Applications

Definition of an application

An application in the Intelligent Application Manager is a combination of a branch, a server and a database that will appear as a standalone application in the user interfaces. A branch can therefore result in several applications on different servers and/or for different databases. Each application has its own authorization and user preferences.

Applications are created by the application administrator. The application owner is responsible for granting users access to those applications, by creating users and user groups and assigning roles for specific applications to those user groups.

Authorization overview

Create an application

main administrator application administrator

To create an application from a model:

menu Authorization > Applications > tab Form

1. Select a Model and a Branch.
2. Select a Server and a Database.

Field	Description
Sequence no	The order in which the application is listed in the user interfaces.
Active	Specifies whether the application is shown. Only activate an application after it has been set up completely.
Platform	The platforms for which the application is available.
Application alias	The alias used for the Indicium OData API.
Max. # sessions per account	The maximum number of sessions that a user can have concurrent access to. To exclude an account from this restriction, see the Exclude from max. # sessions option.
Claim timeout (min)	The number of minutes before a claim is automatically released when the application is not in use.

Create an application

Application theme

main administrator application administrator

To distinguish between multiple applications for the same branch, for instance in DTAP environments, you can set a different theme for every application.

menu Authorization > Applications > tab List

1. Execute the task Set theme .

Application and splash screen title

main administrator application administrator

menu Settings > Global settings

The following rules apply to the Title field:

• Newly installed environments initially get 'Thinkwise Platform' as splash- and application title.
• Upgrades will not override manual changes to the Title field.
• When installing the Software Factory in an IAM environment, the title is set to 'Thinkwise Software Factory'. This may override a manually configured title.

Hide columns and parameters

main administrator application administrator

It is possible to hide columns, task parameters and report parameters application-wide in the application preferences. This therefore applies to all the users in all the user groups.

menu Authorization > Applications > tab Preferences > tab Application preferences

Application tags

main administrator application administrator

menu Authorization > Applications > tab Application tags

On the tab Application tags, you can maintain information about applications that is not already available in the Intelligent Application Manager.

When copying an application, it is optional to copy the tags. By default, they will be included.

View all applications

main administrator application administrator

To show all applications:

menu Authorization > Applications > tab List

Universal GUI

1. Click on .

Windows GUI

1. Click on the overflow menu in the column Active. A pop-up appears. Active prefilter
2. Select Extended filter.
3. Select the checkbox Clear prefilters and click Ok.

Now, all applications are displayed in the list.

Copy an application

main administrator

menu Authorization > Applications > tab List

To copy an existing application, including its translations, settings, user preferences, and authorization, execute the task Copy application .

Copy application task

Delete an application

main administrator

To delete an application:

menu Authorization > Applications > tab List

1. Make sure that you are viewing all applications.
2. Select the application(s) you want to remove.
3. Delete the application(s).

Language and translations

Application translations

main administrator application administrator

menu Authorization > Applications > tab Translations

On the tab Translations, it is possible to provide a translation and a tooltip for every application language.

Login language for web applications

main administrator application administrator

When logging in to a web application, a user's identity and application language are not yet known. In that case, Global translations are used to provide the correct language.

note

These translations are not used by the Universal GUI's login screen. Login-related processes in the Universal GUI are often relegated to Indicium (for example, OpenID, 2FA, password changes, etc.).

Some language tags will be available by default during the installation or upgrade of IAM.

menu Settings > Global translations

You can can:

• Change the translations on the tab Global translations.
• Add new language tags.
• Delete existing language tags.
• View all untranslated objects with filter To be translated.

The language tags used here do not correspond with application languages used everywhere else in the Thinkwise Platform. Browsers provide the web application with the desired language for the login process via the Accept-Language header. The values are also known as 'Locale identifiers'. For instance: Accept-Language: fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5 The values and weights provided by the browser in this request header will be used by Indicium or the Web GUI to determine the proper translations for the login process.

Global translations for login with web applications

Apply roles to the application database

main administrator application administrator

To assign roles to a branch:

menu Models > Model overview > tab Branches > tab Roles

1. Tab List contains an overview of the available roles. Check out the tab Role rights for a more detailed view of a role's granted rights.

2. To apply the selected role to a database, execute the task Apply roles .

   This task is also available in the menu Models > Model overview > tab Branches > tab Applications > tab List.

   Apply a role to a database

   Only when roles are assigned to a user group, users can access an application. To assign a role to a user group:

3. Select a role in tab List.

4. Open the User groups tab, select a user group and execute the task Assign role .

   Assign a role to a user group

Inactive roles

main administrator application administrator

When roles or modules are no longer available due to changes in modules, module authorization, or due to synchronization, the existing role assignments and module assignments will become inactive. This allows you to fix mistakes in the configuration, either in IAM or during synchronization. In the example below, a role assignment is highlighted because its role is no longer available:

menu Authorization > Applications > tab Authorization > tab Roles

The highlighted role is assigned but no longer available

Application authorization

Grant a user group access to the application

main administrator application administrator application owner

Roles are distinct tasks or activities within an application. They are often named after the corresponding activity, like Approve hours or Report a ticket.

To grant a user group access to the application, roles need to be assigned to the user group:

menu Authorization > Applications > tab List

1. Select an application.

2. Go to the tab Authorization.

3. Select a user group from the list (left).

   A checkbox next to a user group indicates if any roles are assigned to the user group.

4. In tab Roles > List, execute the task Assign role for the roles to which this user group needs access.

   Or: execute the task Apply default authorization to add the default user groups and role assignments to this application.

   Detailed information about granted role rights is available in the tab Role rights.

tip

For an example of a default user group using a default role, see Grant access to a translator.

