PA Configuration database table: Difference between revisions
Jump to navigation
Jump to search
(TK-63184) |
|||
| (9 intermediate revisions by 2 users not shown) | |||
| Line 145: | Line 145: | ||
== SAML 2.0 Federated Authentication Settings == | == SAML 2.0 Federated Authentication Settings == | ||
Note that the SAMLMetadataUrl and ServiceProviderLocation are mandatory for the federated authentication to work. | Note that the SAMLMetadataUrl and ServiceProviderLocation are mandatory for the federated authentication to work. Having both ExternalOAuthServerConfiguration and SAML authentication configured at the same time is not supported. | ||
{| class="wikitable" style="text-align: left" | {| class="wikitable" style="text-align: left" | ||
| Line 172: | Line 172: | ||
||SAMLSigningCertificate | ||SAMLSigningCertificate | ||
||This setting defines a PFX formatted X.509 certificate (defined in RCF 1422) used to sign SAML authentication requests sent from QPR ProcessAnalyzer to the identity provider. The public key of the certificate is published in the service provider metadata, where the identity provider can read it, to verify the authenticity of the SAML requests. The setting needs to be a PFX formatted certificate file that is base64 encoded and it doesn't contain the BEGIN CERTIFICATE etc. header or footer lines. If this setting is not defined, the internal hard-coded signing certificate is used. More information how to create the certificate file (https://stackoverflow.com/questions/16480846/x-509-private-public-key) and convert it to base64 (https://stackoverflow.com/questions/46959822/base-64-encoded-form-of-the-pfx-file). | ||This setting defines a PFX formatted X.509 certificate (defined in RCF 1422) used to sign SAML authentication requests sent from QPR ProcessAnalyzer to the identity provider. The public key of the certificate is published in the service provider metadata, where the identity provider can read it, to verify the authenticity of the SAML requests. The setting needs to be a PFX formatted certificate file that is base64 encoded and it doesn't contain the BEGIN CERTIFICATE etc. header or footer lines. If this setting is not defined, the internal hard-coded signing certificate is used. More information how to create the certificate file (https://stackoverflow.com/questions/16480846/x-509-private-public-key) and convert it to base64 (https://stackoverflow.com/questions/46959822/base-64-encoded-form-of-the-pfx-file). | ||
|} | |||
== OAuth 2.0 Authentication Settings == | |||
Having both ExternalOAuthServerConfiguration and SAML authentication configured at the same time is not supported. | |||
{| class="wikitable" style="text-align: left" | |||
!Name !!Description | |||
|- | |||
||ExternalOAuthServerConfiguration | |||
||Used to configure OAuth 2.0 compatible OAuth server settings for server that is used to authenticate the user signing in to ProcessAnalyzer. If not set, external OAuth server will not be used for authentication. If set, contains a string representation of a JSON object that supports the following properties: | |||
* '''Authority''' (string): OAuth authority URL for authentication. E.g., https://accounts.google.com/ | |||
* '''Audience''' (string): Mandatory. OAuth audience/client ID for validating OAuth tokens. | |||
* '''AuthorizeUrlOverride''' (string): Override URL for the OAuth authorization endpoint. If empty or not defined, the default URL from the authority's discovery document is used. | |||
* '''TokenUrlOverride''' (string): Override URL for the OAuth token endpoint. If empty or not defined, the default URL from the authority's discovery document is used. | |||
* '''UserInfoUrlOverride''' (string): Override URL to fetch user information from the OAuth provider. If empty or not defined, the default URL from the authority's discovery document is used. Should not be used if OpendID Connect is to be used as access token validation is skipped. | |||
* '''ClientSecret''' (string): OAuth client secret for confidential client authentication. If configured, this value is sent as the client_secret parameter when exchanging authorization codes for tokens. | |||
* '''Issuer''' (string): OAuth issuer for validating OAuth tokens. If empty, the authority URL's issuer is used. | |||
* '''UserNameClaim''' (string): Name of the claim whose value is to be used as the name of the authenticated user. The default value is "preferred_username". | |||
* '''UserGroupsClaim''' (string): Name of the claim whose value is to be used as the names of the user groups the authenticated user belongs to. When a user logs in, the user is added to and removed from groups based on the information in the UserGroupsClaim. If this setting is not configured, users are not added to or removed from groups automatically. Note that the user needs to login for the groups to be synchronized. If a group doesn't exist in QPR ProcessAnalyzer, that group is skipped. The default value is empty, i.e. groups are not synchronized.<br> | |||
