
In-platform consumer applications

Workshop, Slate, and Carbon applications can all be configured as consumer applications with restricted platform access. These applications enable fast iteration on custom applications, allowing you to deploy to customers with minimal maintenance burden.

This guide will focus on Workshop applications that are ideal for the following use cases:

  • Rapid application development with a low-code building experience.
  • Interactive data applications requiring rich user interfaces.
  • Dashboards and analytics with complex visualizations.
  • Decision support tools that combine data analysis with actions.

All in-platform applications use the interactive login flow, which can be configured to automatically redirect to configured identity providers. This provides a seamless authentication experience for consumer users. See the default authentication provider setup for configuration details.

Prerequisites

This guide requires experience with building applications in Workshop. Before publishing an in-platform application for consumer mode, ensure that you have completed the configuration of consumer mode in Foundry.

Setup

There are two approaches for deploying consumer products:

  1. [Recommended] Use Marketplace, and create separate environments to isolate building and testing from production.
  2. Build and edit products directly in the consumer space.

In this guide, we will build and edit products directly in the consumer space. However, we recommend using release management for a more robust release process. Review our DevOps release management documentation for more information.

Step 1: Build a consumer application

  1. Create a project from a template: Use the consumer project template to create a new project. Ensure that proper role assignments are applied automatically.
  2. Configure object types and actions:
       • Create object types with consumer-appropriate properties.
       • Configure actions with minimal required permissions.
       • Set up data sources with proper consumer access controls.
  3. Develop a Workshop application: Create a new Workshop application in the project using the configured objects and actions.

Step 2: Configure a consumer home page

  1. Navigate to Control Panel > Platform experience.
  2. Select your consumer organization.
  3. View the Default application for your consumer.
  4. Configure the Home page URL to direct users to the application.

Step 3: Configure permissions

  1. Add a consumer organization to the project: Navigate to your consumer project. From the Access tab of the right side panel, add a consumer organization with the Consumer role.
  2. Configure backing dataset permissions: For each backing dataset of the object types used in your consumer application, perform the following:
       • Add the consumer organization to the dataset's project permissions.
       • If the backing dataset is not located in the consumer space, move it to a project in the consumer space.
       • Configure row-level security using restricted views if needed, then update the object configuration to use the restricted view.
  3. Configure ontology permissions: Wrap functions in actions to make them easier to permission. For all actions used in the application, add the consumer organization group to the action submission criteria.

Validate consumer user experience

After deploying your application, validate the consumer user experience with the following steps.

  1. Test consumer user login: Log in using a test consumer account.
  2. Verify automatic redirect: Confirm that users are directed to the correct application after login.
  3. Check application functionality: Ensure that all features work correctly.
  4. Test permission boundaries: Verify that consumer users cannot access internal resources.
  5. Validate data access: Confirm that users can only see the appropriate data through configured restrictions.

Verify project access

From the file view of the consumer project, open the Access tab from the right side panel. Then, select Check access to verify the following:

  • Consumer users have the necessary permissions to access the application.
  • Consumer users cannot access internal projects or datasets.
  • Role assignments are working as expected.

Security best practices

Follow these recommendations to help protect users and data:

  • Separate users into a different organization for strict isolation.
  • Enable private organizations to prevent user discovery.
  • Use separate roles for consumers, builders, and administrators.
  • Regularly review organization and application permissions.

Troubleshooting

A user cannot access the application

Verify that the user was assigned to the correct consumer organization and confirm that the consumer user has the appropriate roles in the project.

Application features are not working

Ensure that the consumer organization has access to all required object types. Verify that consumer users can submit the required actions, and that backing datasets are accessible to consumer user groups.

Platform access is not restricted

Review platform access restrictions in Control Panel and ensure that the home page URL is configured correctly. Verify custom domain settings if you are using external domains.

