0
Answered

Adoption of Daily Exclusion Timing

Bob Bradley 10 years ago updated by anonymous 8 years ago 2

This morning a PHRIS event occurred which resulted in the unwanted disabling of some 2K+ AD user accounts - see CSODBB-312.

The culprit turned out to be the nightly PHRIS practice of truncating the PERSON table at 3 AM, which had a knock-on effect of causing Identity Broker adapter DELETIONS of some 3.5K JOB records - by virtue of a SQL join on EMPLOYEE in the JOB view which is used within the PHRIS JOB web service method implementation.

This is not something we can prevent from happening in the future - but we need to mitigate the impact this could have - and it has been agreed with the Red Rock consultant (Andy Ross) that the best strategy is to institute a "black out" on all PHRIS web service calls from midnight to 5 AM (this includes a buffer of about a couple of hours either side of the activity).

Looking at the IdB 3.0.7 timing documentation I can see that this idea is supported in this version of the product, but I would appreciate confirmation of the correct use of this setting in my current connector configuration.

The JOB connector timing is presently configured as follows:

        <getAllEntities>
          <timing name="RecurringTimespanStandardTime">
            <timespan value="01:00:00" />
          </timing>
        </getAllEntities>
        <polling>
          <timing name="RecurringTimespanStandardTime">
            <timespan value="00:01:00" />
          </timing>
        </polling>

Am I correct in understanding that I should change the above to the following to achieve the desired "black out"?

        <getAllEntities>
			<timing name="DailyExclusion" start="00:00:01" end="05:00:00" UseLocal="True">
				<timing name="RecurringTimespanStandardTime">
					<timespan value="01:00:00" />
				</timing>
			</timing>
        </getAllEntities>
        <polling>
			<timing name="DailyExclusion" start="00:00:01" end="05:00:00" UseLocal="True">
				<timing name="RecurringTimespanStandardTime">
					<timespan value="00:01:00" />
				</timing>
			</timing>
        </polling>

Appreciate your help with a simple yes/no (plus fix) answer - I am about to start testing the above idea in the lab but thought it would be best to seek confirmation that this will work as I expect.

That looks correct Bob Bradley. Quite easy to confirm too, as you can change the timing to every minute, and attempt to black out the current hour.

You may have to watch out for daylight savings, as it will stay with daylight savings when using the local setting. Depends on whether the blackout shifts with daylight savings or not.

Thanks Adam van Vliet - good point on the UseLocal idea with Daylight Savings. Will maybe add another hour either side then - since UTC is harder to read and hence less maintainable (it stuffed us up today scouring the Identity Broker logs when we realised we had to subtract 11 ).

I had just tested the blackout working in the UAT environment minutes before your response, so yes it works well .