Linking roles to user groups

Apply user rights to the application database

main administrator application administrator application owner

Tasks are available to apply the required rights to the databases:

menu Authorization > Applications > tab List

Task
Apply user rights	Creates the users and user groups on the application database
Apply user rights to IAM	Creates the users on the IAM database

To be able to apply the rights to an SQL Server database, an application administrator or owner who is not a database system administrator needs additional database rights. This can be done using the following code snippet:

use [iam_database]
go

grant alter any user to [login_name]
go

use [application_database]
go

grant alter any user to [login_name]
go

use master
go

grant alter any login to [login_name]
go

Store pool user credentials

Universal GUI main administrator application administrator

When using the Software Factory in the Universal GUI, you can store the pool user credentials in IAM or the Software Factory. These credentials will be safely encrypted and used instead of the credentials stored in Indicium's appsettings.json file.

See Store pool user credentials encrypted in the Indicium deployment manual.

Configure a public API role

main administrator application administrator

In the Software Factory, a developer can mark a role as Allow as public API. For more information, see Public API roles in the Software Factory guide.

In IAM, you can continue the configuration. To activate or deactivate a potential public API role:

menu Authorization > Applications > tab Public API roles

1. Select a role that has been marked in the Software Factory as Allow as public API.

2. Activate or deactivate the role as a public API role with the task Set as public role or Revoke as public role .

If a role is set as a public API in IAM but no longer allowed as a public API in the Software Factory, it gets a red and bold font.

Public API configuration in IAM

Notify all users in an application

See User notifications.

Email provider for an application

main administrator application administrator

You can configure the default email provider in the Software Factory (menu Model overview > tab Branches > tab Email providers). See Email providers for more information.

In IAM, you can override the default email provider for an application.

To set up a different email provider for an application:

menu Authorization > Applications > tab Email providers

Here, you can:

• Switch email provider type - Select another email provider type, and edit its settings.
  3-tier IAM in the Universal GUI Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again.
• Edit - Edit the settings of the current email provider type.
• Reset email provider configuration - Reset to the default as configured in the Model overview of the Software Factory.

note

If an email provider is used in a process flow that has been set up in the Software Factory and synchronized to IAM, updating the credentials in IAM will result in the process flow using these IAM credentials instead.

Encryption of email provider key values

3-tier IAM in the Universal GUI main administrator application administrator

3-TIER ONLY

Encryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.

When you are working in a 3-tier environment, we advise you to encrypt the key values of your email providers in the database. The default for your email providers is set in the Software Factory. See Encryption for a branch.

To configure the email provider encryption:

menu Authorization > Applications > tab Email providers

Here you can:

• Set email provider key values (encrypted) - Set encrypted key values for your email provider.
• Reset encrypted values - Reset the encrypted key values. You may need to add unencrypted key values here afterward to ensure that the email provider keeps working.

File storage location for an application

main administrator application administrator

You can configure the default file storage location in the Software Factory (menu Model overview > tab Branches > tab File storage locations). See File storage locations for more information.

In IAM, you can override the default file storage location for an application.

To set up a different file storage location for an application:

menu Authorization > Applications > tab File storage locations

Here, you can:

• Switch file storage location type - Select another file storage location type, and edit its settings.
  3-tier IAM in the Universal GUI Select the checkbox Use encryption to execute the task to enter key values that must be encrypted. If you clear this checkbox, the unencrypted key value fields will be available again.
• Edit - Edit the settings of the current file storage location type.
• Reset file storage location configuration - Reset to the default as configured in the Model overview of the Software Factory.

note

To set the file storage location for the system flows that are used in several deployment processes, see: Configure the file storage location in the Creation guide.

Encryption of file storage location key values

3-tier IAM in the Universal GUI main administrator application administrator

3-TIER ONLY

Encryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.

When you are working in a 3-tier environment, we advise you to encrypt the key values of your file storage locations in the database. The default for your file storage locations is set in the Software Factory. See Encryption for a branch.

To configure the file storage location encryption:

menu Authorization > Applications > tab File storage locations

Here you can:

• Set file storage key values (encrypted) - Set encrypted key values for your file storage.
• Reset encrypted values - Reset the encrypted key values. You may need to add unencrypted key values here afterward to ensure that the file storage location keeps working.

OAuth server for an application

main administrator application administrator

For OAuth process actions, you can configure the default OAuth server in the Software Factory (menu Model overview > tab Branches > tab OAuth servers). See OAuth servers for more information.

In IAM, you can override the default OAuth server for an application.

To set up a different OAuth server for an application:

menu Authorization > Applications > tab OAuth servers

Here, you can:

• Edit - Edit the settings of the current OAuth server.
• Reset OAuth server configuration - Reset to the default as configured in the Model overview of the Software Factory.

Encryption of OAuth server key values

3-tier IAM in the Universal GUI main administrator application administrator

3-TIER ONLY

Encryption is only available in a 3-tier setup, where the Software Factory and IAM are used in the Universal GUI. It is not available for the Software Factory and IAM for the 2-tier Windows or Web GUIs because it requires Indicium support and configuration.

When you are working in a 3-tier environment, we advise you to encrypt the key values of your OAuth servers in the database. The default for your OAuth servers is set in the Software Factory. See Encryption for a branch.

To configure the OAuth server encryption:

menu Authorization > Applications > tab OAuth servers

Here you can:

• Set OAuth server key values (encrypted) - Set encrypted key values for your OAuth server.
• Reset encrypted values - Reset the encrypted key values. You may need to add unencrypted key values here afterward to ensure that the OAuth server keeps working.

OAuth server for an application