Citizen Development Program: Establishing Guardrails

Content By Devops .com

Citizen development is as easy as one, two, three.

  1. Select the right use cases
  2. Enable the citizen developer(s)
  3. And establish the guardrails, which I will cover here.

Of course, there is a little more to it than this. Success requires focus, planning and patience. We previously discussed, in parts one and two of the series, the discipline required around use cases and citizen developers (CDs). This third and final post covers how to establish the appropriate technical and process guardrails to ensure the wider enterprise, platform and developers are protected.

Establishing the Guardrails

Guardrails exist for two primary purposes: alignment and independence. Clear and concise guardrails ensure alignment across organizational objectives, company policies and disparate teams. Those same guardrails provide CDs with a degree of independence – a safe operating space where they will not be micromanaged or unnecessarily burdened by processes.
Effective guardrails define and enforce a range of acceptable behaviors, as well as reduce risk and speed application delivery.

While low-code application platforms (LCAPs) each have their unique capabilities and technical implementations, relevant features can be viewed in three broad categories: platform foundation security, app dev access control and development tools & processes.

Within the context of your specific LCAP and development methodology, you need to consider and answer the following questions:

Platform Foundation Security

  • How will you provide your CDs a “safe” environment to build and test their applications? Does your platform support separate and secure development, test and production environments? Will you put your citizen developers in their own discrete development environment?
  • Will your developers be working with data that requires encryption and/or localization? If so, does your platform support data encryption and compliance with relevant data residency laws?
  • Does your LCAP support anti-virus scanning and/or HTML sanitization, and if not, how will you prevent a CD from inadvertently putting your organization at risk?
  • What logging and auditing is required for your CD activities? Who reviews logs? How long is the information kept?
  • Does your platform support enhanced security mechanisms like two-factor authentication (2FA) or virtual private networks (VPNs)? Will citizen developers be working in areas or with applications that require enhanced security?
  • Are there other risk, compliance and security standards that your organization mandates? If so, how will you incorporate them?

App Dev Access Control

  • How will you provision or deprovision developer and tester accounts? How will you handle developer login and authentication into the development environment?
  • Will CDs have development access to downstream environments across testing, staging and production?
  • Will you use groups to control access to applications in development, and if so, who will manage these groups?
  • Will you use roles to grant access to distinct development capabilities like tables, workflows, UIs, mobile, reporting, analytics, etc.? What determines which role(s) a citizen developer is granted?
  • Will you provide a library of pre-built application components (e.g., workflows, dashboards, virtual agents, etc.)? How will you control access to and usage of the pre-built components?
  • Will you allow citizen developers to access pre-built integrations? How will you control access to and monitor usage of those pre-built integrations?
  • Does the developer identity and access management process need to be driven by an enterprise identity provider, such as Azure Active Directory?
  • Will citizen developed applications be able to access other citizen developed applications? How will app-to-app access be controlled?

Development Tools and Processes

  • How will you manage your demand intake process? How will you ensure that new applications do not duplicate existing application functionality? What criteria will you use to determine if an application is a good fit for a citizen developer?
  • Will you require your CDs to adhere to all, some or none of your existing development methodology? Can you explain the methodology in terms the citizen developer will understand and accept?
  • Will you require CDs to create requirements or agile stories before building an application?
  • Will you require tests be developed for CDs’ applications, and if so, can these be automated? Who will develop those tests?
  • Will you require code or application reviews of citizen developed applications? What best practices and standards will be used during those reviews? Can those reviews be automated?
  • What level of documentation, if any, will you require developers to produce?
  • How will you promote applications through the development pipeline (i.e., dev to test to prod)? Can the app promotion process be automated?
  • How will you track and manage CDs’ applications through the development pipeline and their life cycle?

Reflections on Citizen Development Programs

The exercise of writing this series and your feedback has encouraged me to reflect on parts one (selecting the right use cases) and two (enabling citizen developers). Here are a few final thoughts to consider:

  • Do you care that a CD builds just one app or do you want them to build more?
    Ideally, a CD continues to deliver app after app. But attrition can be high in a CD program. Therefore, if your CD built a single application that delivers business value and then returned to their “day job,” you should still celebrate that success.
  • Is citizen development better suited for creating new apps or maintaining existing apps?
    In my view, the answer is both. LCAPs provide great opportunity for CDs to prototype or even produce an MVP of an application. At the same time, LCAPs allow professional developers to build more complex applications and turn the maintenance of those applications over to CDs.
  • How many LCAPs can you reasonably expect a citizen developer to understand?
    Realistically, perhaps one, or maybe two. Keep in mind that app development is important, but having CDs focus their technology choices on a single LCAP vastly improves their chances of success.
  • Do citizen developers make good professional developers?
    Consider this – some of the best developers I have worked with do not have computer science or software engineering degrees. It’s more important that a developer has a passion for technology and, more importantly, for understanding how technology solves business problems.
  • Finally, explore and embrace citizen development before your competitors do, as the value proposition is real in this new world of work we have found ourselves in. After 30 years in enterprise IT, I can confidently say we’ve reached an inflection point in technology and business, truly democratizing application development.

This post is the third of a three-part series from Mark Tognetti that provides real-world insights on delivering business value from citizen development initiatives.

Leave a Reply

Your email address will not be published. Required fields are marked *