Use a Secure Agent group as the runtime environment when you need to access data on-premises or when you want to access data in a cloud computing services environment without using the Hosted Agent. When you select a Secure Agent group as the runtime environment for a connection or task, a Secure Agent within the group runs the tasks.
Create Secure Agent groups to accomplish the following goals:
Prevent the activities of one department from affecting another department.
To prevent the activities of one department from impacting a different department, create separate Secure Agent groups for each department. For example, users in the sales department run 10 times as many tasks as users in the finance department, but the finance tasks are more time critical. To prevent the sales tasks from impacting the finance tasks, create separate Secure Agent groups for each department. Then assign the sales tasks to one runtime environment and the finance tasks to the other runtime environment.
Separate tasks by environment.
You can create different Secure Agent groups for test and production environments. When you configure a connection, you can associate it with the test or production database by choosing the appropriate Secure Agent group as the runtime environment.
When you create a Secure Agent group, all users in the organization can select the Secure Agent group as the runtime environment.
You can add and remove Secure Agents from a group. Based on your license, you can also perform the following actions:
•If you have the Secure Agent Cluster license, you can add multiple agents to a Secure Agent group.
•If you have the Organization Hierarchy license, you can share a Secure Agent group with your sub-organizations.
Note: If you use the runtime environment to run a mapping task that is based on an elastic mapping, the Secure Agent group must have only one Secure Agent.
If you need to access output files on the Secure Agent machine, you can view the All Jobs page in Monitor or the My Jobs page in Data Integration to determine where a task ran.
Secure Agent groups with multiple agents
When you create a Secure Agent, it is added to its own group by default. If you have the Secure Agent Cluster license, you can add multiple agents to one Secure Agent group. All agents within a group must be of the same type, for example, all agents that run within your network or all agents that run on Amazon EC2 machines.
Add multiple agents to a group to achieve the following goals:
Balance the workload across machines.
Add multiple agents to a group to balance the distribution of tasks across machines. When the runtime environment is a Secure Agent group with multiple agents, the group dispatches tasks to the available agents in a round-robin fashion.
Improve scalability for connections and tasks.
When you create a connection or task, you select the runtime environment to use. If the runtime environment is a Secure Agent group with multiple agents, the tasks can run if any Secure Agent in the group is up and running. You do not need to change connection or task properties when you add or remove an agent or if an agent in the group stops running.
When you add multiple agents to a group, ensure that all of the Secure Agents are of the same type. For example, your organization installs four Secure Agents on physical machines within your network and two Secure Agents on Amazon EC2 machines. You can create a Secure Agent group that contains some or all of the local agents and a different group that contains the EC2 agents. Do not create a group that contains both a local agent and an EC2 agent.
If you need to access output files on the Secure Agent machine, you can view the job details to determine which Secure Agent ran the task. To view job details, open Monitor, select All Jobs, and click the job name.
Service assignment for Secure Agent groups
By default, when you create a Secure Agent group, all services that your organization uses can use the group. If your organization uses multiple services, the demand on the Secure Agent group can be high. To reduce the potential demand on a Secure Agent group, you can enable and disable specific Secure Agent services for the group.
The services that you enable and disable for a Secure Agent group are the Secure Agent services, which are different from the Informatica Intelligent Cloud Services. For example, if you want to use the agents in a group only for Operational Insights, enable the OI Data Collector service for the group and disable all other services. For more information about Secure Agent services, see Secure Agent services.
You can perform the following actions:
Enable services for a Secure Agent group.
Enable services when you want the agents in the group to run the connections, tasks, processes, or product features associated with a service or set of services. When you enable a service, the service starts on each agent in the Secure Agent group.
Disable services for a Secure Agent group.
Disable services when you do not want the agents in the group to run the connections, tasks, processes, or product features associated with a service or set of services. When you disable a service, the service stops on each agent in the Secure Agent group. Any connection, task, process, or product feature that uses the Secure Agent group as the runtime environment no longer runs.
Enable or disable services for a Secure Agent group on the Runtime Environments page.
The following image shows the Runtime Environments page:
The Enabled Services column indicates which services are enabled for the Secure Agent group. The Enabled Services column for the Hosted Agent lists all Secure Agent services that your organization is licensed to use. To enable or disable a service, expand the Actions menu for the Secure Agent group, and select Enable or Disable Services.
After you make service assignments for a Secure Agent group, you might add or remove agents. When you add a Secure Agent to a group, the agent inherits the service assignments of the group that you add it to.
Example
Your organization uses Data Integration and has licenses for mass ingestion and for Enterprise Data Catalog data discovery. The organization uses the following Secure Agent groups:
By default, users in your organization can select any group as the runtime environment for any connection or any task, including file ingestion tasks. An administrator can also select any group as the runtime environment for integration with Enterprise Data Catalog.
To balance the load across Secure Agent groups, you want might want to reserve Group 1 for Data Integration tasks except file ingestion tasks, Group 2 for file ingestion tasks, and Group 3 for data catalog discovery.
