Late last year we announced the SnapLogic Integration Cloud Winter 2014 release. One of the features that was mentioned but didn’t get much fanfare was what we call “Sub-orgs.” Here’s how it was described in the press release:
“Parent/child org support enabling enterprise IT to delegate privileges and enable self-service to divisions, departments and lines of business while retaining strong governance and control.”
The January 2014 upgrade of the SnapLogic Integration Cloud expands our enterprise-grade hierarchical model to organize and provide fine-grained access control to all integration platform as a service (iPaaS) assets. Assets are defined as any resource that can be created by a SnapLogic Integration organization (or org) and tracked by the service in the monitoring and reporting Dashboard.
In the new model there are two types of objects: Assets and Containers
- Assets: Pipelines, Tasks (scheduled vs. triggered jobs), Files, Accounts, APIs, Snaplex (scale-out cluster of nodes), Snaps
- Containers: Organizations, Projects
Assets are contained within the Container type (Projects or Organizations) and each Asset can be applied User and Group permissions that can provide complete isolation across different departments and execution environments. Assets can be shared across all Projects (for example, an entire Organization) or restricted by group and user ACLs within specific Projects.
Some of the key highlights of this new model include:
- We now have a completely uniform access control model based on Read, Write, and Execute permissions. All Assets and Containers can have an associated user and group ACL. Specific permissions can be inherited through nested Containers to simplify ACL specification.
- We now have the notion of groups of users within an Organization, which combined with the new permissions model makes it easy to control how Assets are used.
- Each Container can have its own Snaplex. This will help create complete isolation of the Snaplex at the Project level. The main benefit is that an Organization can have different departments running on an isolated Snaplex or create different environments across separate Containers and have isolated Snaplexes running on them.
- Customers and embedded cloud integration partners can implement a hierarchical organization setup. The hierarchy enables the notion of Containers that can be used as projects, or sub-organizations. There is no technical limit on the depth of the hierarchy. (More on this below.)
- This new model paves the way for future LDAP and SAML integration to support customer identity management.
Customer and Partner Benefits of Assets and Hierarchies
The new Assets and Container hierarchy model brings immediate benefits to both enterprise customers as well as SnapLogic Integration embedded partners and resellers. Here’s an overview:
Enterprise Customers
In working closely with SnapLogic customers over the last number of months, here are some of the benefits I believe Assets and Hierarchies will deliver:
- Simplified as well as sophisticated navigation of the Organization Assets based on the existing enterprise hierarchy file systems
- Flexible organization through sub-Folders, Projects, and sub-Organizations
- Simplified and inherited access control through a uniform permissions model
- Improved access control through groups
- Complete isolation with fine-grained security access across Assets and Containers
- The ability to provide secure execution environments for running business critical integration tasks across the enterprise (e.g. QA, Dev, Production)
The most profound benefit is that our enterprise customers will now see a consistent view of all of the resources associated with their SnapLogic Integration Cloud deployment. The hierarchical Organization is based on the same type of hierarchy found in commonly used file systems such as Windows, Mac OS X, and UNIX. Therefore, our users should be immediately comfortable with this approach. Arbitrary Folders can be created to represent an Organization strategy that is appropriate for a specific customer. All SnapLogic Assets live in the same namespace, which means a user cannot create the same name for different assets. For example, you cannot have a Pipeline and Task that are both called Update Inventory in the same directory. This helps avoid confusion when naming Assets. Here’s a screenshot of a Project in the Manager:
The new permissions model also introduces simple Read, Write, and Execute controls for all Containers and Assets. This approach, which also draws from existing file systems, lowers the conceptual weight of managing access to different Assets. Any Asset can be assigned permissions, which form the access control list. A permission consists of a subject type (which can be a user or a group), a subject (which is a user name or a group name), and a set of permissions (RWX). In addition, a permission set as inheritance. This allows a user or a group to be given access to everything within a folder, including everything in subfolders. This model greatly simplifies the assignment of permissions to Assets, especially for customers with several Projects consisting of several Assets.
The group feature also makes it easy for SnapLogic Integration Cloud customers to de-couple specific users from specific permissions. This is extremely useful in situations in which a customer may have users that eventually leave their organization or their role in the organization. It is also useful when a customer hires professional services through SnapLogic or through one of our implementation partners. A group possibly combined with inheritance makes it easy to temporarily add access for a 3rd party professional services consult.
By virtue of fine-grained ACL permissions at the Assets and Container level, the model is flexible to provide complete security isolation between Folders, Projects or Sub-Organizations for each Asset type. For example, Snaps, APIs, Pipelines can now be completely isolated to maintain security between different Containers and Sub-Orgs. On the other hand, Assets can also be shared across Containers and Sub-Orgs, thus enabling cross-departmental and organizational collaboration.
Here’s a screenshot of the SnapLogic Integration Cloud Manager dialog for specifying permissions on a Project container:
Project containers are not exposed in the Designer when working on Pipelines. Here’s a screenshot:
Here is an example of a customer hierarchy and permissions:
/FooBarCorp
| Groups:
| [members: alice, bob, jane, john]
| [admin: alice, bob]
| [dev: jane]
| [hr: john]
|-/Shared
| ACL:
| [dev, RWX, inherit=true]
| [hr, X, inherit=true]
| SalesforceAccount
| TwitterAccount
|-/Social
| ACL:
| [dev, RWX, inherit=true]
| GetTweetsPipeline
| GetFollewrsPipeline
| TwitterTask
|-/Reports
| ACL:
| [dev, RWX, inherit=true]
| [hr, X, inherit=true]
Embedded Cloud Integration Partners and Resellers
Earlier in this post I mentioned that another motivation for the new Assets and Hierarchy model is support for the concept of Sub-Organizations. A Sub-Organization can live in a primary Organization?s hierarchy. However, the primary Organization will have administrative control over the Sub-Organization. This administrative control will enable SnapLogic OEM and reseller partners to create, manage, and service Sub-Organizations. This feature will make it easier to rollout the SnapLogic Integration Cloud to a large customer base and for the partner to better service their customers directly.
Here is an example of an OEM/reseller Hierarchy and permissions:
/AwesomeIntegrators
| Groups:
| [members: alice, bob]
| [admin: alice, bob]
|-/NewFlix
| | Groups:
| | [members: sally, tom]
| | [admin: sally]
| |-/Project1
| |-/Project2
|-/SmartMart
| | Groups:
| | [members: bob, betty]
| | [admin: bob]
| |-/Project1
| |-/Project2
All SnapLogic Integration Cloud customers will be upgraded this coming weekend. I look forward to your feedback on this and other exciting new features we’re delivering as we continue to push the boundaries of integration delivered as a cloud service.
