Access Token for Anonymous End User

Configure an access token to connect to an anonymous form or anonymous page. This type of access token provides credentials that let non-authenticated users complete an eForm or view a custom page in AgilePoint NX.

Anonymous Forms Access Token Configuration screen — Figure: Anonymous End User Access Token Configuration screen

Background and Setup

Examples

(Example) Use Anonymous Authentication in a Form-Based App
(Example) Use Anonymous Authentication in a Process-Based App
(Example) Anonymous Page in Page Builder
(External) AgilePoint NX Page Builder Pages Now Available To External Users
Examples - Step-by-step use case examples, information about what types of examples are provided in the AgilePoint NX Product Documentation, and other resources where you can find more examples.

Prerequisites

For anonymous forms:
- Account credentials for anonymous authentication. This is the account the eForm uses to connect to AgilePoint NX, and get and submit data in the app. You can use an AgilePoint NX account or an account in Active Directory.
  If you do not use any of these authentication methods in your organization, you can create an AgilePoint NX account to use for anonymous authentication.
  
  Active Directory authentication is not available for AgilePoint NX OnDemand.
- As a security best practice, in your access token for anonymous forms, AgilePoint recommends user credentials with minimum access rights. This is a user with the Users role with the default access rights.
  It is not recommended to use an Administrator, Application Designer, or Developer account of any kind for anonymous access.
  
  In AgilePoint NX OnPremises and AgilePoint NX PrivateCloud, anonymous forms can use the AgilePoint Service Account for authentication if you select User System Account when you configure an access token for anonymous forms. However, this practice carries extreme security risks. This is not recommended unless you have a specific business requirement for Service Account access, and the security risks are mitigated.
  
  If you use the AgilePoint Service Account, the credentials are not stored in the database.
- An app designer who configures an eForm to use anonymous authentication (used with anonymous forms) must have a role with the Allow Enabling Anonymous Access access right.
  The Allow Enabling Anonymous Access access right lets the application designer create an anonymous form in App Builder at design time. It does not control the security for the anonymous form or the anonymous form user at runtime. The user credentials used for the anonymous authentication access token do not require this access right.
For anonymous pages:
- As a security best practice, in your access token for anonymous pages, AgilePoint recommends user credentials with minimum access rights. This is a user with the Page Viwers permission group with the default access rights.
  It is not recommended to use an Administrator, Application Designer, or Developer account of any kind for anonymous access.
- A page designer who configures a custom page to use anonymous authentication must have a role with the Allow Enabling Anonymous Access access right.
  The Allow Enabling Anonymous Access access right lets the page designer create an anonymous page in Page Builder at design time. It does not control the security for the anonymous page or the anonymous page user at runtime. The user credentials used for the anonymous authentication access token do not require this access right.
  
  At minimum, the user account associated with the Anonymous End User access token must be a member of the Page Viewers permission groups for the custom page.