Example configuration:<br> | |||
<pre> | |||
{ | |||
"Authority": "https://accounts.google.com/", | |||
"Audience": "...", | |||
"ClientSecret": "...", | |||
"UserNameClaim": "name" | |||
} | |||
</pre> | |||
|} | |} | ||
| Line 203: | Line 232: | ||
== MCP Server Settings == | == MCP Server Settings == | ||
MCP server settings are needed for QPR ProcessAnalyzer to act as an MCP server. | MCP server settings are needed for QPR ProcessAnalyzer to act as an [[QPR_ProcessAnalyzer_as_MCP_Server|MCP server]]. | ||
{| class="wikitable" style="text-align: left" | {| class="wikitable" style="text-align: left" | ||
| Line 209: | Line 238: | ||
|- | |- | ||
||McpServerConfiguration | ||McpServerConfiguration | ||
||Used to configure the | ||Used to configure the MCP server built-in to ProcessAnalyzer server. If not set, MCP server functionality is disabled and MCP clients can't access to this server using MCP. If set, contains a string representation of a JSON object that supports the following properties: | ||
* McpApiKey: If defined and not empty, defines the API key that can be used to connect to QPR ProcessAnalyzer MCP server without any other authentication. Default value is empty. | * '''McpApiKey''' (string): If defined and not empty, defines the API key that can be used to connect to QPR ProcessAnalyzer MCP server without any other authentication. Default value is empty.<br> | ||
Example value when using API Key authentication: | |||
<pre> | |||
{ "McpApiKey": "xnTqr@Hd87JcuCmQZbjUHfwD@" } | |||
</pre> | |||
Example value when using OAuth 2.0 authentication: | |||
<pre> | |||
{ "McpApiKey": null } | |||
</pre> | |||
Note that when using OAuth 2.0 authentication the BuiltInOAuthServerConfiguration (see below) needs to be defined with an AcceptedAudiences value other than the default. | |||
|- | |||
||BuiltInOAuthServerConfiguration | |||
||Used to configure OAuth 2.0 compatible OAuth server settings for OAuth server built-in to ProcessAnalyzer server. If not set, built-in OAuth server functionality is disabled and clients can't connect to this server using OAuth. If set, contains a string representation of a JSON object that supports the following properties: | |||
* '''Issuer''' (string): OAuth issuer, which identifies a trusted authorization server that authenticates users and issues OAuth 2.0 access tokens and JSON Web Tokens (JWTs). If not defined or empty, default value is used, which is of format: <QPR ProcessAnalyzer server's base URL>/builtin-oauth. For example: https://example.com/builtin-oauth. The default value is empty. | |||
* '''AcceptedAudiences''' (array of strings): Array of strings that define all the accepted audiences this QPR ProcessAnalyzer server is serving. When authorizing user using OAuth, these values are matched with the audience-parameter (a.k.a. client id) of the authorization. Only requests with a value that matches a value in this array are accepted. If null, audience-parameters are not validated at all. Instead, all authorization requests will pass the audience validation check. This also enables [https://datatracker.ietf.org/doc/html/rfc7591 Dynamic Client Registration Protocol (DCR)]. The default value is an empty array. | |||
* '''SigningKey''' (string): Signing key for the built-in OAuth identity provider. If empty, generates a non-deterministic key based on the physical system where QPR ProcessAnalyzer is running. NOTE: Once QPR ProcessAnalyzer server is restarted, these non-deterministic keys no longer work. If defined, string must contain the key either in PEM ([https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.importfrompem?view=net-10.0 RFC 7468 PEM-encoded key]) or JSON ([https://datatracker.ietf.org/doc/html/rfc7517 RFC 7517]) format. The default value is empty. | |||
* '''TokenLifetimeSeconds''' (integer): Token lifetime in seconds for the built-in OAuth identity provider. After access token created by built-in gets older than this lifetime, it becomes unusable and a new token has to be created. The default value is 3600. | |||
* '''DisableExternalOAuthForwarding''' (boolean): Can be used to disable forwarding OAuth requests to any configured external OAuth authorization server or SAML identity provider. If set, a QPR ProcessAnalyzer's own login view functionality is always used when authorizing a user. The default value is false. | |||
Example configuration:<br> | |||
<pre> | |||
{ | |||
"Issuer": "", | |||
"AcceptedAudiences": ["qpr-processanalyzer"], | |||
"SigningKey": "", | |||
"TokenLifetime": 3600 | |||
} | |||
</pre> | |||
|} | |} | ||
Latest revision as of 13:36, 9 April 2026
QPR ProcessAnalyzer database has a configuration table PA_Configuration containing settings listed in the tables below. You need SQL Server Management Studio to edit the settings in the configuration table. QPR ProcessAnalyzer Server needs to be restarted (e.g. IIS application pool recycled) for the changes to take effect.
