cancel
Showing results for 
Search instead for 
Did you mean: 

Citizen Integrator Solution?

brettdorsey
New Contributor III

Hello all,

We’re in the process of on-boarding our first Citizen Integrator in the SnapLogic Platform. We’ve previously federated the development of production integrations to LOB developers, but the Citizen Integrator has a different set of requirements and I’d like to start a discussion as to how best to accomplish this.

Below is the criteria we’re trying to meet:

  • Enable power users of our Marketing team to do simple, low risk, integrations without involving IT
  • Allow the Marketing user to leverage some of our existing shared pipelines and patterns
  • Isolate the resources the Marketing team enough that it will not affect our production integration performance (new users could do some crazy stuff)
  • Allow access to specific sets of production data, but not all shared accounts.
  • They will not have the concept of dev, qa, and production, as digging through production data is their world.

We’re considering a few options, each with drawbacks and advantages…

We could make a new Project Space, as our current development teams have their own project spaces. This gives the marketing team access to shared assets, but puts them into the same production environment as mission critical integrations.

We could perhaps create an entire new org. This would keep them isolated and I think we could assign a node specifically to that node to manage resources. But they’re not able to see shared objects unless we manually move them over. I’m also not sure if there is a cost involved here.

I’d love to hear from anyone else that has already gone down this road. What methods did you try? What worked, and what didn’t?

Thanks in advance!
Brett

11 REPLIES 11

brettdorsey
New Contributor III

Thanks for the thought-out responses!

Or environment currently consists of 3 Orgs (Dev, QA, Prod)
We have 2 SnapPlexes (Cloud and Ground) that are at the Org-Shared level.
We have defined Project spaces to align with line-of-business development groups

Org

Ecommerce
Corporate Systems
Store Systems
etc…

Marketing is the first set of users that aren’t purely development groups but will not be the last. This needs to a be a practical and sustainable pattern going forward. Seeing as how Orgs cost money, it won’t be accepted very well for departments with one or two users.

The solution we’re leaning toward is to
A) create a new project space called Marketing
B) create a new SnapPlex called Marketing within the Marketing project space’s share.

We have 4 additional nodes pending installation. As far as I know, we should be able to assign one or more of those nodes to the Marketing SnapPlex to isolate the server resources to that group. The problem that remains is keeping the Marketing users from running their pipelines on the Cloud or Ground SnapPlexes. I see two option here. First, as Time mentioned, is to move the existing SnapPlexes down from the org share into a lower level. The problem is that we have many Project Spaces that would all need to have SnapPlexes made. The second option is to remove access from “all users” to the org shared folder. Instead, put every user in a group and grant that group access. Keep marketing left out in their own group that only has access to their Project space. We’d just need to move down common shared objects that we want the the Marketing group into their project space as well.

We do have an Integration Success Team in place to facilitate this sort of management within SnapLogic.

Side note: Seems a bit strange that a SnapPlex, which is merely a run-time environemnt, is shared along with other pipelines and accounts rather than their own type of entity that can have access granted outside of the project structure.

@tlui and I were talking about this the other day. We’re certainly open to suggestions to make the workflow more logical; FWIW, I’m with you on this one, but if we’re going to separate it out we want to make sure the redesign is actually a better user experience, so feedback is very welcome.

Shayne

del
Contributor III

@shodge, my feedback on this, without a lot of analysis to determine caveats, is to create an org-level configuration to host snaplexes (either instead of or in addition to project-level configuration). Then each project (or project space) could be configured to target any or all snaplexes at org level. Then permissions to certain org-level snaplexes (for user, pipeline, task, etc.) would be inherited from the project (or project space) permissions to related snaplexes.

use case: projA has access to snaplexA & snaplexB while projB has access to snaplexA & snaplexC and projMarketing only has access to snaplexMarketing.

shodge
Former Employee

Thanks for the feedback.

Am I correct that this doesn’t change the current permissions model / inheritance, it just moves the Snaplexes into their own (linked back to projects) UI area?

Thanks,

Shayne

del
Contributor III

@shodge, I think you mostly captured what I was saying. I think the paradigm shift is how we look at the globally shared project. I’ve reworked my thoughts and the use case a little bit below. I’m going to use accounts instead of snaplexes to better demonstrate the case, but it works similarly for snaplexes and shared pipelines.

Use Case:

  • Workday is used for ERP - both HCM & Finance
  • A minimum of 3 project spaces are utilized by IT to organize Workday-related integrations: HCM, Finance, and Service Management
  • 4 Workday tenants are implemented: Production, Sandbox, Dev, and Sandbox Preview
  • Workday-related pipelines may require (for each tenant) Workday accounts, SOAP WSSE accounts, and REST accounts. This results in a minimum of 9 accounts to maintain in the globally shared project to be shared across all Workday-related project spaces.
  • The business is attempting to implement a citizen integrator strategy for LOB. But the the LOB integrators have no business accessing Workday HCM or Finance data without strict authorization governance…

Current options are:

  • Remove the 9 accounts from the globally shared project and create and maintain them in each of the 3+ Workday-related project spaces (27+ accounts to maintain)
  • Create new SnapLogic org(s) and snaplexes for the new citizen integrator team(s), resulting in potentially significant add to the budget.
  • Nix the whole citizen integrator strategy
  • Dynamic accounts might be useful in this case, but we don’t want to broadcast passwords out to everyone that has project read access

So, my platform enhancement suggestion might be to create a globally shared/restricted project space where access is not controlled by a user/group mapping, but by a project mapping. Everything else in the platform remains the same.