How to set up teamwork collaboration with best security practices

<< Click to Display Table of Contents >>

Navigation:  Bizagi Studio > How To´s > Useful how-to's >

How to set up teamwork collaboration with best security practices

applies_NetXpress

 

Overview

Bizagi Studio provides a collaborative environment where a team can work simultaneously on the implementation of processes.

This section illustrates how to set up a teamwork collaboration environment for the authoring/development, so that users work together on a project hosted at a central server, directly from their workstations.

 

Architecture

The teamwork collaboration system architecture in this setup, relies on Bizagi Studio connectivity features, and follows best security practices (applies when using SQL Server).

For this setup, it is required that the network presents a low latency in order to accomplish a best user experience for Bizagi Studio users (a low latency being usually covered by having workstations connected in the same network segment as the one for the central servers, the common setup involved for on-premise corporate topologies).

 

Development_using_Bizagi_Studio

 

For this setup consider the following:

Bizagi Studio will be installed both at the central server hosting the project (referred to as the Development project host), and at each of the connecting workstations.

Bizagi Studio workstations will connect via TCP/IP to the Development project host and to the database. The primary port used is TCP 5679.

Bizagi Studio workstations will connect to the database by using a SQL Server login account that has the strictly required rights. The Bizagi Studio at the Development project host will use a SQL Server login account with higher privileges in order to setup the project and manage it.

Though it is not mandatory but a best practice, it is recommended to use a dedicated server to host the database (separate from the Development project host).

 

For more information about this setup and Bizagi Studio's connectivity features, refer to Teamwork collaboration using Bizagi Studio.

 

Profiles involved

There are two main profiles involved in the setup: Bizagi Studio users, and the Development project administrator.

 

Bizagi Studio users

Team members working on a Bizagi project simultaneously at the authoring/development stages from their workstations, are referred to as Bizagi Studio users.

 

Project_Bizagiusers

 

Each user falls under this category regardless of his/her role within a Bizagi project (be it a process analyst documenting the workflow, a developer for application integration, or a process automation professional designing UI, among others), and each user will connect through Bizagi Studio while using their own Windows account.

 

Development project administrator

There will be one user who will need to be responsible of managing the project and have granted rights at the development project host (remote desktop access, being a local admin).

This profile is referred to as the Development project administrator, and its main tasks are to create the project, deploy it, upgrade its version or perform other admin tasks when needed.

 

Project_Admin

 

note_pin

If the development environment's database server is run exclusively by a database administrator, then he/she may interfere by creating 2 SQL Server logins to be used by the different profiles: one for the Development project administrator (used only at the development project host), and another one for all other Bizagi Studio users (used at the workstations).

 

 

Prerequisites

Before moving on, it is required to ensure that the following prerequisites are met at the servers.

 

IIS Web server

The Development project host requires at this point:

A supported Windows operating system and IIS version (e.g, as offered by Windows Server 2012 R2, 2012, 2008 R2, 2008).

The IIS configured by explicitly having enabled the following features:

 

IIS FEATURE GROUP

IIS FEATURE

APPLIES FOR...

Web Management Tools

IIS 6 Metabase compatibility

IIS versions 7 or above.

IIS Metabase and IIS 6 configuration compatibility

IIS versions 7 or above.

IIS Management Console

IIS versions 7 or above.

World Wide Web Services

.NET Extensibility

IIS versions 7 or 7.5.

.NET Extensibility 4.5

IIS versions 8 or above.

ASP.NET

IIS versions 7 or 7.5.

ASP.NET 4.5

IIS versions 8 or above.

Common HTTP Features

Static Content

IIS versions 7 or above.

Performance Features

Static Content Compression

IIS versions 7 or above, for performance enhancements.

Dynamic Content Compression

IIS versions 7 or above, for performance enhancements.

Security

Basic authentication

IIS versions 7 or above, recommended especially for an enhanced security setup of Bizagi's SOA web services.

Windows authentication

IIS versions 7 or above, when using Windows authentication.

IP and Domain restrictions

IIS versions 7 or above, recommended especially for an enhanced security setup of Bizagi's SOA web services.

 

For more information about enabling the IIS and its components, refer to IIS configuration.

 

Database server: SQL Server logins

The Database server requires at this point:

A supported SQL Server version (e.g, 2012, 2008 R2, 2008).

SQL Server authentication mode enabled, and having the following SQL Server logins already created:

 

LOGIN ACCOUNT / PROFILE

RIGHTS

DESCRIPTION

Login for the Development project administrator (SQL Server authentication mode)

Server role: public

Master database rights:

Create database, backup database, grant view any definition.

Tempdb database rights:

Create table, select table, drop table, grant view any definition.

To be used when the project administrator creates the project.

To be used afterward when upgrading the project's version.

Login for all Bizagi Studio users

(SQL Server authentication mode)

Server role: public

DB Owner of the specific database of the Bizagi project.