Good to Know

For anonymous forms:
- To enforce strict security, AgilePoint highly recommends you use anonymous forms for data entry only, and avoid using lookups that connect to your backend systems.
  However, the decision whether to use lookups in anonymous forms is based on your business requirements. If your requires you to use a lookup to backend system, make that design choice as necessary.
- To make sure only APIs specific to run through the eForm are allowed to avoid security risks, such as code injection attacks, AgilePoint recommends you select Enable API Whitelisting on the Security tab on the Anonymous eForm Access Configuration screen.
- If you have questions about the security impacts or best practices for anonymous forms, contact AgilePoint Professional Services.
For anonymous pages:
- To make sure only APIs specific to run through custom pages are allowed to avoid security risks, such as code injection attacks, AgilePoint recommends you add only the required APIs.
  To add an API, click Add Whitlisted API on the Anonymous Access Settings tab on the Settings screen.
- If you have questions about the security impacts or best practices for anonymous pages, contact AgilePoint Professional Services.
In most cases, you can use a global access token or an app level access token:
- Global access tokens are shared across all users and apps. If you want all process designers and runtime app users in your AgilePoint NX tenant to be able to connect to an external data source, use a global access token. An example is a SharePoint site on an intranet that all employees in a company can access.
- Application level access tokens are shared with all processes in a process-based app, or restricted to use within a form-based app. Use application level access tokens if only process designers or runtime app users for a particular application should access an external system — for example, a Box account that is only used to share files within a small team.
Access tokens are collections of credentials that are used to authenticate communication directly between AgilePoint NX and an external system. Because it is the AgilePoint NX system that uses these credentials, rather than an app, there is no difference between design time and runtime access tokens. Access tokens are never checked in or published, and they do not use version control. If you change an access token in App Builder or Manage Center, the access token changes immediately everywhere the access token is used. Changes to app level access tokens apply to all versions of an app, including running application instances. Changes to global access tokens apply everywhere they are used in AgilePoint NX. You can not roll back an access token to a previous version.
For more information, refer to What Data Is Deleted When I Delete an App or Application Resource?
This screen may look different in different places. The UI varies for this screen depending upon how you open it. However, the fields for this screen are the same in all places.

How to Start

There are several ways to create an access token for anonymous forms and anonymous pages. How to create the access token depends on where you want to use it.

Global (Manage Center)

You can use a global access token in any app in your AgilePoint NX tenant. Use a global access token if you want any user in your environment to be able to connect to the same external system.

Click Manage.
In Manage Center, click App Builder > Global Access Tokens.
On the Global Access Tokens screen, click Add Token.
On the Add Global Access Tokens screen, select Anonymous End User.
Click Next.

App Level (Modern Add an App Experience)

Create an access token to use in any process activity or form control in an app you create in the Modern Add an App Experience.

In App Builder, in the Modern Add an App Experience, create an app.
For more information, refer to:
- Modern Add An App Experience (Process-Based App)
- Modern Add An App Experience (Form-Based App)
On the Anything else right now? screen, in the Access Tokens field, click Create.
On the What service do you want your app to access? screen, select Anonymous Forms.
Click Next.

App Level (App Builder)

Create an access token to use in any process activity or form control in a specified app.

Click App Builder.
On the App Builder Home screen, click All Apps.
On the All Apps screen, on an app, click Edit .
On the App Details screen, click Add New > Access Token.
On the What service do you want your app to access? screen, select Anonymous Forms.
Click Next.

Process Activities and Form Controls

Different access token types can be created in context and used in different process activities, form controls, or apps. The App Builder shows shortcut buttons in any place you can create an access token.

You can create an app level access token for Anonymous End User here:

Process Builder
- These activities on the eForms tab:
  - Anonymous Start Task activity
  - Anonymous Standard Task activity
  - Start Task activity
  - Standard Task activity

