Experiences with access rights in the portal and manual restart of the Cache builder service

Ingrid_Glatz

We have a lot of impatient users who would like to have access to certain requests in the portal asap. According to the KB article, some changes are synchronized to the portal DB every 2 hours, others get synchronized every 24 hours. Which kind of acess rights belong to which action?

- adding an AD Group to a user role in Service Manager

- adding a user to an existing group in AD; this group or its nested group already has permissions in the portal

- creating a new AD group and add it to a group that has already permissions in the portal

What effect has the manual restart of the Cache Builder Service?

This morning, I added an existing AD group to a user role in Service Manager and restarted the Cache Builder service. This group already has access to incident work items and certain requests, but they want to have access to some new requests being available on the portal for about 3 weeks now. Even after 4 hours, those requests are still not visible to the user in question, he can only see the older requests. He even restarted its machine to make sure that nothing is left in the browser cache.

Are we all to impatient? I thought, restarting the Cache builder service would speed up the access rights. Does it take longer than expected? I would be glad to get a good explanation, so I can tell the users that they probably have to wait until the next day. I'm tired of restarting the service with obviously not the expected effect. The users are unsatisfied and so I'm I after telling them to try again and again and again.....

Thanks for your tipps.

Ingrid

Joe_Burrows

Hi Ingrid

Scoped access syncs every 24 hours by default and on app-pool restart, to force this particular schedule you would need to restart cachebuilder and website. The below table never seems to fail me when I want to rush things up access wise for analysts or end users. 



As @Adam_Dzyacky mentions you can change this default schedule, though scoped access can take some time depending on how much queue scoping you have.

More details on the below KB:
https://support.cireson.com/KnowledgeBase/View/1176#/

So for your questions:

- adding an AD Group to a user role in Service Manager

Scoped access change, restart cachebuilder\website to force sync OR wait the 24hours.

- adding a user to an existing group in AD; this group or its nested group already has permissions in the portal

This is synced ever 2 hours, however if its granting some form of scoped access from the above table you would need to then wait\force the scoped access schedule to run.

- creating a new AD group and add it to a group that has already permissions in the portal

The cachebuilder needs to be able to retrieve the distinguished name from the CMDB to do the AD lookup on the "users and groups" schedule, so you would need to wait or sync your AD connector first.

Hope that helps.
Regards
Joe

Brian_Winter

Have you checked your AD Connector in SCSM?  That has to pull in your AD Updates before Cireson DB can synch them.

Ingrid_Glatz

Hi Brian,

the AD connectors (about 15) sync once at night and I'm aware that newly created groups and users won't be available before the sync. In some cases, I manually sync the AD connector.

But mostly, users and groups already exist and I either add users to an AD group or add an AD group to a user role in Service Manager. Users know that they have to log on when group membership gets changed. But when does the Cireson Portal reflect the newly configured rights if I do not restart the Cache builder?

Adam_Dzyacky

Hey @Ingrid_Glatz, perhaps the following feature request (which ultimately became futile thanks to @merlenette_jones' insight) could be of help?

https://community.cireson.com/discussion/477/selective-cache-building

Candice_Yeudall

Ingrid you are not the only one that thinks that it takes forever to get things updated. We have actually seen it take a day or more for new things to show.

Joe_Burrows

Hi Ingrid

Scoped access syncs every 24 hours by default and on app-pool restart, to force this particular schedule you would need to restart cachebuilder and website. The below table never seems to fail me when I want to rush things up access wise for analysts or end users. 



As @Adam_Dzyacky mentions you can change this default schedule, though scoped access can take some time depending on how much queue scoping you have.

More details on the below KB:
https://support.cireson.com/KnowledgeBase/View/1176#/

So for your questions:

- adding an AD Group to a user role in Service Manager

Scoped access change, restart cachebuilder\website to force sync OR wait the 24hours.

- adding a user to an existing group in AD; this group or its nested group already has permissions in the portal

This is synced ever 2 hours, however if its granting some form of scoped access from the above table you would need to then wait\force the scoped access schedule to run.

- creating a new AD group and add it to a group that has already permissions in the portal

The cachebuilder needs to be able to retrieve the distinguished name from the CMDB to do the AD lookup on the "users and groups" schedule, so you would need to wait or sync your AD connector first.

Hope that helps.
Regards
Joe

Ingrid_Glatz

Hi Joe,

thanks for the detailed explanation. This shed some light into the process.

I will do documentation for our help desk to tell them that it usually will take 24 hours. It wouldn't make sense to try to explain differences. And I don't want to restart Cache builder and Website every other hour for access rights to be poupulated more quickly.

Regards

Ingrid.