For boolean values, true and 1 are valid values for yes, and false and 0 are valid for no.
General Settings
| Name | Default value | Description |
|---|---|---|
| DefaultDataSource | Datasource where datatables data is stored when datatables are created by a script when the datasource is not explicitly specified in the script. Options are Snowflake and SqlServer. Value snowflake can be used when the SnowflakeConnectionString setting is defined, and value sqlserver can be used when the setting SqlServerConnectionString is configured. The setting can be changed without affecting the existing datatables, as the setting only affect new datatables. When this setting is empty, datatables are created in the metadata database. | |
| SnowflakeConnectionString | ODBC connection string for the Snowflake account. This setting is needed to make analytics calculations in the Snowflake. More information how to configure the Snowflake connection string. The Snowflake ODBC driver also needs to be installed in the machine running the QPR ProcessAnalyzer Server. When this setting has been configured, users can create Snowflake stored datatables and models using Snowflake calculation.
When running QPR ProcessAnalyzer in the Snowpark Container Services, leave the SnowflakeConnectionString empty because then the connection string is created automatically using the method provided by the Snowpark Container Services. | |
| SqlServerConnectionString | Connection string for the SQL Server database containing the datatables data. It's recommended to use a separate database, but it's also possible to connect to the same database as the configuration data. If this setting is not configured, local datatables cannot be created (SQL Server stored). Existing datatables located in the configuration datatabase still work even if this setting has not be configured. Note that the connection uses ADO.Net (not ODBC), so the connection string is similar to the configuration database (appsettings.json file). | |
| DefaultColorPalette | Charts color palette used globally in the environment. Defined as a json array of strings encoded with RGB hex (with or without alpha). Note that when a color palette in a chart has been changed, the chart starts using a chart-specific color palette, and the global color palette doesn't affect those charts.
Example: ["#1F77B4", "#FF7F0E", "#2CA02C", "#D62728", "#9467BD", "#8C564B", "#E377C2", "#7F7F7F", "#BCBD22", "#17BECF"] | |
| OpenAIAPIKey | API key for the OpenAI API (https://platform.openai.com/docs/api-reference). It needs to be configured to use the AI Assistant and OpenAIChatCompletion function. | |
| OpenAIDefaultModelName | gpt-4o | OpenAI large language model (LLM) to use for the AI Assistant and OpenAIChatCompletion function. If not defined, gpt-4o will be used. Note that only LLM's that support the function calling feature, are suitable for the AI Assistant. More information about OpenAI models: https://platform.openai.com/docs/models. |
| DefaultCortexAgentsModelName | llama3.1-70b | Specifies the default language model when using Snowflake Cortex Agents (https://docs.snowflake.com/en/user-guide/snowflake-cortex/cortex-agents-rest-api). If not defined, llama3.1-70b is used. |
| QueryTimeout | 300 | Timeout (in seconds) for requests made to /api/expression/query and /api/expression endpoints. When the timeout is exceeded, the query is stopped and a timeout error is returned. Purpose of the timeout is to protect the system against potentially too long running or even never-ending queries which might otherwise jam the system. |
| SessionIdleTimeout | 3600 | Idle user session expiration timeout in seconds. User session expires if the session hasn't been used after this amount of time. |
| SessionMaximumDuration | 86400 | Maximum duration for a user session in seconds. Even if a session is used so that the SessionIdleTimeout is not reached, the session is expired after this amount of time. |