Therefore, you enable and disable the following Secure Agent services:
Secure Agent Group
Enabled Services
Disabled Services
Group 1
Data Integration Server
Mass Ingestion, EDC Search Agent
Group 2
Mass Ingestion
Data Integration Server, EDC Search Agent
Group 3
EDC Search Agent
Data Integration Server, Mass Ingestion
To avoid task and feature failures, you must also verify the following settings:
•All Data Integration tasks except file ingestion tasks use Group 1 as the runtime environment. All connections that these tasks use also use Group 1 as the runtime environment.
•All file ingestion tasks use Group 2 as the runtime environment. All connections that these tasks use also use Group 2 as the runtime environment.
•On the Organization page in Administrator, the Enterprise Data Catalog integration properties use Group 3 as the runtime environment.
Service assignment guidelines
Use the following guidelines when you enable and disable services for a Secure Agent group:
•Before you disable a service, verify that no connection, task, or process that uses the group as the runtime environment requires the service.
If a connection, task, or process has a Secure Agent group selected as the runtime environment and you disable a required service, the task or process cannot run. For example, the connection for a mapping source uses runtime environment RuntimeEnv1. If you disable Data Integration Server on RuntimeEnv1, the mapping task fails at run time.
•Before you disable a service, verify that no feature that uses the group as the runtime environment requires the service.
If a feature has a Secure Agent group selected as the runtime environment and you disable a required service, the feature cannot be used. For example, the runtime environment for Enterprise Data Catalog integration is set to RuntimeEnv2. If you disable EDC Search Service on RuntimeEnv2, you can no longer perform data catalog discovery.
•When you create a connection, select a runtime environment in which the required services are enabled.
For example, you want to create an Advanced SFTP connection for a file ingestion task target. When you create the connection, select a runtime environment in which the Mass Ingestion service is enabled.
•Do not disable a service to temporarily stop the service on a Secure Agent. For information about temporarily stopping a service on a Secure Agent, see Stopping and starting services on a Secure Agent.
Shared Secure Agent groups
If you are the administrator of a parent organization, you can share a Secure Agent group with the sub-organizations. When you share a Secure Agent group, all sub-organizations can run data integration jobs on the Secure Agents within the group.
Note: Share a Secure Agent group when all agents in the group run only the Data Integration Server service. You cannot run non-data integration jobs on a shared Secure Agent group.
Share a Secure Agent group to optimize the use of available Secure Agent resources. For example, your organization contains separate sub-organizations for departments in different time zones. Each sub-organization runs data integration tasks at different times of the day. If you create one Secure Agent group for each sub-organization, some Secure Agent groups might be used heavily at certain times of the day while others remain idle. To distribute the tasks more evenly, add the Secure Agents to a Secure Agent group, and share the Secure Agent group with the sub-organizations.
To share a Secure Agent group, you must have the appropriate license.
When you share a Secure Agent group, the group appears on the Runtime Environments page in all sub-organizations. The sub-organization administrators cannot view the Secure Agents within the group. They cannot perform management tasks on the group such as adding or deleting Secure Agents, renaming, deleting, or unsharing the group, or changing the group permissions.
When a user in the sub-organization creates a connection or task, the user can select the shared Secure Agent group as the runtime environment.
Flat file connections in shared Secure Agent groups
If a shared Secure Agent group contains multiple Secure Agents and the group is used as the runtime environment for a flat file connection, the directory used in the connection must be accessible by all Secure Agents in the group.
If the directory is not accessible by all Secure Agents, tasks that use the connection fail if they are assigned to a Secure Agent that cannot access the directory.
Working with Secure Agent groups
Create Secure Agent groups on the Runtime Environments page. After you create a Secure Agent group, you can rename or delete the group, add and remove Secure Agents, and change group permissions.
You can complete the following tasks:
Create a Secure Agent group.
To create a Secure Agent group, click New Runtime Environment and enter a name for the group. After you create a group, you can add Secure Agents to the group.
Rename a Secure Agent group.
To rename a Secure Agent group, expand the Actions menu, select Rename Secure Agent Group, and enter a new name for the group. Informatica Intelligent Cloud Services updates the group name in all services that use the group.
Enable or disable services for a Secure Agent group.
To enable or disable services for a Secure Agent group, expand the Actions menu, select Enable or Disable Services, and select the services to enable or disable. You can enable or disable any service that your organization is licensed to use.
Note: Before you disable a service, verify that no connection, task, or process that uses the group as the runtime environment requires the service. If a connection, task, or process has a Secure Agent group selected as the runtime environment and you disable a required service, the task or process cannot run. Similarly, if a feature has a Secure Agent group selected as the runtime environment and you disable a required service, the feature cannot be used.
Add Secure Agents to a group.
To add Secure Agents to a group, expand the Actions menu and select Add or Remove Secure Agents. You can add any agent that is in the Unassigned Agents group on the Runtime Environments page.
