Enabling Self-Service Automation: United Fire Group on Roles and Permissions for Members
Hi, everybody. Good afternoon and good evening to our global audience joining us again today for another session of Stonebranch Online. It's my pleasure to introduce our speaker for today, Michael Ohl, who is operations team leader at United Fire Group. So, I hand things over to you, Michael.

Thank you, Marissa. You know, I guess before we start, you know, I'd like to just thank all the Stonebranch team, Marissa, Colin, everybody who's been working to put this together. It's been a really great series, I think. And I appreciate all the hard work you guys have been able to do to pull this together. And I think everybody here probably feels the same way. So thank you very much. As Marissa said, I will take questions and answers, but I'd like to hold those until the end of the presentation. There's a lot of data, or a lot of information, I want to cover today. And I just want to make sure that we get through that and then be able to answer your questions if they haven't already been answered. So with that being said, this session today is called UAC Security, a customer perspective, Universal Automation Center, United Fire, or perhaps, as I like to call it, if you build it, they can't see it. A beginner's guide to business services and security. Business services are really centered a lot around organization and security in general. And this presentation I'm gonna give you today will cover a lot of how that works. I know Doug and Scott covered some of this information in their presentation on the relics user experience that we had earlier this month. But I'm gonna cover this a little more in-depth, provide you with some ideas that may help you implement this in your environment. So what are we gonna do today? Well, I'm gonna talk to you a little bit about who I am, who in the world is UFG, and why Stonebranch? Why did we choose Stonebranch? What were our business requirements? The implementation that we did of business services, and how we use it right now.
We'll get into a little bit of a demo, so you can actually see this stuff real time, and working as is expected. And then we'll cover a little bit of lessons learned. Because, obviously, with every implementation, you always have lessons you're gonna learn. Alright. So about us, or more particularly about me. I have over twenty years in the IT industry, ten of it in IT management. But don't let that fool you. I've been a working manager. I've not really been a full manager. So twenty years in IT. Started at Gateway 2000, for those of you who remember Gateway 2000. Big spotted cow buildings that they had and the spotted cow boxes that they sold their products in? Yeah. That was me. I worked on phone support for them. But since then, I've done desktop administration, server, network, security, backup, all those administrations, infrastructure and operations supervision, a little bit of DevOps experience. All boils down to jack of all trades. And some of you that are in the smaller companies that are out there completely understand what I'm talking about with this. So, at UFG, I've been employed here since December of twenty sixteen. Started in security. Yes, I did start in security, and everybody can kind of groan at that. But then I moved into the operations or mainframe group supervision in June of twenty eighteen. So United Fire Group, first time I looked at this and said, what is United Fire Group? Is it a fire station? Why do they need IT people? No. UFG is actually an insurance company. Stands for United Fire Group Insurance. It's headquartered in Cedar Rapids, Iowa, and it's publicly traded on the NASDAQ. So, we all know how well the market's been doing with COVID. And obviously, with it being down right now, it's a great time to invest. So if you're looking to invest, UFCS is the stock ticker symbol for us.
But more importantly, we're an insurance company with zero debt, which is really hard for companies nowadays, to be a zero debt company. And we have around twelve hundred employees. That, over the last five years, has almost doubled. So we went from five or six hundred five years ago to twelve hundred now. So obviously, we're not accustomed, and we're growing as well as a company. But we focus primarily on commercial, personal, and bond insurance types. Although we just announced recently that we sold off our personal insurance business because we're going to get out of that and focus primarily on commercial and surety bonds. And that insurance is now going over to Nationwide. A little fun fact, if you look at this blue squiggly that's to the right of the UFG Insurance name, it's actually two U's intertwined. But the fact that they never disconnect earned it the nickname "the worm." So, I work at a company with the worm.

Alright. So let's get into why we chose Stonebranch. We had a lot of interesting challenges and drivers here. We have an environment that's mixed. It has Windows servers. Originally, when I got here, ranging from 2003 to 2016. But now, 2008 to 2019. We have a Unisys mainframe. So, for those of you who don't know who Unisys is or don't know what a Unisys mainframe is, it's actually the old Burroughs system. And then we have a bunch of Windows PCs and Macs. The mainframe itself already had a scheduling tool. It's called BL Sched by a company of B and L. And we continue to use that today. It's been very effective in that environment. But what we found, you know, we were able to centrally control it as an operations team. And we could run a few Windows tasks with it, but it didn't have a lot of additional functionality to do all the Windows tasks that we now have with our Windows Servers. Windows Server wise, we had tasks everywhere. We had tasks in Task Scheduler. We had tasks in the SQL scheduler.
And we had a bunch of miscellaneous applications that all had their own scheduling tool. So, in essence, we had no way to really understand how many things were going on in our environment because they were running all over the place.

Alright. Let's get into our business requirements a little bit. For us, it really came down to trying to get a centralized solution, something where we could pull everything together and see what was going on in our environment. We wanted some newer technology, not something that was built strictly on the mainframe, but something that would cover potentially all Windows servers and then potentially the mainframe as well. But that was secondary because we already have a fairly strong scheduling tool there. So the newer technology we wanted needed to cover PowerShell scripts and batch scripts, SQL stored procedures and SSIS packages, Cognos, pass, Visual Basic scripts. Yes. Believe it or not, we still have Visual Basic scripts that are being written. And then do FTP, because a lot of our file transfers between the mainframe and the Windows server environment are all done via FTP, as well as many third parties still send and receive files with us via FTP or SFTP. We additionally needed security to protect the IDs and the tasks that are being run. Because if we're going to put all of this together, we need to make sure that somebody from, say, our digital web team isn't necessarily going to be able to use the SA account on SQL and run some query or run some tasks they shouldn't have access to. So security was big at the forefront of this. We also needed it to be very organized. Because when you start bringing a whole bunch of disparate systems together, it can get cluttered really quickly. For our environment, we also wanted a dev, a test, and a production environment, because that's how we were set up here.

So, let's talk about how we implemented business services. Stonebranch, I got a couple definitions here.
Stonebranch kind of defines this as a feature that allows you to organize your data into groups of related information. It also lets you set security permissions that are specific for the business service. Perfect. Exactly what we're looking for. But as we defined it at UFG, it's a way for us to get our business units, whether they're application or whether they're department level, to see and operate only within their respective areas. We wanted a way to reduce the complexity of a scheduling system because, let's face it, UAC has a ton of functionality in it, and it continues to grow. So we wanna make sure we can minimize what tasks are available, what options are available, and provide them a means to name their tasks the way they need to be named. And then, of course, we needed to apply security. We didn't want just anybody being able to get in and do whatever they wanted to do on this.

Alright. So, let's talk a little bit about business services and security. Groups are key. In fact, groups are a requirement. I know within Doug and Scott's presentation on the relics user experience, there was a question that came up about using Active Directory groups, because they're just easier to add to a system. And Stonebranch has their own groups, and a lot of the member services are attached to those groups. Let me answer it in this way. Yes, you can absolutely use Active Directory groups. But I'm gonna ask the question, do you control those groups? Can you control who gets into those groups? Because if you do your security or create your security around those groups, and you don't totally control the access to those groups, you could have somebody inadvertently getting access to things they shouldn't have access to. For that reason, here, we're using a little bit of a hybrid where we have a group that people can have access to that gives them access to the Stonebranch application, but doesn't give them access to any tasks.
We then would add them to a local group at that point, to give them access to the tasks and the things that they needed access to. So groups are key. Local groups are the best way to handle this, because you can keep control of who has access to those kinds of things. Just some key points to keep in mind there. We wanted to limit visibility, right? So, business services themselves allow us to do that. We can set people in a group with a business service, and the only thing they're going to see is what's assigned to that business service. And we can do that from multiple perspectives. We can do it from just the task level. We can do it at trigger levels. We can do it at even agent levels or calendar levels, those kinds of things, if we want to. And then we want to make sure we utilize naming standards. Within this system, from our perspective, it was very difficult to just turn this loose without having some sort of naming standard. The reason for that is twofold. Number one, you want to make sure you understand who's really utilizing the system. And number two, you can't have identical names. So, by using a naming standard, you're gonna try to prevent people from trying to create tasks with identical names. And then getting frustrated because, quite honestly, they don't have what they need, or they aren't able to save what they want. And it just kind of gives them that, I don't know what I'm doing, and I don't like what I'm doing.

So, setting up access and functionality on a business service, there are really two pieces to doing this. And these apply at the group level: they're roles and permissions. Now roles, there's a link to the roles here that you see on the screen, and it takes you and describes what each of the roles does. But think of roles as basically groups of permissions.
So maybe it's a role that deals with the dashboard, but these are all permissions that deal with what you can do on the dashboard. Permissions are the fine-tune piece of this. So permissions are the individual sections or pieces. For example, you can create a task, but you can't execute it. Or you can read a task and you can execute it, but you can't update it. These are all permission level items where you can do specific things to something, but you can't do everything you wanna do. And then they get very granular. Permissions themselves, as well as roles, can be applied both at group and user level. Although, I would say keep them at a group level.

So a couple drawbacks, as we're looking at business services security, might as well cover these now. There are no group templates, although, thank you to Colin and team, that's coming in 7.0, which is supposed to be third quarter, I believe. So that'll be good. There's a lot of things where you set up a group and you set it up with the permissions and you want to duplicate that for all the different business services that you want to do. The group template is a great way to have that set up and ready to go. The other drawback is that groups are not promotable. I see this as a good and a bad thing, both. Good in a way that when you sometimes promote things, you don't know what you're really giving in the next environment, as far as permissions and as far as what's going on. But when you're creating each of these groups, one by one, and you have two, three, four, ten different environments, you always see controllers that you want to be able to duplicate this effort on. Having them not promotable also makes it very difficult. Promote with caution. That's probably the best way to say this. Because you don't want to promote something and then find out that you just gave access to something you really shouldn't be giving access to. Alright. So, oops, I just clicked on the link.
How about that? Okay, there's your roles. Demo time. Let's start by talking a little bit about our naming standards, because I think that's probably important to show how we're going to get people into using this product and getting them as an end user readily available and understanding how this product works. So let me switch over. We have our own internal wiki. We created a wiki page that actually shows how our naming standards work and gives examples of those. So we talk about things like what their constraints are, their triggers, like all the triggers that are in Stonebranch, the tasks that are in Stonebranch, and then go into monitors, calendars, agents. You'll see that some of this stuff, there's no longer an FTP file monitor when you get into 6.8. So, some of my documentation has to be updated. That's an ongoing process that everybody's going to have to deal with. But as I go into some of these, I talk about what the definition is. I give them a brief definition here, but then I actually show them a bigger definition. Alright? So, they get a real understanding of what they're doing and what they're trying to do. But if I look then at a requirement or example, I actually give them a screenshot. And I highlight the areas that I'm going to talk about or highlight the things that I want them to be able to put in and want them to be able to do. And then at the bottom, I talk about what each of those sections are and how they should do it. So giving them this kind of detail is going to help them to utilize this system.

Okay. So let's actually get into Universal Controller. I've actually signed in here already. So, let me get back to the dashboard. As you can see, it's in a development environment, so obviously things are going to fail all the time because that's what they do. That's what development's for. But let's talk about this environment a little bit. Talk about how much as an administrator we can see.
I mean, there's a lot of things here that we can see, from all the tasks, instances, triggers, those kind of things. You get into dashboards and reports here, you get into agents and system stuff, you get more into system configurations. A lot of this stuff, your bundles and promotions, a lot of the stuff you don't want the end user to be able to see. It's going to confuse them. It's going to make them look at this and go, I have no idea where to start. I don't really wanna do this. And the end goal really here is really democratization, right, of the product. Because Colin kind of talked about that in a previous presentation he did, I think, when he was talking about what the roadmap is. But the point being, you want people to be able to utilize this and utilize the automation within it to move their business forward. So you really want to reduce the complexity of it and the views and how things are done, so that you can enable them to do what they need to do effectively. In this case, like I said, as an admin, there's a whole bunch of things we can see. Now, for the purpose of this demo, I also created a test user. And I'm gonna show you what the test user is going to look like when we actually put them into a group and put them into a business service. But before we go there, I want to talk about how you actually set up business services to start with. So business services themselves are all under the administration tab and under security right here. And really, when you look at business services, you're setting one up. There's really nothing to it. It's a name and a description. That's it. There's no security. There's no way to add people to that business service. This is all there is to it. So, to accomplish the security piece of this, you do have to utilize groups and groups are right next to business services here under security. 
So when I look at groups, and I'll look at the digital and then digital non-BS, and no, that does not stand for what you think it stands for. It's non business service. But as I look at these, I'm going to talk about the roles a little bit here and show you the roles and the permissions and how they can change and how they're different. So, as I look at the digital non-BS or non business service group, let's start here at the control navigation visibility. This is where you control what they can see in this navigation pane. So, back to where I was at on the administration page, your business services, your groups, and your users are all listed under security of the administration page. Your business services are literally a name and a description. That's all you can do to create a business service. You don't actually set your security on the business service. You set it on the group. So when we get into groups, I have two groups here I'm gonna take a look at. One's digital and one's digital non-BS, which is not the BS you think it stands for. It's non business service, which I, you know, kinda cool. But as we look at this group, you'll put your name, you put your description in, but we wanna control what they see. And you control that navigation visibility right here on the group by hitting this checkbox, and then coming in and selecting the items you want them to see. Now, there are certain things that I know they're never going to use, like Linux and Unix tasks, because they don't have any Linux or Unix servers that they're gonna use, or z/OS tasks or SAP and PeopleSoft. So you really want to not show those kinds of things because it's just more clutter that they would have to go through. But there are things like file transfers or manual tasks and timer tasks that you want them to be able to handle and be able to do.
So those are the ones you select, and whichever you have selected here is what's going to show up on this left side when they sign in. And we will look at that here in a minute when I actually utilize my test user to sign into the environment. Now, group roles. We talked about roles a little bit earlier, and we talked about how they're a group of functionality that you can utilize. So in other words, you don't have to put individual permissions on things. You can actually grab a group of roles that already identify what you want to do. For example, there's a dashboard group right here, and a filter group. So the filter group lets them do filtering, and a forecasting view group lets them actually see the forecasted jobs that are going on for their tasks. But these are groups that I felt, for our environment, made sense for what we wanted to try to do and what we wanted to accomplish here. And then, when we get into permissions, this is where it gets really individualized and very much, I guess, you identify what you want them to do and don't want them to do. So, for example, as we look at this, this is the type of task and obviously, there's all of these different things that you can add, right? But the type of task, and I can tell them, if I only want read, well, then I just give them read access. In this case, this is a development environment. I don't care if they do anything they want to do with their work. I'm all good with that. But additionally, besides create, read, update, or delete, you can get into commands for what can happen on this particular type. So as we see here, you can copy a task, launch it, recalculate forecast, so on and so forth. Well, these commands are going to change based on your task selection. So if I go back and do agent, for example, this is all I get for agent. Or if I go into triggers, then I get this for triggers. So this is all going to change based on whatever type you select. And this is how granular you can get.
Now, the interesting part here is that I have one type all the way down with the exception of calendar, which I have two. And the reason I have two for that is because I have one that's for anything that they create that's a digital calendar. But then I have a set of universal calendars that they can just use and not have to worry about them changing. They're always going to stay the same. So, I give them read access to the universal calendars because I don't want them changing the universal calendars if people are using them. But then, for their own digital calendars that they create, I'm giving them the ability to create, read, update, or delete. So, you can have multiple lines in here for the same type and allow them to do different things for different types of items that they're working on and whatever business service or name they're working on. Now, if we look at this again, as a task, and continue down, I give them access to all the commands. By default, it's set to none. So you could give them create, read, update, and delete, but they could never launch the task because they didn't have that command. So these permissions can get a little bit tricky. You're gonna have to work with them a little bit to make sure you're getting what you want out of them. But if all I want them to do is launch, I don't choose all, I just choose launch. The name is what it's going to allow the task to be. So in this case, I'm saying, give me tasks, or let them utilize tasks, that all start with digital and then anything else after it. And that's good because I don't want them seeing maybe something that's SQL or something that's maybe HR. I want them just to see digital. But notice, as this is the non business service task, I did not add the business service here. I left it strictly as a naming. Now, that's great if you can get everybody to want to continue to name their things exactly the way you're asking them to name them.
And by doing this, they're required to have digital something. But in our case, maybe we're not going to have agents that are digital, or we're not going to have calendars that are digital, or we're not going to have scripts that all start with digital. And that gets a little trickier because if I come in and I say, for example, my credentials. Here's a great one. Credentials. You're not gonna say digital dash this credential. You don't typically say that. You just wanna put down, it's this credential. So as I'm setting these as an individual, or setting this for this group, I would say, well, then I want any credentials. I can do anything on this. Well, that's a problem. Right? Because if the SQL team puts in an SA credential, you don't want them to be able to do that. And most times, you can say, no, you know what? If you wanna use credentials, you have to do it this way.

Alright. So if I look at the digital side, now the business service side of this, I still control visibility and I control it right here. But then, as I look at my roles, they're all the same. As I look at my permissions, they're very similar. And I'll say similar because they have all the same operations. They have all the same commands, but the names are all asterisks. So, first thing you're thinking is, wow, they're going to see everything. Well, not really. Because if I look at the triggers, they have to be in the digital business service in order for them to see it. So I took away the need for them to have a certain name at this point, but just said, if it's in digital, you can work with it.

Alright. So, a lot of talk. Let's kind of look at what this looks like from a user perspective. My users are actually pulled in through Active Directory, and I have a test user that I actually created that is strictly a local user on Stonebranch. But I wanted to kind of show you an equivalent of what that's gonna look like. So right now, my test user has no user roles.
They're not a member of a group and they don't have any permissions. So what I'm gonna do is I'm gonna add them to the digital non business service group, just so we can take a look at this. Now, as you see, when I added them to that, there's some user roles that popped up. Those are all coming in and it tells you where they're getting those user roles. So when you add them to a group that has roles already attached to it, they're gonna show up under that user. So you can see where they're accessing or getting access to particular roles right away. What you're seeing here as well is you don't see permissions. Because these permissions, when I add permissions in here, are for this user and not for the group. It would be kinda neat, in a future enhancement request, Colin, as long as you're listening, if we were able to actually pull in the group inheritance in here as well. So you could see what permissions were inherited by groups, if they're still using them.

Alright. So we've added them to the digital non-BS user group. Let's go ahead and pull up an incognito window, so I can sign in as this test user and put in my super secret password. And the first thing we're going to notice is, because I limited the visibility, we only have four tabs up here instead of five. I didn't give them access to the bundles. But even looking at these, you don't see the z/OS tasks or you don't see the SQL tasks in here. You don't see a lot of those extra things that you don't want them to be able to see. I go over to reports, they can see reports. I get into the system and wow, there's only three here compared to what we saw. And let me go back and show you again. In system, all of these were originally there. But now, because we reduced that view, we only see the email templates, the database connection applications. So that's what the limit visibility option is doing for us, which is a really good thing.
And then all I have is audits and Video Classroom. So there's no way for them to add to the group or add a user or, you know, basically add a business service that they want to. This is all they're gonna get. So this makes it much easier for them to see what's going on. And they can also see only the things that are actually running or waiting, in this case, in their group. So this is just digital. So they have a digital task, right? A File Monitor, Agent File Monitor running. They can see that. Now, if I look back at the administrative side, and I went to the dashboard, there's actually seventeen different things that are running right now. So you're really reducing that footprint, really reducing what people are going to see. And that's a good thing. It helps keep the clutter down.

Alright. So, let's look at the tasks. So, when I look at this, there are only three tasks here. In reality, and some of this is tweaking and setup, this is not all the digital tasks that are out there. In fact, there's a number of tasks that are out there just because they're business service digital tasks, but they're not showing up here. So I'm gonna flip over now, and I'm gonna show you what that looks like when we go to a business service and utilize business services. So I'm gonna come back over to my groups. I'm going to refresh because of my test user, and you can do this from the group level or the user level. But my test user is in this group. So I'm gonna edit and take him out. And I'm gonna go to the digital group that is utilizing the business service. And I've got two people in there already, but I'm gonna add my test user to this group. And then I'm gonna flip back over. And I'm gonna hit refresh. I'm not even gonna log out because I switched some groups. I'm just gonna hit refresh. Now, it's applied the new security as a business service, and I'm seeing thirty seven tasks in here. And every one of these tasks has digital assigned to it. Okay.
Well, now you're looking at it and say, okay, well, this is all great and good. And what happens if I have a task and everybody has these, but what happens if I have a task that covers multiple areas, or covers multiple applications, that covers multiple business units? Very easy. They can actually add that by clicking on the business service and adding that other task. So, for example, I could add this to SQL DBA, and now the SQL DBA group and the digital group would be able to see this task. That works out very, very well for tasks that, you know, multiple groups need to see. Now, the other side of this is, okay, what if you have that user, kinda like myself, who has been a jack of all trades, and not only are they doing digital work, but they're also doing SQL work. So they need to see all the SQL stuff and they need to see all the digital stuff. Well, in that case, you're not gonna go to every one of those tasks and add SQL DBA to these tasks, because you don't want the rest of the digital people to be able to see the SQL DBA tasks. You just want this one person to be able to do that. So I'm gonna get rid of this. I'm gonna go back over to the administrative one. And we're gonna say, okay, well, you're part of digital now. Let's add you as part of SQL DBA as well. So I'm gonna come into group members. I'm gonna add them. And I'm gonna pull down here to the test user, put them in. And now that I'm in here, I'm gonna go back. My clicking is a little slow this morning. And as we started with thirty seven tasks, I'm gonna refresh again. And now we're up to forty six tasks. And what we can see is we have digital tasks, but we also have a couple of operations tasks that showed up. Why? Because digital was part of that. We have SQL DBA tasks that showed up, because we've added them to that SQL DBA group. So now this person who does multiple jobs or covers multiple areas can now operate within both of those areas.
Now, one of the issues we had initially with business services, and really rolling this out to the end user populace, is when they would create a new task. For example, let me go to a Windows task, and I'm just gonna call this test. And I click on the drop down for business services. I see every single business service that's in here. Okay. That's great. What happens if I clicked on SQL HR or, say, SQL DBA, and I'm not part of that group? Well, when I would try to save it, it would tell me, well, other than the fact that I don't have an agent field, so let's put an agent in here and a command field. So I'm just going to say test that back, because I'm very creative that way. I'm going to hit save, and it's going to kick me back: duplicate value, task name must be unique. Well, that's my number one problem. So, let's do test for digital. Or in this case, since we're doing SQL, SQL. Let me save it. Operation prohibited due to security constraints. Well, why is that? Because this is not a group I'm a part of. They can only select a group they're a part of. I selected again. I hit save. I still have security constraints. So there's other things in here that I've selected that they don't have access to.

Okay. So to go back on this a little bit, but to look at business services, there's a lot of business services in here. There's a new feature in 6.8, and thank you to Stonebranch for doing this. But there's a new feature in 6.8 that allows, under the system properties, to restrict the visibility of business services unless you're a part of them. So, if I come in and change this to true, okay, and now I go back over and I refresh. Yes, I know it's been modified. I'm going to refresh. Now, if I come back in, and I can look at a common one, or this, our common one. No, I can't look at a common one. I must have to do a new one. And Colin, jump in if I'm not doing this right.
But here, now it's reduced them to just the stuff that I have access to. So there is no need to scare them with all the business services; you can now reduce this so they're only going to see what they have access to. Alright. So, one other question before we jump out of this and get into lessons learned a little bit. One other thing that's kind of come up, and I've talked to Matt and support about this, and hopefully it will be in a future release: one of the things I run into is that when I sign in as a test user, for example, nowhere on the screen, nowhere on the dashboard, no pop-up, nothing tells me what business service or what group I'm a part of. So I can't tell what I need to be naming something, or I can't tell what business service I need to be selecting, other than, now that I've just restricted it, I can only select the business services I have. So what would be really nice, and again, Colin, is for us to be able to get some sort of window or pop-up saying, hey, you're a part of these groups. And that just tells people, I can do things for these types of actions or these types of groups. So, alright, let's get to lessons learned. And let me... apparently my advance didn't work the way I hoped. Alright. Lessons learned. First and foremost, keep it simple. Use the KISS principle on this stuff. If you try to over-engineer it, you're going to run into issues like I just had there, where I couldn't save something because I had a security constraint. But keep it simple. Keep it simple for the end user, but also keep it simple administratively. If it's not simple, people are not going to take to it as well as you'd like them to. Have a good set of standards and definitions. Obviously, giving them examples, showing them what they should fill in and how they should fill it in, is a great way for them to get an understanding and a view of how they should use this product.
Then start with tighter restrictions and open them up as you need to. So, one of the biggest issues we ran into initially, and this was just the learning curve from trying to set this up, is that when we set it up with business services, we didn't restrict, or we didn't have a way or didn't know of a way to restrict, how they named their tasks. So we ended up with a whole bunch of tasks that were not named in the format or structure we wanted them in. And in essence, we've rolled back that access for now until we can get it cleaned up. Well, any time you take something away from anybody... everybody knows nobody likes to have things taken away from them. Start with it easy, get them used to it, and then increase their access as you need to. And then add your business services as you need for visibility. So again, if you have somebody who wears multiple hats, you can put them in multiple groups that are assigned the business service. If you have tasks that cover multiple areas, add the business service to that task so that both groups can actually see it without having to see everything from everybody else. Alright, with that, questions?

Oh, we already have questions coming in. Very cool. Let me just turn my camera back on. First of all, a really cool demo. I'm sure everyone really enjoyed that; I thought it was pretty cool. So, first, we have a comment saying, "I'm using the business service to segregate my environment in multi-tenant. It's a very good resource to do this." Agree. Agree. Nice. Second, we have a question from Tim: "When someone hits a security constraint, is there a way to tell specifically what security constraint was encountered?" Great question. I haven't seen a way to see that, because it just tells you there's a security constraint. Colin, do you know right offhand? How do I jump in here? So, you know, yeah, the message isn't great from the user perspective, but the audit log should show you that.
I have to double-check that all events are captured. But the administrator should be able to go to the audit log and see that. That is something that has been discussed before. We'll probably have to revisit that: can we, or should we, make those messages more apparent? There's usually one line of thought around security that, if somebody's bumping into security, you don't want to give them too much information to try and circumvent it, but I'm not sure that necessarily applies in all these cases. So, fair question. We will look into that. Is this something where maybe we highlight the field where there's a security issue? So, for example, if they select a bad member server or business service, obviously it would highlight the business service field as what they would need to change. Potentially, yeah. Okay. Great question. Yeah, excellent question. Thanks, Tim. And please keep the questions coming; feel free to type them in. While we're waiting for more questions... we have one from, oh, here we go. Here's another one from Glenn: "If someone has access to the Digital business service but they select an additional business service they are not a member of, in addition to the Digital business service, will they be able to save that change?" In parentheses: "They used to be able to save it as long as Digital was in the list, but that has changed at some point, so they can no longer change tasks with multiple business services." Correct. Yes. So it basically checks all of them. You need the relevant authority to all of them there. There might be a property; if we changed the behaviour there, there's probably a property that controls that behaviour. If you search for "strict," that's usually where it is. Restrict? Yeah, just in the top window, above the name, if you just type in "strict" and press enter. Just above the name in the column. Yep, gotcha. Yeah. So we added the search in Cape Verde, just "strict". No, "strict". Not "restrict", "strict".
S-t-r-i-c... Yeah. It might be the "strict business availability" that does that. I'd have to look it up and check from that side, but yes, the way I certainly would like to see it operate is that you need to have authority over the whole thing in order to change it. There are cases where I think you want to share tasks between business services, but you don't necessarily want one business service to be able to change that task without the permission or knowledge of the other business service. Another great question. Yep. Thanks, Glenn. That was from Glenn. We have a question from Ron now: "Can you not add a widget to the dashboard selecting the membership of the logged-in user in order to see its access?" That was something that Michael mentioned, and yes, I was listening to Michael. I made a note of that, so I think that's a great requirement. It makes sense to me. I will bring it up with the team, and we'll see where it goes. Cool. Another question while we're waiting for more to come in, one I had saved: how many groups have you actually created, Michael? How many groups? I'm sitting at twenty-three groups right now. Twenty-three. Yep. So, as you can tell, and we talked about this security-wise, each one of these, when I set them up, had to have the specific permissions set up with the business service set up on it. So this is where the group templates that are coming in 7, 7.0, will make a big difference, because I could actually set a template up and say, I want all of these group roles as a part of the template, and I want all these permissions, and you can leave your business services as star. Then you can actually take that and create a new group with it, and then just modify each of these with all the permissions already preset, but modify them with the business service you want them attached to. So just a note on that: the version number is actually not set at this point, so we're referring to it as pre-release. The version number may or may not be seven.
Who knows? There will be a release at the end of Q3 that will contain that feature. Perfect. We have another question from Glenn, referring back to his initial question on Digital business services. "I'm not a member of Digital business services," he said. So the incognito window is new with 6.8, which I know to be correct, right, Michael? Correct. No, he just said, "Incognito window is new with 6.8, and if not, how do I access it in 6.7?" So, I suppose it's not accessible in 6.7. Is that right? Sorry, I'm not following the question, but that may just be... His initial question was, if someone has access to the Digital business service, but they select an additional business service that they are not a member of, in addition to the Digital business service, will they be able to save that change? That was his original question. Oh, right. So he's talking about the restricted view, I guess. I had a look at when it came in. I know it's definitely there in 6.8. It wasn't there in 6.6. I can't remember if we put that there in 6.7 or 6.8; I'd have to check the release notes to confirm exactly when that was added, but sometime around there. You can check for the version you have fairly easily by looking at the properties and seeing whether the "strict business service visibility" property is available on the system that you have. If not, then it'll be a higher version, but I would have to check the release notes. Next question, from Stefan Mantins: "Groups are defined in the controller. Is there a way to populate a group from LDAP or by SAML?" Yes, actually, you can pull groups in. But that kind of goes back to that same comment I made earlier. You can pull them in; you can actually apply permissions to those groups. The issue comes back to: do you control those groups? Do you control who has access to put people in those groups?
So, within the properties, and actually in the LDAP settings, you can actually select target OUs, user OUs, group target OUs. So you can actually pull our group filters. You can pull groups, individual group names, in here. We did it where we actually used a user filter and pulled only the Stonebranch users group that we created in Active Directory, and the people in that, to actually bring the users in. But, yes, you can actually have a group filter here. And the same applies with single sign-on. You can use the external security, LDAP, or single sign-on to do the provisioning of both the users and the groups. Obviously, the assignment of permissions within the groups is done within the controller itself, but the creation of groups... and obviously there's a filter; you want to make sure you don't pull in potentially every group in your Active Directory, but only related functionality within the product. Yeah, I think this next question actually speaks to this as well, or you've already spoken to this next question: "How do you map the groups between LDAP and UAC? How can we handle the new users and leavers in terms of granting and revoking access?" Yes. Yeah, we did kind of do that. So, you know, it's basically a filter in LDAP. It's an LDAP filter, which groups you pull in. In single sign-on, it's something similar. There are attribute mappings that you can basically set up as to what you pull in. So it's not maybe as sophisticated as the LDAP filters, but there are capabilities there. And as you say, the actual permissions are assigned within the product. So usually the groups are fairly static. So once you've kind of pulled them all in and set them all up, then it's really user assignment. But obviously, as you add new departments or lines of business or whatever you're supporting, there's some administration work to be done to configure it the first time through.
Well, the other thing I want to put out there, Colin: if you add somebody to a group, it doesn't necessarily pull them in right away, if you're expecting them to be readily available to start accessing. A number of times, I've actually had to come in to the server operations and do a synchronization manually so it would pull them right away. It will do it over time; it just doesn't necessarily do it right away when you add them to a group. Right. I believe the synchronization is set up to run once a day. There may be some control over that. I'd have to look into some of the properties around what control we have over that. But yes, you always have the option to kick off the sync at any time. That's always nice. John just supported us in our wondering: 6.7 also has the restrict. Now we have the answer to that. Glenn was actually asking about the ability to open an incognito window. And Glenn, I can't answer this question. That is a feature of Google Chrome. So all you have to do is go up to the top of Google Chrome on the right side and right-click on your user profile, and it gives you the option to open an incognito window, which basically acts like a blank slate in terms of your cache, so it doesn't record the fact that you're logged in already as someone else. That's a feature of your web browser, not necessarily Stonebranch. Yeah, it destroys old cookies when it shuts. Frank had a question. Look at me, I hinted at questions on this session. So exciting. Frank has a question now: "When giving access to a user, I'm afraid that I have given the user too much access, the shotgun approach. Is there a way to tell exactly what a user can do? A graphic or," not sure what that word is, "a listing would be really nice." Might be more of... Colin, do you know if there's a report, maybe, that would give that? Well, you can report on those tables. Let me have a quick look and kind of see what we have. So, the security stuff is available.
You can do it by user roles or users. Yeah. Group roles. So from a specific user's perspective, potentially not a single report that pulls all that stuff together, but you should be able to filter on permissions and roles as separate things for the user. Let me see if he's a part of the selection field on that. So the answer is, I think so. I don't believe that we provide a built-in report that does that. Good question; maybe we should. We do add built-in reports from time to time, so I'll look at that from the point of view of a built-in report, but you should be able to create something using the Report Writer. So if you're in the reporting thing, the table would be... it appears as Security, and then there's a series of sub-tables there which allow you to get to the permissions and roles from that side. I can see that being a good audit report as well. Whoops. The "Whoops, I gave you too much" report. Or "I gave you too many things that you can access that you're not..." The "Stop breaking things" report. Cool. Thank you, both of you. Tim asks: "When syncing with AD via LDAP, does UAC remove entries when they are removed from AD? We seem to have to do cleanup from time to time." They should be removed. I don't know what your experience is on this, Michael. I don't necessarily control that. I can tell because this person has been gone for a while, and so has this one. So it does not clean them up. I'd have to double-check if there are any properties of control. My understanding was that it was a two-way synchronization, that they'd be cleaned up, but there may be a way that that's controlled. Marisa, make a note; I will follow up on that one. That will take a little bit of investigation; I don't have the information at my fingertips. Great question and comment. Especially when you're... Yeah. Was it exactly? Oh, there's another question while I'm writing this down, from Helen: "I want to use nested groups, like a group in a group."
"The permissions only work on the users in the lowest group and don't grant access to users in the nested group. Any chance this will be allowed?" We could certainly consider that as an enhancement request. We'd need to think that through, but I will make a note of it, Helen. From an administrative and a security background standpoint, I get what you're trying to do, and I've done it before. It gets a little bit messy administratively, from my point of view, because you don't know how far down the nesting you go in order to find where they're actually getting access. So I would say that it would be great to use at least one level, but be very cautious about how much you use that. Yeah, I think it's a slippery slope of groups in groups from AD. Okay. Questions? Thank you so much, everyone, for all the good questions. I think it's been a great Q&A so far. Glenn also provided a comment on the cleanup of AD. He said, "It does not get cleaned up in our environment. We always have to delete them." If you clean them up, then I think Michael's trick of adding a person to a group just within Opswise UC would get them deleted out of the group every time it syncs. Okay. And then Helen said her workaround right now for groups within groups is that she has to add the user to each AD group, or maybe that's the workaround for deleting people. No, groups within groups. That's the group, yeah. Yeah. Let's see. I think I had one more thing to ask. Michael, while I'm awaiting more questions: it does look like you have a mix of both IT-centric and business user groups. Have the business users actually adopted the tool? They actually have, but not to the level I want them to yet. They've been able to see from a read perspective; I've kind of given them access from a read perspective to see what's going on. But the technicality of it is still a little bit over their heads.
I'm seeing this probably more, for the non-technical folks, as more of a reporting tool, potentially, for them. But a lot of that stuff I can automate and send to them. Now, to flip that over, there are obviously some technical people in each of these different areas, and we want to make sure that we can extend that out to them so they can start utilizing it for their business in a way that they see fit, and not the IT way, per se. I think a lot of times, from an IT perspective, we get very narrowed on, well, this is the technical way, and this is how you have to do it, when in all reality we don't necessarily completely understand the business need and what they're trying to do. So this is where we need to bridge that gap and give them access to things like this, again, without confusing them, but at the same time allowing them to enhance their business. Yeah, makes sense. We definitely want to bridge the gap as we become more of a platform that supports broader business services. Any final questions while we're waiting for... oh, good, another one, from Adam. Adam says, "One thing I found useful to confirm what a user has access to is creating a test user, test access, and adding identical permissions, business service, etc. Are there any plans to potentially add a masquerade feature which would allow an administrator to simulate the user or group permission access without modifying permissions to a test access user for testing/verification?" Right, so that has come up as a requirement before, so I do have an open requirement for it. I don't have that assigned to a specific release. However, I will make a note that that's been mentioned again. Marisa, if you could pass the company information through to me, because that's kind of part of how we did the tracking on that. We'll see. I don't disagree with the requirement. I think it is a valid requirement, just something we haven't gotten around to yet, but we are aware that that would be a useful feature.
Cool, yeah, I can definitely pass you that info. Really good questions and comments so far. While we await any final questions: Glenn said he also likes that idea, so we have two votes for masquerade mode now. I know where Glenn's from, so... While we're waiting for any final questions or comments, I'll just share some links in the chat. The first link is information about all of our remaining sessions. The second link is registration for our upcoming session on migration and conversion, especially if you're considering migrating or converting. I know some of you use multiple automation solutions, so definitely attend that session or recommend it to anyone you know who might be interested. Any final things? Oh, three votes: John also says he would like that. So, we have three votes for a new feature, Colin. Sorry. I don't think we have any last questions, but if there's a question that comes in after we close the session, we'll make sure to get back to you. But in the meantime, I just wanted to thank Michael so much for agreeing to do this presentation for us. I think it was really interesting, very eye-opening, a nice democratic way of setting up users and permissions and roles. And thanks, Colin, for the support on Q&A. I think we had a wonderful session today. Everyone's saying nice job, and we hope we'll see you again next week for our next session. Until then, have a wonderful weekend, and have a great day.
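The visibility and save rules that the demo and Glenn's question describe, modelled as an added Python example. This is not Universal Controller code and not UFG's configuration: the group, user and task names are constructed sample data; the rule that a task is visible when any of its business services matches a group the user is directly in, and that nested groups are not expanded, is a reading of what was said in the session; and the `strict` flag stands in for whichever product property actually switches between "any one business service matches" and "authority over every business service on the task".

```python
"""Model of business-service visibility and the strict save check.

Added illustration only; not Stonebranch code. Sample groups, users and
tasks below are constructed, not taken from the webinar environment.
"""
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class Group:
    name: str
    business_services: frozenset          # services this group has authority over
    members: set = field(default_factory=set)


@dataclass(frozen=True)
class Task:
    name: str
    business_services: frozenset          # a task may carry more than one service


def services_for(user: str, groups: Iterable[Group]) -> frozenset:
    """Business services a user holds through DIRECT group membership.

    Groups nested inside other groups are deliberately not expanded, which
    mirrors the behaviour described in the Q&A: only the lowest-level group
    grants access. (Assumption about the product, stated in the lead-in.)
    """
    return frozenset().union(*(g.business_services for g in groups if user in g.members))


def visible_tasks(user: str, groups: Iterable[Group], tasks: Iterable[Task]) -> List[str]:
    """A task is listed when ANY of its business services is one the user holds."""
    held = services_for(user, groups)
    return sorted(t.name for t in tasks if t.business_services & held)


def can_save(user: str, groups: Iterable[Group], task: Task, strict: bool = True) -> bool:
    """strict=True: authority over EVERY service on the task (Glenn's current behaviour).
    strict=False: any one matching service suffices (the older behaviour he described)."""
    held = services_for(user, groups)
    if strict:
        return task.business_services <= held
    return bool(task.business_services & held)


def save_outcome(user: str, groups: Iterable[Group], task: Task, strict: bool = True) -> str:
    """'saved', or a constraint message that names the services the user lacks.

    Naming the missing services is the kind of detail Tim asked for; the
    product's own message does not include it.
    """
    if can_save(user, groups, task, strict):
        return "saved"
    missing = sorted(task.business_services - services_for(user, groups))
    return f"Operation prohibited due to security constraints: no authority over {missing}"


# Constructed sample data (hypothetical names, not UFG's real groups or tasks).
DIGITAL = Group("Digital", frozenset({"Digital"}), {"alice"})
SQL_DBA = Group("SQL DBA", frozenset({"SQL DBA"}), {"bob"})
OPERATIONS = Group("Operations", frozenset({"Operations"}), {"carol"})
GROUPS = [DIGITAL, SQL_DBA, OPERATIONS]

TASKS = [
    Task("web-deploy", frozenset({"Digital"})),
    Task("web-cache-flush", frozenset({"Digital"})),
    Task("nightly-backup", frozenset({"SQL DBA"})),
    Task("index-rebuild", frozenset({"SQL DBA"})),
    Task("patch-window", frozenset({"Operations", "Digital"})),   # shared by two groups
    Task("ops-report", frozenset({"Operations"})),
]


def demo() -> dict:
    """Walk through the two scenarios from the session and return the results."""
    before = visible_tasks("alice", GROUPS, TASKS)       # Digital only: 3 tasks
    SQL_DBA.members.add("alice")                          # jack-of-all-trades: add a second group
    after = visible_tasks("alice", GROUPS, TASKS)        # Digital + SQL DBA: 5 tasks
    shared = Task("patch-window", frozenset({"Operations", "Digital"}))
    return {
        "before": before,
        "after": after,
        "strict": can_save("alice", GROUPS, shared, strict=True),    # lacks Operations -> False
        "lenient": can_save("alice", GROUPS, shared, strict=False),  # Digital matches -> True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(save_outcome("carol", GROUPS, TASKS[0]))
```

The point the model makes concrete is the one Colin described: under the strict rule, tagging a task with a second business service widens who can see it but narrows who can change it, so sharing a task across two groups never lets one group edit it without authority over the other group's service.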
Michael Ohl, IT Team Lead at United Fire Group (UFG), an insurance company, highlights several key ways to use business services in the Universal Controller (UC) environment in this on-demand webinar.
Michael discusses why UFG uses business services to reduce the complexity of enabling self-service automation across the organization. He also describes how to apply specific security to enable use or prevent misuse, both within a UC environment and across multiple environments (Production, Test/QA, Dev, etc.).
Topics covered include:
- Using Business Services for Organization and Simplicity
- Automation Security Best Practices
- Live Demonstration of security-minded UC setup
Following Michael's tips and tricks for success, Universal Controller users will be able to take their environments to a higher level of security without losing the agility and functionality they enjoy.
Duration: 1:01:52