| DatabaseId | Unique identifier for the QPR ProcessAnalyzer environment. Any characters between a-z, A-Z, 0-9 and _ (underscore) can be used in the DatabaseId. If the DatabaseId is missing or set to null, the system will generate a new GUID during startup and use it as the DatabaseId. The DatabaseId can also be an empty string. If using several QPR ProcessAnalyzer environments, make sure each use a different DatabaseId. The DatabaseId is used as part of the table names in Snowflake and SQL Server (in the datatables database). Thus if the DatabaseId is changed, all tables in Snowflake and SQL Server named with qprpa_dt_<DatabaseId>_<DatatableId> need to be renamed. | |
| CacheOnlyPrimaryKeysForFilters | false | Defines whether to include all columns in the Snowflake event cache filter tables (false), or only the primary key columns (true). When false, cache table creation is slower, but the analysis calculation is faster because the original event table is not used anymore. When false, also the cache tables require more storage space in Snowflake. |
Localization Settings
| Name | Default value | Description |
|---|---|---|
| DefaultUiLanguage | en_US | Language code for the UI language that new user accounts get by default. Thus, a created user account has this language until the user changes her/his language. Also the login page is translated using this language when QPR ProcessAnalyzer is used for the first time in that web browser (when user has changed the language, it's remembered by the browser). This setting must be one of the supported language codes (xx_XX):
|
| DefaultDateFormat | MM/dd/yyyy | Default date format that new user accounts get by default. The date format does not contain the time part (e.g. hours, minutes and seconds). Defined using the .Net date format (https://docs.microsoft.com/en-us/dotnet/standard/base-types/custom-date-and-time-format-strings). |
| DefaultFirstDayOfWeek | 0 | Default first day of the week that new user accounts get by default. 0 is Sunday and 1 is Monday. This information is used by the UI when showing e.g. calendars. |
| DefaultUse12HourClock | false | Defines whether the 12-hour clock is used by default (instead of the 24-hour clock) for the new user accounts when showing time information in the UI. Defined as true or false. More information about the 12-hour clock: https://en.wikipedia.org/wiki/12-hour_clock. |
ETL Scripts Settings
| Name | Default value | Description |
|---|---|---|
| AllowExternalDatasources | true | Can be used to disallow all connections to external datasources in the expression language and SQL scripts to improve security. Disallowed operations include ODBC, OLE DB, SQL Server (Ado.Net), SAP, Salesforce, and call web service. Note that this setting does not prevent the Snowflake processing. Regardless of this setting, QPR ScriptLauncher can be used to extract data from source systems. |
| SandboxDatabaseConnectionString | Connection string to scripting sandbox database (ETL). If not defined, SQL-based ETL scripts cannot be run. Connection string for the scripting sandbox database is similar to the QPR ProcessAnalyzer database connection string. More information: Setting up Scripting Sandbox. | |
| AllowNonTemporaryETLTargetTable | false | Defined whether ETL scripts are allowed to create global temporary database tables (tables starting with ##). More information about temporary tables: https://docs.microsoft.com/en-us/sql/t-sql/statements/create-table-transact-sql?view=sql-server-ver15#temporary-tables. |
| DatabaseBulkCopyTimeout | 600 | Timeout used for data import operations to datatables. |
| SandboxDatabaseBulkCopyTimeout | 600 | Timeout used for data import operations to sandbox tables in the SQL scripts. |
| DatabaseBulkCopyBatchSize | 5000 | BulkCopyBatchSize given for QPR ProcessAnalyzer database SqlBulkCopy operations. |
| SandboxDatabaseBulkCopyBatchSize | 5000 | BulkCopyBatchSize given for sandbox SqlBulkCopy operations. |
In-memory Calculation Settings
| Name | Default value | Description |
|---|---|---|
| NumberOfParallelModelReaders | 4 | Models and datatable contents can be loaded with multiple simultaneous connections to the database to speed up the loading. This setting determines how many parallel loaders/readers at maximum (loaders are loading at the same time). For smaller models there are less parallel loaders than the defined limit: If there are less than 100000 rows in the table, there is only one loader. If there are less than 200000 rows in the table, there are only two loaders, and so on.
