How to migrate to Subscription Hub
1. Abstract
Moving to the Subscription Hub all the User management of a live application such as user information, roles, licenses, metadata and custom selects might be challenging. This document aims to guide the client step by step through the transition avoiding any potential inconveniences.
2. Context
There are multiple benefits to having the user management for all the Board Cloud Platforms unified and centralized in a single portal on which the admin can massively upload the user’s list, receive all the subscription requests and approve/decline the access, assign them the proper role and license or easily manage with the permission group, modify the information and the metadata fields and control the collaboration services. The following paragraphs will provide a detailed description of the entire process of migration, highlighting any potential critical points and their respective solutions
3. Content
The Subscription Hub installation will be handled by the Board CloudOps team, while its initialization and connection to all existing Board Cloud Platforms will be the responsibility of the Board solution owner.
The following sections will guide the Board solution owner starting from the request to be raised to the Board Cloud Ops team, explaining how to configure the IDP Federation and link the first instance, listing all the available possibilities to load the User’s list into the Sub Hub with their pro and cons, explaining what will change in the System Administration after the migration
3.1 Request a Subscription Hub activation
The first step is raising a request to Cloud Ops Team which can be reached at cloudoperations@board.com asking for a Subscription Hub installation and providing an administrator email contact who will receive the activation mail
3.2 Configure the Identity Provider Federation
In case of single sign-on (SSO) log-in, it’s mandatory to have the SSO configuration in place through the Identity Provider Federation section before importing the users to the Sub Hub. The Identity Provider Federation section is leveraged to quickly integrate third-party authentication services, enabling users to seamlessly log-in to Board using their existing credentials. These federated identity providers, or external identity providers (IDPs), exchange authentication information, ensuring a secure and streamlined user experience. Board embraces open standards, supporting SAML2 and OIDC-based identity providers, and ensuring compatibility with various enterprise environments.
Figure 1 – IDP Configuration
The Board owner is empowered to manage this task independently through the dedicated section (Opens in new window or tab), however, Board Support and Cloud Ops remain readily available to assist if any complexities arise.
3.3 Join the 1st instance of the Subscription Hub
Once the SSO setting is put in place, the board owner selects a sandbox instance that will be used to test and evaluate the new setup of the user management before adopting it for all the other platforms.
Before starting the process, it’s recommended to download the user’s list from the Users section inside the System Administration portal by clicking on EXPORT in the upper left corner of the page.
Figure 2 - Users
The Cloud Ops team will then join the selected sandbox to the Sub Hub. From this point forward, the sandbox will be committed to the new user management system, and it will not be possible to roll back to the old User management.
Users loading
After the join performed by the Ops Cloud Team, the chosen platform will be visible inside the Subscription Hub home page. Before getting in it's necessary to assign at least one user to this new instance
Figure 3 - Platforms
When loading is completed, each user will now consume one license regardless of how many environments it is authorized to access.
The process of adding users offers multiple options:
3.3.1 Migrate User from the platform
Clicking on the burger menu of the chose platform, it’s possible to directly migrate the existing users to the Subscription Hub.
Figure 4– Import Users for Selected Platform
This process will automatically create all the existing users of the platform inside the Subscription Hub, assigning them
- An “User” License
- A dedicated role if the user had a custom select in the source platform*
- The access to the source platform
- An authentication method (in this example the Identity Provider Federation of the chapter 3.2)
Figure 5 – Sub Hub Users
*Point 2 requires an additional and more detailed explanation:
An application based on the old Users management system might have several custom select specified at Users level to better define the perimeter of their securities. This setting is done inside the System Administration > User > Select tab
Figure 6– User custom select
When Users are added through the “Import Users” button inside the burger menu of the platform, Board automatically generates and assigns a dedicated role to each User who has a custom select. The roles will inherit the name of the Users and the same selections that were defined in the Select Tab of the Users tile in the System Administration.
Figure 7 - Roles
However, this approach is not recommended for applications with a substantial number of users, as it implies the creation of a vast number of roles.
The suggested approach is to reconcile the users to a limited number of roles and manage the user-specific security selections through metadata, “select entity based on cube” or “cube visibility”.
Strength | Weaknesses |
---|---|
“Plug and Play” quick action | For numerous Users application, a rework is needed if the custom select where implemented at the user level before the migration, to avoid having a dedicated role for each User |
3.3.2 Create massively through the Import Button
The massive creation of the Users inside the Sub Hub is possible through the bulk import features, that automatically configure their details and authorizations with the upload of a csv file.
Figure 8 – Sub Hub Users export
To perform this action the following column headers are required and must be included in the CSV file:
- Username
- User license
- Instance name
- Role
- License
This option is preferred for applications with a high number of users, avoiding creating multiple roles as mentioned in the last chapter. To fill the csv file the export made in chapter 3.3 can be helpful.
To have a more detailed description of this step, please refer to the dedicated section of the board manual here
Strengths | Weaknesses |
---|---|
The Excel Input file is easily and massively editable and lets the admin load in one shot the User’s list for all the instances | Filling the input file and its mandatory fields can be time-consuming |
3.3.3 Create Users manually
The last option is to create users one by one with the “+User” button.
Strengths | Weaknesses |
---|---|
There’s more control of the input process, less possibility of misleading entries | Time-consuming for a high number of user applications |
What else has changed?
With the Subscription Hub installed and linked to the Board cloud platforms there are some features that have been moved from the original System Administration home page:
Figure 9 – Legacy System Administration
Figure 10 – Sub Hub System Administration
The Users section has been replaced with the Subscription tile, that now bring to the home page of the Subscription Hub. The same for the User metadata field, that now has its own page in the Sub Hub.
Figure 11 – Sub Hub Users metadata
Once defined, the metadata fields will be managed in the Users section and will be shared with all Board platforms linked to the Sub Hub.
The license settings are now centralized as well. In the Sub Hub there is a dedicated page that shows the overview of the active licenses, with counters on how are used or left. The assignment is managed by the Users section, and as mentioned above, each user will consume one license regardless of how many platforms has access to.
Figure 12 – Sub Hub License
The new Features tile contains some advanced settings that can be managed at roles level to allow/deny specific actions inside the application. This settings were previously controlled inside the Profiles section of the legacy System Administration.
Finally, the general settings are moved too inside the Sub Hub home page. In this section it’s now possible to control the Board authentication, customize the mail sent in the enrollment phase and set the clients for the Board public APIs.
Figure 13 – Sub Hub General Settings
If the Board Web chat is used and if the latest Collaboration feature available with the Sub Hub need to be enabled, a point of attention must be highlighted: all the previous discussions done in the Board chat will be lost
4. Conclusion
If all points above are successful, the other instances can be joined and import of the remaining users, if necessary, can be done as in step 3.4. This plan needs to be carefully evaluated and each step assessed in detail by the Board owner and implementation team before starting any activity. The Board Cloud Ops team is available if any help is needed.
Move to the Subscription Hub all the User configuration has several benefits for a cloud customer. If the process described above will be followed with the assistance of the Board Ops Cloud the transition should be smooth and any unexpected inconvenience avoided