Bizagi Studio users will not need to input this login, though it will be used by default for any member connecting to the project.

 

Note that to create these login accounts, an account having the sysadmin server role is needed.

If the development environment's database server is run by a database administrator, he/she may use his account for this purpose.

For more information about creating these SQL Server logins, refer to Advanced configuration of SQL Server login accounts.

 

What you need to do

The overall outline of what the Development project administrator needs to do for the teamwork collaboration setup, is:

 

1. Installing Bizagi Studio at the Development project host.

A simple installation step done by using Bizagi Studio installer and its assisted steps.

2. Verifying Bizagi rights for the Development project administrator.

For any user to be able to create projects or connect to them in Bizagi, authorization must be granted to that user.

3. Creating the Bizagi project.

A wizard will assist the project creation and automatically set its database repository and IIS components.

4. Configuring the database login account for connecting Bizagi Studio users.

After creating the project, configuration is needed to set the database login account used when Bizagi Studio users connect to the project.

 

 

Procedure

The following procedure as noted above, is encouraged to be carried out by the Development project administrator.

 

1. Installing Bizagi Studio at the Development project host.

Login to the Development project host with local admin rights (i.e, connecting via remote desktop) and run the Bizagi Studio installer.

Reboot when finished if prompted to.

 

install10

 

For more information about this step, refer to Install Bizagi Studio.

 

2. Verifying Bizagi rights for the Development project administrator

The Bizagi Studio installer will create a local group called Bizagi, and will automatically include the user who installed it within that group.

Verify that the Development project administrator belongs to the Bizagi group explicitly (it is listed as an user, not within another group), in addition to belonging to the Administrators group as well (local admin).

 

WorkingRemote02_BizagiGroup

 

note_pin

If any changes are made to the above groups, it is recommended to restart the local Windows service called Bizagi Server Operations Service (for instance, likely to happen when the Development project administrator was not the user installing Bizagi Studio).

 

 

3. Creating the Bizagi Project

Create a new Bizagi project in the Development project host (by using local admin rights).

When configuring the database connection for this new project, ensure you input the SQL Server login for the Development project administrator:

 

Create_newproject_DB

 

For information about this step, refer to Create a Bizagi Project.

 

 

4. Configuring the database login account for connecting Bizagi Studio users

Once the project has been created, reconfigure the database login account used by the connection in order to set the login for all Bizagi Studio users.

To do this, use the Change database option found at the projects list.

Note that right away after the project has been created, you may find the project list by clicking the upper left corner:

 

ProjectListFromBAS

 

If opening Bizagi Studio, the project list is shown by clicking on All Projects:

 

Teamwork_01

 

Click the recently created project and click Change database:

 

12Teamwork_02

 

Change the login account to set the one to be used for connecting Bizagi Studio users:

 

Create_newproject_DB

 

Confirm when prompted and click Finish.

You may restart Bizagi Studio and reopen your project, in order to verify that the database login account was set properly.

 

 

What is next?

At this point, the Bizagi project is set.

To allow Bizagi Studio users to connect remotely to this project, these steps will be needed:
 

1. Add an authorization entry at the Development project host

For that connecting user, ensure an entry is added in the Bizagi group of the Development project host:

 

WorkingRemote02_BizagiGroup

 

2. Install Bizagi Studio in the workstation of the connecting user

Installation will require local admin rights, but this does not necessarily needs to be done by the Bizagi Studio user.

Ensure the version of Bizagi Studio matches the one installed at the Development project host.

 

install01

 

3. Verify that each user is included in his/her local Bizagi group

After installation is finished, and especially if that installation was not done by the Bizagi Studio user but another user instead (for example, a domain admin), verify that the user is explicitly included in the Bizagi group of his/her local machine.

 

4. Use the open existing project option

Now the workstation is set to connect remotely to the Bizagi project.

The first time only, the workstation will need to register that project by using the Recent project option directly from Bizagi Studio's splash menu:

 

Working in Bizagi with your team1

 

To browse for the Bizagi project, select the server name of the Development project host (or input its IP if the name is not listed).

The list of projects hosted by the Development project host will be displayed in the second drop-down list.

Select the specific Bizagi project and click on Finish.

 

 

Working in Bizagi with your team2

 

The project will immediately load up (you may verify that it opens correctly).

At this point, teamwork collaboration is set up. And from this point on, Bizagi Studio users may connect to the project by just using the shortcut at the splash menu:

 

PreferencesShortcut

 

note_pin

At this point, and while explicitly knowing which users are connecting to the Bizagi project, the team leader is encouraged to configure Bizagi Studio security in order to restrict which users may connect to the different resources in the project.

For instance, users and groups may be authorized (to view or modify) separately for the different processes, applications, entities or rules. For more information, refer to Bizagi Studio security.