Alternatively, you can add a new Secure Agent to an existing group by setting the InfaAgent.GroupName property in the infaagent.ini file before you register the agent.
When you add more than one Secure Agent to a Secure Agent group, all agents must meet the following requirements:
- All of the agents must be of the same type, for example, all local agents or all agents that run on Amazon EC2 machines.
- Each Secure Agent must be configured to connect to the same external systems and have access to files such as libraries, initialization files, and JAR files.
- Each Secure Agent must have access to the files used in tasks. Ensure that all files used in a task are available in a shared location.
Remove Secure Agents from a group.
To remove Secure Agents from a group, expand the Actions menu and select Add or Remove Secure Agents. When you remove an agent from a group, Informatica Intelligent Cloud Services adds it to a group named "Unassigned Agents."
You can remove an agent from a Secure Agent group if the group is not used as the runtime environment for a connection or task. If the group is used, you can remove an agent if it is not the only agent in the group.
Delete a Secure Agent group.
To delete Secure Agent group, expand the Actions menu and select Delete Secure Agent Group. You can delete a Secure Agent group if it does not contain any Secure Agents.
If the Secure Agent group is associated with an elastic configuration and the elastic cluster is running, you must stop the cluster and associate the configuration with a different runtime environment before you can delete the group.
Share or unshare a Secure Agent group.
If you are the administrator of a parent organization, you can share a Secure Agent group so that the sub-organizations can use it. You can unshare a group if it is not used in a connection or task. From the Actions menu associated with the group, choose Share Secure Agent Group or Unshare Secure Agent Group.
Change permissions for a Secure Agent group.
To change permissions for a Secure Agent group, expand the Actions menu and select Change Permissions. You can define permissions for a Secure Agent group for each user group in your organization.
You can set the following permissions:
Permission
Description
Read
View details about the Secure Agent group and use the Secure Agent group in a task.
Update
Edit the Secure Agent group.
Delete
Delete the Secure Agent group.
Change
Change permissions for the Secure Agent group.
Adding a Secure Agent to a group
You can add any available Secure Agent to a Secure Agent group. Available agents appear in the "Unassigned Agents" group on the Runtime Environments page. You cannot add a Secure Agent to a group if the agent has already been added to another group.
1In Administrator, select Runtime Environments.
2Expand the Actions menu for the Secure Agent group, and select Add or Remove Secure Agents.
3In the Available Agents list, enable the checkbox for the Secure Agents that you want to add to the group.
If no agent names are enabled in the Available Agents list, then all agents are added to other groups. You must remove an agent from a group before you can add it to a different group.
When you enable a checkbox, the Secure Agent appears in the Selected Agents list, as shown in the following image:
4Click Select.
Adding a new Secure Agent to an existing group
You can add a Secure Agent to an existing Secure Agent group when you install the agent. To add a Secure Agent to an existing group, add the InfaAgent.GroupName property to the infaagent.ini file before you register the agent.
1Install the Secure Agent.
2On Windows, when you are prompted to register the agent, open Windows Services and stop the agent.
On Linux, when the installation program finishes, do not start the agent.
3Open <Secure Agent installation directory>/apps/agentcore/conf/infaagent.ini in a text editor.
4Add the following property and save the file:
InfaAgent.GroupName=<Secure Agent group name>
5Start the agent.
6Register the agent.
Informatica Intelligent Cloud Services adds the Secure Agent to the group you specify in the InfaAgent.GroupName property instead of a new group.
Removing a Secure Agent from a group
You can remove an agent from a Secure Agent group if the group is not used in a connection or task. If the group is used in a connection or task, you can remove an agent if it is not the only agent in the group. When you remove a Secure Agent from a group, Informatica Intelligent Cloud Services adds it to a group named "Unassigned Agents."
1In Administrator, select Runtime Environments.
2Expand the Actions menu for the Secure Agent group, and select Add or Remove Secure Agents.
3In the Selected Agents list, select the agents that you want to remove from the group, and click X.
The check box for each agent that you remove is disabled and the Secure Agents no longer appear in the Selected Agents list, as shown in the following image:
4Click Select.
The Secure Agent appears in the "Unassigned Agents" group on the Runtime Environments page.
Viewing Secure Agent group dependencies
You can view object dependencies for Secure Agent groups.
When you view dependencies for a Secure Agent group, Administrator lists the connections and assets in each service that use the group as the runtime environment.
To view object dependencies for a Secure Agent Group, expand the Actions menu and select Show Dependencies.
The following image shows the Dependencies page for a Secure Agent group:
To sort the objects that appear on the page, click the sort icon and select the column name for the property you want to sort by.
To filter the objects that appear on the dependencies page, click the Filter icon. Use filters to find specific objects. To apply a filter, click Add Field, select the property to filter by, and then enter the property value. You can specify multiple filters. For example, to find connections with Oracle in the name, add the Type filter and specify Connection. Then add the Name filter and enter "Oracle."