The more there are parallel loaders, the more processor load and network bandwidth is consumed, and other operations in QPR ProcessAnalyzer might slow down. Note also that the performance optimum is achieved with a certain number of parallel loaders which differs between environment. Thus to achieve the best performance, data loading should be tested with different number of parallel loaders. Increasing number of parallel loaders beyond the optimum decreases the performance. |
| StartupModelLoadingMaxParallelism | 2 | Maximum number of QPR ProcessAnalyzer models that are loaded into memory simultaneously by the Automatic Loading on Server Startup. If there are more models to be loaded on the server startup than this setting, loading for the rest of the models is started one by one when previous model loadings are completed. If this setting is not defined, 2 is used as a default value.
Loading more models at the same time will speed up the whole model loading process, but on the other hand, it causes more load on the system, which affects the system responsiveness for users. Model loading consists of (1) transferring data from the datasource to QPR ProcessAnalyzer and (2) loaded data preprocessing into a model. The former uses mainly network bandwidth (if datasource is in a different server) and the latter uses mainly processor capacity in the QPR ProcessAnalyzer server. This setting affects only the model loading during the server startup and it doesn't restrict models loadings initiated by users. |
SAML 2.0 Federated Authentication Settings
Note that the SAMLMetadataUrl and ServiceProviderLocation are mandatory for the federated authentication to work. Having both ExternalOAuthServerConfiguration and SAML authentication configured at the same time is not supported.
| Name | Description |
|---|---|
| SAMLMetadataUrl |
Metadata URL of the identity provider (IdP). Check that the metadata url can actually be opened using a web browser and is publicly available. The metadata is an XML document starting with <?xml version="1.0" encoding="UTF-8"?> followed by an EntityDescriptor tag. The metadata URL might look https://your.federated.identity.provider.com/saml/metadata. This setting is mandatory for the SAML authentication to work. |
| ServiceProviderLocation |
Specifies the QPR ProcessAnalyzer server location (the root path which contains e.g. the ui folder). It's used by the url to redirect back to QPR ProcessAnalyzer after a successful authentication from the identity provider. The setting is defined in the following form: https://<hostname>/qprpa, for example https://customer.onqpr.com/qprpa. Note that the actual redirect back url is https://<hostname>/qprpa/api/Saml2/Acs (/api/Saml2/Acs is automatically included to the url). This setting is mandatory for the SAML authentication to work. Note that if this reply url is configured the identity provider, it must match with the ServiceProviderLocation setting. |
| SAMLUserIdAttribute |
Name of the SAML attribute in the assertion that will be used as the user's login name. If this field is not defined, the saml:Assertion > saml:Subject > saml:NameID attribute in the assertion is used. If this setting is given, one of the saml:Assertion > saml:AttributeStatement > saml:Attribute elements in the assertion is used (the Name attribute in the saml:Attribute element is used for matching). Please note that the saml:NameID element is different than the usual SAML attributes that are defined by the saml:Attribute elements. For example, if an email address is used as a user id, the value of the setting could be for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. |
| SAMLGroupsAttribute | Attribute name in SAML assertion that is mapped to user groups in QPR ProcessAnalyzer. The user group names are case sensitive. When a user logs in, the user is added to and removed from groups based on the information in the SAML assertion. If this setting is not configured, users are not added to or removed from groups automatically. Note that the user needs to login for the groups to be synchronized. If a group doesn't exist in QPR ProcessAnalyzer, that group is skipped.
