User Management Process - Frequently Asked Questions
Does the UMP run under a service account that would be given elevated privileges using an account from our AD? Or as the SYSTEM account?
The UMP runs a Windows Command Batch (.bat) file typically scheduled using Windows Task Scheduler (unless you have another preferred job scheduling tool).
We typically configure this job to run under the SYSTEM account. That account needs full access to the artifacts folder (which we deploy during the UMP installation) and to the Python installation (basically the Python folder). It also needs access to the folder where the UMP files reside, and access to the SQL Server instance with db_owner privileges on the database we deploy there (called AQForumIntegrations) as well as on tempdb. Typically the SYSTEM account already has access to the SQL Server, but if it does not, this access must be granted.
If you want to run the process under another account (local or domain), the same level of permissions described above would be required for the chosen account.
How is the UMP database configured?
In either case (SQLite or MS SQL Server) the database is configured by AgilQuest as part of the UMP build process, and a backup is provided as part of the build. For MS SQL Server environments, the client is responsible for installing the MS SQL Server instance on their server(s).
Is there a script involved in the process?
For the SQL version, the UMP relies on a number of stored procedures to run; any scripting is handled by the AgilQuest team. No scripting is needed for the SQLite version.
What sort of access will be required?
For the SQL version we will need to be able to connect to the database, either with a dedicated SQL Login or a trusted connection, as a DB Owner of the database that AQ will provide. For SQLite, no particular access considerations are needed.
Is there a naming convention for the database?
Yes, AQForumIntegrations
How much space do we anticipate this will take?
SQLite is lightweight (12 MB) and resides within the UMP folder; the SQL backup is roughly the same size.
Can the Forum UMP run on a virtual server?
Yes! Absolutely.
Is any AgilQuest connectivity required to the Forum UMP software and/or server?
Only during the initial deployment of the UMP solution to work with the client team to implement on the client server. Once the setup is complete, the process does not require AgilQuest to connect to the client server remotely.
What are the various data formats permitted in this transmission (batch and online)? E.g. XML, JSON, XLS, CSV.
A pipe (|) delimited flat file, or a direct connection to the client data source. The files produced by the UMP for DMU consumption are .CSV files.
Are column headers required for the Custom UMP Feed File?
Yes, column headers are required in the Custom UMP feed files (extracts).
Does the user feed batch need to be the entire user population or only add, update and delete records?
The entire population of users needs to be sent, with a status flag distinguishing active and inactive users.
Do you have an example PowerShell script to pull the data out of Active Directory in the pipe-delimited format required for the UMP?
Sure! Here is a sample PowerShell script. It's only a sample, so you'll want to adjust the fields based on the data elements and field names you will use.
# Requires the ActiveDirectory (RSAT) module; adjust the property list to your feed's field names.
Get-ADUser -Filter '*' -Properties Name,Surname,GivenName,mail,department,Enabled |
    Select-Object Name,Surname,GivenName,mail,department,Enabled |
    ConvertTo-Csv -Delimiter '|' -NoTypeInformation |   # keeps the required header row on every PowerShell version
    ForEach-Object { $_ -replace '"', '' } |            # strip CSV quoting; values must not themselves contain |
    Out-File 'C:\temp\users.txt'
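The one-liner above strips every quote character, so a value that itself contains the pipe delimiter would silently shift the columns after it, and it relies on the AD Enabled attribute as the status flag the UMP needs for the whole user population. The following is an added example (not code from the AgilQuest page) that builds the same feed with the header row required by the UMP, an explicit Active/Inactive status column, a check that no value contains the delimiter, and UTF-8 output. The column names, the Status values and the output path are assumptions; take the real field names from your UMP requirements workbook.

```powershell
# Added example, not the AgilQuest page's own script. Column layout and Status values are assumed.

function ConvertTo-UmpFeedLine {
    param(
        [Parameter(Mandatory)] $User,
        [string[]] $Columns
    )
    $values = foreach ($c in $Columns) {
        $v = [string]$User.$c
        # The feed has no quoting, so a value containing the delimiter would shift every
        # later column. Refuse the row instead of corrupting the feed silently.
        if ($v.Contains('|')) {
            throw "Value for '$c' on user '$($User.SamAccountName)' contains the delimiter '|': $v"
        }
        $v
    }
    return ($values -join '|')
}

function Export-UmpUserFeed {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $Path
    )
    # Assumed feed layout: one row per user for the entire population, status flag last.
    $columns = 'SamAccountName','GivenName','Surname','mail','department','Status'

    $rows = foreach ($u in $Users) {
        # Derive the status flag the UMP needs from the AD Enabled attribute.
        $status = if ($u.Enabled) { 'Active' } else { 'Inactive' }
        $record = [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            GivenName      = $u.GivenName
            Surname        = $u.Surname
            mail           = $u.mail
            department     = $u.department
            Status         = $status
        }
        ConvertTo-UmpFeedLine -User $record -Columns $columns
    }

    # Header row first (required by the UMP), then the data rows. UTF-8 so the consumer does
    # not receive the UTF-16 that Out-File writes by default in Windows PowerShell 5.1.
    $content = @(($columns -join '|')) + $rows
    Set-Content -Path $Path -Value $content -Encoding UTF8
    return ($content.Count - 1)   # number of user rows written
}

# Constructed sample input standing in for Get-ADUser output, so the example runs without AD.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName='cjones'; GivenName='Christian'; Surname='Jones'; mail='cjones@example.com'; department='Finance'; Enabled=$true  }
    [pscustomobject]@{ SamAccountName='asmith'; GivenName='Ana';       Surname='Smith'; mail='asmith@example.com'; department='IT';      Enabled=$false }
)
$feedPath = Join-Path $env:TEMP 'ump-users.txt'
$written  = Export-UmpUserFeed -Users $sampleUsers -Path $feedPath
"Wrote $written user rows to $feedPath"
Get-Content $feedPath

# Against a real domain, replace $sampleUsers with:
# Get-ADUser -Filter '*' -Properties GivenName,Surname,mail,department,Enabled
```

Because the UMP expects the full population on every run, the export does not filter on Enabled; disabled accounts are included with Status=Inactive so the UMP can archive them.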
How does the UMP job run?
We typically run the UMP job under the Windows Task Scheduler using the SYSTEM account, which in turn typically uses the service account that the SQL service runs under to execute against the database server.
Please verify with your DBA that this is acceptable and if not, let your project team know how they would prefer to provide the access to the SQL Server environment(s) for this process to run. The UMP requires owner access to the AQForumIntegrations DB (which we will provide), tempdb and msdb (for database mail notifications).
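The two answers above (the run-as account on the first question, and the scheduler on this one) describe one procedure: schedule the UMP batch file under SYSTEM and make sure that account can reach the UMP, artifacts and Python folders. The following is an added example (not AgilQuest's own installer or script) that checks the folder access and registers the daily task. The folder paths, batch file name, task name and run time are assumptions.

```powershell
# Added example, not part of the AgilQuest UMP deliverables. Paths, task name and time are assumed.

$umpFolder  = 'C:\UMP'                              # assumed: folder where the UMP files reside
$umpBatch   = Join-Path $umpFolder 'run_ump.bat'    # assumed batch file name
$artifacts  = Join-Path $umpFolder 'artifacts'      # assumed artifacts folder
$pythonHome = 'C:\Python'                           # assumed Python folder
$taskName   = 'AgilQuest UMP'
$runAt      = '02:00'

function Test-UmpFolderAccess {
    param([string[]] $Paths, [string] $Identity = 'NT AUTHORITY\SYSTEM')
    # Reports whether the identity holds an Allow ACE granting FullControl on each path.
    # SYSTEM normally has this by default; the check catches hardened folders where it was removed.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; FullControl = $false }
            continue
        }
        $acl = Get-Acl -Path $p
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        [pscustomobject]@{ Path = $p; Exists = $true; FullControl = [bool]$ok }
    }
}

Test-UmpFolderAccess -Paths $umpFolder, $artifacts, $pythonHome | Format-Table -AutoSize

# Run the .bat through cmd.exe with the UMP folder as the working directory so relative paths resolve.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$umpBatch`"" -WorkingDirectory $umpFolder
$trigger   = New-ScheduledTaskTrigger -Daily -At $runAt
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# To run under a dedicated local or domain account instead (the FAQ notes the same permissions
# then apply to that account), drop -Principal and pass -User 'DOMAIN\svc_ump' -Password '...'
# to Register-ScheduledTask.

# Confirm what was registered: the run-as principal and the trigger are what a reviewer will ask about.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State,
    @{ n = 'RunAs';   e = { $_.Principal.UserId } },
    @{ n = 'Trigger'; e = { $_.Triggers[0].StartBoundary } }
```

The access check only covers the file system; whether SYSTEM can reach SQL Server depends on the login the DBA has granted, which is the point of the verification this answer asks for.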
If we have a UMP, can we still add or manage users manually through the web? Or will the UMP overwrite what you change?
The answer is: it totally depends!
It depends on what information you are updating and the parameters set for your UMP which you would decide with your AgilQuest implementation team during the UMP requirements gathering sessions.
There are certain data elements that, as a standard, are updated every time the UMP runs, such as first name, last name and email address, where the source of truth is your source system (this could be Active Directory, your HRMS or another system of choice). This means that the information must be correct in your source system, which then allows the data to flow into Forum via the UMP.
Example: A user wants their First Name to appear in Forum as Chris vs Christian.
Changing this in Forum will only be temporary if it doesn't get changed in your source system. If the feed for the UMP still contains "Christian" as the user's first name in the record, the manual change you made in Forum will get overwritten on the next UMP run.
So the data flow is from your source system (again the "source of truth"). It doesn't flow from Forum into your source system.
On the other hand, there could be some data elements on the user's profile where you have decided (again, during requirements gathering) that the value is set only during the initial creation of the user's record and is not updated every time the UMP runs. This means that a user can modify that field in their profile and it will not be changed by the UMP (for example Location or Preferred Name).
If you're not sure which data fields are updated nightly versus only on the initial add, refer to your UMP requirements workbook or your UMP Overview for your specific settings.
What is the protocol that is used to transmit the data? How is it secured?
The DMU, which is used to transmit data to Forum, uses HTTPS to transmit data securely. Calls are made to a RESTful API over HTTPS using TLS 1.2.
How much data should be sent and how frequently can this be transmitted?
The data should include your entire population of users who will have access to Forum. We will also need a status flag for terminated users so that we can mark their user records inactive (or archive them). As a best practice, we recommend that the process runs daily.
Can the data for the UMP be transactional based for a single individual as well as a daily batch of many individuals?
No, the process requires the full set of data each time which would include new and existing users (for updates) and users that have been terminated.
What is the response or acknowledgement mechanism to confirm that the transmission was successful and the processing of the request was complete and successful? Is there logging and reporting to record the synchronization events?
There is a success/failure notification email built into the process. Upon completion, a success notification goes out including the number of users added, changed and deleted (archived). Any failure in the process also results in an email, which can include the error records and the reason for the failure (for example, duplicate login IDs). Along with the email notifications, there are several data tables in the database backend used for tracking the process, acknowledging successes and failures, error tracking, etc., in the UMP.
The DMU also produces log files that are consumed during UMP execution to report successes and failures. These are where the email notifications get their information, and the data objects are accessible to the client in the database once we deploy the solution in the client environment.
What is the ETL as it relates to the Forum UMP?
The ETL "Extract" is the client source file produced by the client from their HR source system (e.g. AD, PeopleSoft, etc.). The ETL "Load" is handled by the Data Management Utility tool (provided by AgilQuest with associated documentation as needed). The ETL "Transform" is the UMP process, which imports the user-related data from the HR feed (flat file or direct DB source). The process applies logic to the source data to produce the files for adds, changes and deletes (archives) to user information in AgilQuest Forum, to be consumed by the Data Management Utility tool.
Does the UMP software have to reside within our firewall? Can AgilQuest host the UMP environment?
Yes, the UMP does have to reside in your environment/server, though technically that environment could be hosted in Azure or AWS if you prefer not to have it on-premises. The client would need to decide how to transmit the data source to a hosted environment (like Azure/AWS). AgilQuest does NOT host client UMP environments.
What are the requirements for the server beyond 20 GB of space and server 2016+ (i.e. processor/RAM)?
Aside from the requirements for the DMU we don’t have a recommendation in terms of the RAM/processor. If you need something for the base build, you can use 4GB of RAM as a minimum. Additionally, if you are installing the MS SQL Server Instance on the UMP server, you should follow Microsoft's recommendations for the MS SQL Server version that you are installing.
What is the expected DB size and growth for the SQL database?
The database deployed for the UMP is typically less than 1 GB to start and uses the SIMPLE recovery model, so the transaction log is truncated automatically rather than kept for log backups (though daily backups are recommended for DR purposes). You can allow for a 10% growth rate to be safe, but DB growth will mostly be driven by the client's user population as it increases.
What permissions does the SQL user need? Is it just DBO or RW on its database, or does it need higher level permissions on the system? Is AgilQuest setting up SQL jobs or is all the automation being done on the UMP server?
DB Owner access to the database that we will be delivering and tempdb should be sufficient for the process. The database that will be delivered with the solution will hold the database objects (tables, functions, stored procedures) accessed during process execution. You have the option of automating the process execution using a SQL Agent Job or through Windows Task Scheduler on the UMP server.
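This answer, together with the earlier ones on the run-as account, pins down the database side of the setup: db_owner on AQForumIntegrations, on tempdb and (for database mail notifications) on msdb, for whatever account the scheduled job runs as. The following is an added example (not an AgilQuest deliverable) that grants exactly that and then verifies it, using Invoke-Sqlcmd from the SqlServer module. The instance name and the principal are assumptions: with the task running as SYSTEM on the same host as SQL Server the login is NT AUTHORITY\SYSTEM; from another machine it would be the computer account (DOMAIN\HOST$), and a dedicated service account would be named here instead.

```powershell
# Added example, not AgilQuest's own setup script. Instance and principal names are assumed.
# Requires the SqlServer module (Install-Module SqlServer) and sysadmin rights to run.

$instance  = 'localhost'              # assumed SQL Server instance
$principal = 'NT AUTHORITY\SYSTEM'    # assumed: the account the UMP scheduled task runs under
$databases = 'AQForumIntegrations', 'tempdb', 'msdb'

function Grant-UmpDatabaseAccess {
    param([string] $ServerInstance, [string] $LoginName, [string[]] $Databases)
    # $LoginName is an administrator-supplied constant interpolated into T-SQL, not user input.
    # Create the instance-level login once (idempotent), then a database user plus db_owner
    # membership in each database.
    $createLogin = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] FROM WINDOWS;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' -Query $createLogin

    foreach ($db in $Databases) {
        $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER [$LoginName] FOR LOGIN [$LoginName];
ALTER ROLE db_owner ADD MEMBER [$LoginName];
"@
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $db -Query $grant
    }
}

function Test-UmpDatabaseAccess {
    param([string] $ServerInstance, [string] $LoginName, [string[]] $Databases)
    # One row per database: does the user exist, and is it a member of db_owner?
    foreach ($db in $Databases) {
        $q = @"
SELECT
    CASE WHEN EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName') THEN 1 ELSE 0 END AS HasUser,
    CASE WHEN IS_ROLEMEMBER('db_owner', N'$LoginName') = 1 THEN 1 ELSE 0 END AS IsDbOwner;
"@
        $r = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $db -Query $q
        [pscustomobject]@{ Database = $db; HasUser = [bool]$r.HasUser; IsDbOwner = [bool]$r.IsDbOwner }
    }
}

Grant-UmpDatabaseAccess -ServerInstance $instance -LoginName $principal -Databases $databases
Test-UmpDatabaseAccess  -ServerInstance $instance -LoginName $principal -Databases $databases |
    Format-Table -AutoSize
```

Two things to check with the DBA when running this: tempdb is rebuilt from the model database every time the instance starts, so a user created directly in tempdb disappears after a restart (creating it in model, or from a startup procedure, is the usual way to keep it); and if you choose the SQL Agent Job option instead of Task Scheduler, the job runs under the Agent service account (or a proxy), so that is the principal that needs these grants rather than the UMP server's SYSTEM account.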