public role or Revoke as public role.
If a role is set as a public API in IAM but no longer allowed as a public API in the Software Factory, it is shown in a red, bold font.
Public API configuration in IAM
Notify all users in an application
See User notifications.
Email provider for an application
main administrator, application administrator
You can configure the default email provider in the Software Factory (menu Model overview > tab Branches > tab Email providers). See Email providers for more information.
In IAM, you can override the default email provider for an application.
To set up a different email provider for an application:
menu Authorization > Applications > tab Email providers
Here, you can:
- Switch email provider type - Select another email provider type, and edit its settings.
  3-tier IAM in the Universal GUI: Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again.
- Edit - Edit the settings of the current email provider type.
- Reset email provider configuration - Reset to the default as configured in the Model overview of the Software Factory.
If an email provider is used in a process flow that has been set up in the Software Factory and synchronized to IAM, updating the credentials in IAM will result in the process flow using these IAM credentials instead.
Encryption of email provider key values
3-tier IAM in the Universal GUI
main administrator, application administrator
Encryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
To configure the email provider encryption:
menu Authorization > Applications > tab Email providers
Here you can:
- Set email provider key values (encrypted) - Set encrypted key values for your email provider.
- Reset encrypted values - Reset the encrypted key values. You may need to add unencrypted key values here afterward to ensure that the email provider keeps working.
File storage location for an application
main administrator, application administrator
You can configure the default file storage location in the Software Factory (menu Model overview > tab Branches > tab File storage locations). See File storage locations for more information.
In IAM, you can override the default file storage location for an application.
To set up a different file storage location for an application:
menu Authorization > Applications > tab File storage locations
Here, you can:
- Switch file storage location type - Select another file storage location type, and edit its settings.
  3-tier IAM in the Universal GUI: Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again.
- Edit - Edit the settings of the current file storage location type.
- Reset file storage location configuration - Reset to the default as configured in the Model overview of the Software Factory.
To set the file storage location for the system flows that are used in several deployment processes, see: Configure the file storage location in the Creation guide.
Encryption of file storage location key values
3-tier IAM in the Universal GUI
main administrator, application administrator
Encryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
To configure the file storage location encryption:
menu Authorization > Applications > tab File storage locations
Here you can:
- Set file storage key values (encrypted) - Set encrypted key values for your file storage.
- Reset encrypted values - Reset the encrypted key values. You may need to add unencrypted key values here afterward to ensure that the file storage location keeps working.
OAuth server for an application
main administrator, application administrator
For OAuth process actions, you can configure the default OAuth server in the Software Factory (menu Model overview > tab Branches > tab OAuth servers). See OAuth servers for more information.
In IAM, you can override the default OAuth server for an application.
To set up a different OAuth server for an application:
menu Authorization > Applications > tab OAuth servers
Here, you can:
- Edit - Edit the settings of the current OAuth server.
- Reset OAuth server configuration - Reset to the default as configured in the Model overview of the Software Factory.
Encryption of OAuth server key values
3-tier IAM in the Universal GUI
main administrator, application administrator
Encryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.
To configure the OAuth server encryption:
menu Authorization > Applications > tab OAuth servers
Here you can:
- Set OAuth server key values (encrypted) - Set encrypted key values for your OAuth server.
- Reset encrypted values - Reset the encrypted key values. You may need to add unencrypted key values here afterward to ensure that the OAuth server keeps working.
OAuth server for an application