In the SAML assertion, attributes are in the saml:Assertion > saml:AttributeStatement > saml:Attribute elements (the Name attribute in the saml:Attribute element is used for matching). |
| SAMLEncryptionCertificate | This setting defines a PFX formatted X.509 certificate (defined in RCF 1422) used to encrypt SAML assertions. The public key of the certificate is published in the service provider metadata, where the identity provider can read it and encrypt SAML assertions. QPR ProcessAnalyzer as the service provider uses the corresponding private key of the certificate to decrypt SAML assertions. The setting needs to be a PFX formatted certificate file that is base64 encoded and it doesn't contain the BEGIN CERTIFICATE etc. header or footer lines. This setting is needed only when using the SAML assertions encryption. Even though this setting is defined, the SAML assertions are not required to be encrypted. More information how to create the certificate file (https://stackoverflow.com/questions/16480846/x-509-private-public-key) and convert it to base64 (https://stackoverflow.com/questions/46959822/base-64-encoded-form-of-the-pfx-file). |
| SAMLSigningCertificate | This setting defines a PFX formatted X.509 certificate (defined in RCF 1422) used to sign SAML authentication requests sent from QPR ProcessAnalyzer to the identity provider. The public key of the certificate is published in the service provider metadata, where the identity provider can read it, to verify the authenticity of the SAML requests. The setting needs to be a PFX formatted certificate file that is base64 encoded and it doesn't contain the BEGIN CERTIFICATE etc. header or footer lines. If this setting is not defined, the internal hard-coded signing certificate is used. More information how to create the certificate file (https://stackoverflow.com/questions/16480846/x-509-private-public-key) and convert it to base64 (https://stackoverflow.com/questions/46959822/base-64-encoded-form-of-the-pfx-file). |
OAuth 2.0 Authentication Settings
Having both ExternalOAuthServerConfiguration and SAML authentication configured at the same time is not supported.
| Name | Description |
|---|---|
| ExternalOAuthServerConfiguration | Used to configure OAuth 2.0 compatible OAuth server settings for server that is used to authenticate the user signing in to ProcessAnalyzer. If not set, external OAuth server will not be used for authentication. If set, contains a string representation of a JSON object that supports the following properties:
Example configuration: {
"Authority": "https://accounts.google.com/",
"Audience": "...",
"ClientSecret": "...",
"UserNameClaim": "name"
}
|
SMTP Server Settings
SMTP server settings are needed for QPR ProcessAnalyzer to send email messages. Email sending is used by the notifications and the SendEmail function in the expression language.
| Name | Description |
|---|---|
| SmtpServer | DNS name, host name or IP address of the SMTP server. Mandatory setting for the email sending to work. |
| SmtpPort | TCP port number of the SMTP server. If not defined, port 25 is used by default. |
| SmtpAuthenticationUsername | User name for authenticating to the SMTP server. If not defined, no authentication is used to connect to the SMTP server. |
| SmtpFromAddress | Email address where email messages sent by QPR ProcessAnalyzer appear to be coming from. This doesn't need to be a real email address, although the address used may affect email spam filters. The setting configured here is the default email address to use in following cases:
|
| SmtpAuthenticationPassword | Password for authenticating to the SMTP server. |
| SmtpEnableSSL | Use value True or False depending whether TLS connection to the SMTP server is used or not. If not defined, False is the default value. |
MCP Server Settings
MCP server settings are needed for QPR ProcessAnalyzer to act as an MCP server.
| Name | Description |
|---|---|
| McpServerConfiguration | Used to configure the MCP server built-in to ProcessAnalyzer server. If not set, MCP server functionality is disabled and MCP clients can't access to this server using MCP. If set, contains a string representation of a JSON object that supports the following properties:
Example value when using API Key authentication: { "McpApiKey": "xnTqr@Hd87JcuCmQZbjUHfwD@" }
Example value when using OAuth 2.0 authentication: { "McpApiKey": null }
Note that when using OAuth 2.0 authentication the BuiltInOAuthServerConfiguration (see below) needs to be defined with an AcceptedAudiences value other than the default. |
| BuiltInOAuthServerConfiguration | Used to configure OAuth 2.0 compatible OAuth server settings for OAuth server built-in to ProcessAnalyzer server. If not set, built-in OAuth server functionality is disabled and clients can't connect to this server using OAuth. If set, contains a string representation of a JSON object that supports the following properties:
Example configuration: {
"Issuer": "",
"AcceptedAudiences": ["qpr-processanalyzer"],
"SigningKey": "",
"TokenLifetime": 3600
}
|
Readonly Information
| Name | Description |
|---|---|
| DatabaseVersion | Database schema version. It will be updated automatically when the newer version of QPR ProcessAnalyzer Server connects to the database and performs migration for the database schema. |
| InitializationScriptDatabaseVersion | Database version that was when the database was initialized when the software was installed. Do not change this setting. |
| MinimumDatabaseVersion | Minimum allowed database version for QPR ProcessAnalyzer Server connecting to the database. This is a legacy setting and it should not be used. |