Inside Activate
Non-Production Environments
Access Restrictions and Safety Measures for Activate Non-Prod
The following options are useful when setting up QA, UAT or test environments.

Restricting access to the UAT Activate web portal

General access to the Activate web portal can be restricted by using the availableusers parameter. Only users in the specified role will be able to use Activate; anyone else will be directed to an unavailable page. The message on this page can be customised. This functionality is also useful for temporarily disabling access during an upgrade, or more permanently for a QA/UAT environment.

Parameters to set on //resources/configuration/web:

availableusers – specifies the role to which you must belong to access Activate (note that the referenced role needs to be a dynamic one)
unavailablemessage – the message that shows to anyone who is not in the availableusers role

Warning: the system roles\users role is not an appropriate role to use, as the user won't have rights to read the availableusers parameter and it will not work correctly. To achieve this, copy the users role membership definition and use this as the availableusers value.

Restrict orchestrator changes within Active Directory

There are 2 different approaches to restricting what the Activate UAT job service account can do within Active Directory. You can either use an Activate function to restrict AD changes to objects in a specified OU only; this will allow the job to complete without errors and will log in the audit log the groups that the user was not added to. Or you can use a different service account in AD which has limited rights within AD to make changes. This user could have write access on a specific OU to make testing easier.

Activate function overrideupdatableou

This provides the ability to limit Activate to only updating objects in a specified OU within AD. This is designed for UAT environments which reside within the production AD environment, where it is desirable to limit the UAT server from updating production information.

Navigate to //resources/configuration/ and create a new parameter with a type of OU reference called overrideupdatableou. Non-updatable users and groups will fail with an audit log entry on the associated job. You must restart the Activate job service/iisreset after setting this parameter for it to take effect.

This can be tested by searching for users in a task like 'update user'; the user will appear in the search list with a red strike-through. You can also test this by adding a test user to a role that has a number of defaultusergroup parameters assigned for groups that are not in the OU specified for the overrideupdatableou. The user will be added to the Activate role but should not be added to any of the defaultusergroups.

Azure-only environments don't currently support OU references; overrideupdatableou on these environments is restricted to being a string type parameter with a semicolon-separated list of groups or users that can be modified. An enhancement to this functionality is in development.

Separate job service account in Active Directory

You can configure the Activate UAT job service account to use a different AD service account to the one being used by the production Activate job service. This UAT service account can have limited permissions within Active Directory by using delegated access rights.

These options are normally configured with the 'overrideemailaddress' function below to send all email notifications to a common mailbox for UAT.

Redirect all emails to a single email address

During testing in a production environment, it can sometimes be useful to redirect all emails to a single mailbox. This can be used to test workflows and notifications without sending the emails to production users or test users that do not have a mailbox.

To configure this, create a new parameter on //resources/configuration called "overrideemailaddress" of a string type, and specify the email address where emails should be redirected to. Ensure you restart the Activate job service and the Activate web pool (iisreset).

Any emails to the override email address will have the subject prefixed with the original target, e.g. mailto:wendy.evans@activatelive.com Services Approval Request Manager Approval
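
Before running the defaultusergroup test described for overrideupdatableou, the groups a role would touch can be sorted into those inside and outside the updatable OU by comparing distinguished names component by component. This is an added example, not code from Activate or from this page. It assumes subtree semantics (nested OUs count, the OU object itself does not); the DNs, UAT_OU and the function names are constructed for illustration.

```python
# Added illustration: models the OU scoping described for overrideupdatableou.
# Not Activate's code; subtree semantics and every DN below are assumptions.

def split_dn(dn):
    """Split a DN into normalised (attribute, value) RDNs, honouring backslash escapes."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:      # unescaped comma ends the current RDN
            rdns.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().casefold(), value.strip().casefold()))
    return out

def is_updatable(target_dn, updatable_ou):
    """True when target_dn sits strictly beneath updatable_ou (nested OUs included)."""
    target, scope = split_dn(target_dn), split_dn(updatable_ou)
    return len(target) > len(scope) and target[-len(scope):] == scope

def audit(updatable_ou, target_dns):
    """Partition targets into (updatable, blocked) lists, preserving input order."""
    updatable, blocked = [], []
    for dn in target_dns:
        (updatable if is_updatable(dn, updatable_ou) else blocked).append(dn)
    return updatable, blocked

# Constructed sample: groups a UAT role might list as defaultusergroup values.
UAT_OU = "OU=UAT,DC=corp,DC=example"
SAMPLE_GROUPS = [
    "CN=UAT Testers,OU=Groups,ou=uat,dc=corp,dc=example",
    "CN=Finance\\, Shared,OU=UAT,DC=corp,DC=example",
    "CN=All Staff,OU=Groups,DC=corp,DC=example",
    "CN=Leavers,OU=NotUAT,DC=corp,DC=example",
    "OU=UAT,DC=corp,DC=example",
]

if __name__ == "__main__":
    ok, blocked = audit(UAT_OU, SAMPLE_GROUPS)
    print("updatable:", *ok, sep="\n  ")
    print("blocked:", *blocked, sep="\n  ")
```

Groups reported as blocked are the ones expected to appear in the job's audit log as not updated.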