Non-Prod Environment Configuration
The following configuration options are commonly used when setting up QA, UAT, or test environments. They help reduce the risk of unintended changes to production users and systems while still allowing meaningful validation of workflows, access controls, and notifications.

Restricting access to the UAT Activate web portal

Access to the Activate web portal can be restricted using the availableusers configuration parameter. When this parameter is set, only users who are members of the specified role can access Activate. All other users are redirected to an unavailable page.

This approach is commonly used to limit access in QA or UAT environments, or to temporarily disable access during upgrades or maintenance windows.

Configuration

Set the following parameters under //resources/configuration/web:

availableusers: Specifies the role a user must belong to in order to access Activate. The referenced role must be a dynamic role.
unavailablemessage: Defines the message displayed to users who are not members of the availableusers role.

Restricting Orchestrator changes within Active Directory

There are two supported approaches for limiting what the Activate Orchestrator can modify within Active Directory in a UAT environment.

Option 1: Restrict updates using an Activate function

An Activate function can be used to limit directory updates to a specific OU. Jobs will continue to complete successfully, but any attempted updates outside the permitted OU are skipped and recorded in the audit log.

This option is typically used when a UAT environment is connected to a production Active Directory and it is necessary to prevent changes to production objects.

Option 2: Use a separate Active Directory service account

Alternatively, the UAT Orchestrator can run under a dedicated Active Directory service account with restricted permissions. Delegated access can be applied to allow write permissions only within specific OUs, reducing the risk of unintended changes and simplifying testing.

Activate function: overrideupdatableou

The overrideupdatableou function limits Activate to updating only users and groups within a specified OU in Active Directory. This is intended for UAT environments that share the same Active Directory forest as production.

Configuration

Navigate to //resources/configuration. Create a new parameter with the following properties:

Name: overrideupdatableou
Type: OU reference

Objects outside the specified OU are treated as non-updatable. Any attempt to modify them results in an audit log entry on the associated job.

Behaviour and validation

After setting this parameter, restart the Activate Orchestrator and perform an IIS reset.

You can validate the configuration by searching for users in tasks such as Update User. Users outside the permitted OU appear in the search results with a red strike-through.

You can also assign a test user to a role that includes defaultusergroup parameters referencing groups outside the permitted OU. The user is added to the Activate role, but is not added to those Active Directory groups.

Azure directory environments

In Azure-based directory environments where organisational units are not available, direct distinguished names (DNs) must be specified instead. Multiple DNs can be configured by separating each value with a semicolon.

Only objects that match the specified distinguished names are treated as updatable. All other objects are skipped and recorded in the audit log.

Separate Orchestrator service account in Active Directory

UAT environments can be configured to use a different Active Directory service account from production for the Activate Orchestrator. This service account can be granted limited permissions using delegated access, typically scoped to specific OUs. This further reduces risk when testing against shared directory infrastructure.

This approach is often combined with email redirection to prevent notifications being sent to production users.

Redirect all emails to a single email address

When testing workflows in environments connected to production systems, it can be useful to redirect all outbound emails to a single mailbox. This allows notifications and approval workflows to be tested without emailing production users or test users who do not have mailboxes.

Configuration

Navigate to //resources/configuration. Create a new parameter with the following properties:

Name: overrideemailaddress
Type: String
Value: Email address to receive all redirected messages

Restart the Activate Orchestrator and perform an IIS reset for the change to take effect.

Redirected emails have their subject prefixed with the original recipient address, for example:

wendy.evans@activatelive.com services approval request manager approval

Disable email sending

In non-production environments, it may be desirable to prevent emails from being sent while still generating and storing them in the database. This allows workflow testing without user impact.

Configuration steps

1. Open Activate Studio.
2. Navigate to //resources/configuration.
3. Set the SMTP server value to local.
4. Save the parameter. No restart of services is required.
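
Before pointing a UAT Orchestrator at a shared directory, it helps to confirm which test objects fall inside the overrideupdatableou scope described earlier on this page. The following Python check is an added example, not Activate code: it assumes an object is updatable when its DN equals or sits beneath a configured DN, compared per RDN and case-insensitively, and that configured values contain no escaped semicolons. All DNs are constructed.

```python
def split_dn(dn):
    """Split a distinguished name into normalised RDNs, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    # DN comparison is treated as case-insensitive; padding around RDNs is ignored.
    return [p.strip().lower() for p in parts if p.strip()]


def parse_scope(value):
    """Parse a semicolon-separated scope value into a list of RDN lists."""
    return [split_dn(item) for item in value.split(";") if item.strip()]


def is_updatable(object_dn, scope):
    """True when object_dn equals, or sits beneath, one of the permitted DNs."""
    rdns = split_dn(object_dn)
    return any(base and rdns[-len(base):] == base for base in scope)


def classify(object_dns, scope_value):
    """Map each DN to 'updatable' or 'skipped' for the given scope value."""
    scope = parse_scope(scope_value)
    return {dn: "updatable" if is_updatable(dn, scope) else "skipped"
            for dn in object_dns}


# Constructed sample values (assumptions, not taken from any real directory).
SCOPE = "OU=UAT,DC=corp,DC=example;CN=Test Group,OU=Groups,DC=corp,DC=example"
OBJECTS = [
    "CN=Wendy Evans,OU=UAT,DC=corp,DC=example",
    "cn=test user,ou=people,ou=uat,dc=corp,dc=example",
    "CN=Test Group,OU=Groups,DC=corp,DC=example",
    "CN=Domain Admins,OU=Groups,DC=corp,DC=example",
    # An OU whose name contains an escaped comma; a plain string-suffix test
    # would wrongly place this object inside OU=UAT.
    "CN=Svc,OU=Prod\\,OU=UAT,DC=corp,DC=example",
]
```

Any object reported as skipped here should also show the red strike-through or an audit log entry in Activate; a mismatch means the assumed matching rule differs from the product's and should be checked before testing continues.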