Fields

Field Name	Definition
Token Name	Description: Specifies the unique name for your connection to AgilePoint. Allowed Values: One line of text (a string). Accepted: Letters Numbers Spaces Default Value: None Example: This is a common configuration field that is used in many examples. Refer to: Examples - Step-by-step use case examples, information about what types of examples are provided in the AgilePoint NX Product Documentation, and other resources where you can find more examples.
Description	Description: A description for your access token. Allowed Values: More than one line of text. Default Value: None Example: This is a common configuration field that is used in many examples. Refer to: Examples - Step-by-step use case examples, information about what types of examples are provided in the AgilePoint NX Product Documentation, and other resources where you can find more examples.
Domain	Description: The authentication domain. Allowed Values: A valid domain. Default Value: None Example: Refer to: (Example) Use Anonymous Authentication in a Form-Based App (Example) Use Anonymous Authentication in a Process-Based App (Example) Anonymous Page in Page Builder
User Name	Description: Specifies the user name of the user in Active Directory or AgilePoint NX. Allowed Values: A valid user name. Default Value: None Accepts Variables: No Example: Refer to: (Example) Use Anonymous Authentication in a Form-Based App (Example) Use Anonymous Authentication in a Process-Based App (Example) Anonymous Page in Page Builder
Password	Description: Specifies a password for the user. Allowed Values: A valid password. Default Value: None Accepts Variables: No Example: Refer to: (Example) Use Anonymous Authentication in a Form-Based App (Example) Use Anonymous Authentication in a Process-Based App (Example) Anonymous Page in Page Builder
User System Account	Description: Specifies to use the AgilePoint Service Account for anonymous authentication. (This is sometimes also called the AgilePoint System Account.) Allowed Values: Selected - Uses the AgilePoint Service Account as the credentials for anonymous authentication. Deselected - Does not use the AgilePoint Service Account for anonymous authentication. Default Value: Deselected Limitations: This field is available only in AgilePoint NX OnPremises or AgilePoint NX PrivateCloud. To select this field, use of the AgilePoint Service Account must be enabled on your tenant. For more information, refer to, How Do I Let a Role Use the AgilePoint Service Account?. For anonymous forms: As a security best practice, in your access token for anonymous forms, AgilePoint recommends user credentials with minimum access rights. This is a user with the Users role with the default access rights. It is not recommended to use an Administrator, Application Designer, or Developer account of any kind for anonymous access. In AgilePoint NX OnPremises and AgilePoint NX PrivateCloud, anonymous forms can use the AgilePoint Service Account for authentication if you select User System Account when you configure an access token for anonymous forms. However, this practice carries extreme security risks. This is not recommended unless you have a specific business requirement for Service Account access, and the security risks are mitigated. If you use the AgilePoint Service Account, the credentials are not stored in the database. For anonymous pages: As a security best practice, in your access token for anonymous pages, AgilePoint recommends user credentials with minimum access rights. This is a user with the Page Viwers permission group with the default access rights. It is not recommended to use an Administrator, Application Designer, or Developer account of any kind for anonymous access.
Validate	Function: Makes sure the specified Active Directory or AgilePoint NX account is correct. Example: Refer to: (Example) Use Anonymous Authentication in a Form-Based App (Example) Use Anonymous Authentication in a Process-Based App (Example) Anonymous Page in Page Builder
Enable Password Expiry Notification	Description: Specifies whether to send an email notification when the password is due to expire. Allowed Values: Selected - Sends an email notification before the password expires. By default, this notification is sent 15 days before expiration. Deselected - Does not send an email notification for the password expiration. Default Value: Deselected Limitations: This field is available in these releases: AgilePoint NX OnDemand (public cloud) AgilePoint NX PrivateCloud, or AgilePoint NX OnPremises v9.0 or higher
Date	Description: Specifies the date the authentication credentials for the access token expire. AgilePoint NX sends the notification 15 days before the date specified in the Date field. Allowed Values: A date from the calendar. MM/dd/yyyy - Shows the date in the format Month/day/year. Default Value: None Limitations: This field is available in these releases: AgilePoint NX OnDemand (public cloud) AgilePoint NX PrivateCloud, or AgilePoint NX OnPremises v9.0 or higher
Email	Description: Specifies the email address of the user to whom to send the notification about the password expiration. Allowed Values: One line of text (a string) in email address format. Default Value: None Limitations: This field is available in these releases: AgilePoint NX OnDemand (public cloud) AgilePoint NX PrivateCloud, or AgilePoint NX OnPremises v9.0 or higher
Encrypt	Description: Stores the access token in the AgilePoint database as encrypted data. Note: AgilePoint recommends you to store this access token in the database in encrypted format. Allowed Values: Deselected - The access token is in plain text in the database. Selected - The access token is encrypted in the database. Default Value: Selected Limitations: This field was removed from the UI in AgilePoint NX OnPremises and Private Cloud v7.0 Software Update 2. Access token credentials are encrypted by default. If you want to store credentials in unencrypted format, contact AgilePoint Customer Support.