On-Demand Policy Guide
This guide provides information about the various policies and practices employed by SugarCRM's On-Demand SaaS service.
Integrating with Sugar On-Demand
SugarCRM is actively moving towards a middleware integration policy. The recommended and safest mechanism for integrating with Sugar is through the use of our REST APIs. The current integration method using module-loadable packages is problematic for a number of reasons. Module-loadable packages are not being deprecated at present, however, we are working towards a model where they can be removed in the future. Module-loadable packages can call private, internal application APIs that are not guaranteed to behave the same between releases. This deep-linking model causes issues for both SugarCRM and the independent software vendor because there is no well-defined, testable surface area that can be tested between releases to ensure compatibility for integrations.
We recognize that not all of the hooks are present today to accomplish everything using middleware. Please help us to ensure that we are providing the necessary hooks by raising bugs and enhancement requests where appropriate. We believe that most customizations can be achieved through a combination of robust APIs and web hook-based callbacks.
Third-party modules installed in a hosted environment decrease overall security, as running untrusted code will always increase the surface area for attack. At present, we support dynamically loadable modules in our On-Demand environment provided they are compatible with the Package Scanner. Disabling the Package Scanner in a Sugar On-Demand instance is strictly forbidden and constitutes a violation of the Sugar Master Subscription Agreement.
It is expected that all customized files in an On-Demand instance are installed via Module Loader. The Sugar Support team will not execute requests to copy individual files into an On-Demand instance.
The Package Scanner provides a mechanism to blacklist certain function and method calls which cause performance problems or could potentially be used to bypass security mechanisms in the hosted environment. If you wish to deploy your customization to an On-Demand instance, it is imperative that you test loading it with Package Scanner enabled and work around any issues raised. You can enable Package Scanner in your local development environment by setting the following in the
$sugar_config['moduleInstaller']['packageScan'] = true;
For details on the Package Scanner and a listing of blacklisted functions, please visit the Developer Guide specific to your version:
You should note that Sugar On-Demand does not allow the overwriting of Sugar core files with customized versions. In addition to blacklisted functions, for support reasons, we do not allow any modules that permit arbitrary SQL commands to be run against a Sugar database. Should we find such a module we will remove it immediately and without warning.
- When integrating with services that make use of SSL or TLS, such as LDAP or SMTP servers, certificate validation is enforced in Sugar On-Demand. Any certificates used must be issued by an industry recognized Certificate Authority with a valid trust hierarchy.
- All inbound entryPoints must be authenticated.
- Outbound HTTP connections must have timeouts under 1 second.
- Batch API access should reuse a session rather than performing a login for every call.
- In On-Demand, Sugar is deployed with the PHP
- This configuration setting limits which files can be accessed from PHP to a predefined list of directories.
- This is an important setting that helps to keep your data secure.
- A side effect of
open_basediris that the ability for curl to follow HTTP redirects is disabled. Attempts to set
CURLOPT_FOLLOWLOCATIONwill cause PHP failures.
- Sugar On-Demand runs a Linux operating system with a case-sensitive file system. Windows- or OSX-based developers should verify that their customizations function appropriately when case sensitive file systems are utilized.
- Sugar On-Demand does not allow customers to relay email through SugarCRM SMTP servers. In order to configure your own SMTP servers please refer to the article Configuring Your SMTP Server to Work With On-Demand.
- All MySQL tables must use the InnoDB storage engine. MyISAM tables are not permitted in order to maintain data integrity.
- File names should only consist of UTF-8 characters. Non-UTF-8 characters in file names are not supported.
- Sugar On-Demand does not enable support for htaccess. As such, no changes to htaccess rules are permitted in On-Demand.
- Sugar On-Demand scheduled jobs within an instance are limited to a maximum runtime of 30 minutes.
Enforced Configuration Parameters
The following configuration parameters are enforced in the On-Demand environment for performance and security reasons. Should you require a setting to be temporarily changed on an On-Demand production environment, you must open a support case. To change any of these default settings on a backup or sandbox environment, you must be a developer with access to the config.php file. To see a description of the setting as well as other potential values, click on the parameter name in the table below.
In addition to Module Loader, the Package Scanner is also used during the migration procedure. When an on-site instance is migrated to On-Demand, the following procedure is followed:
- Only currently supported versions of Sugar 7.x can be migrated to Sugar On-Demand. For the current list of supported software, consult the list of supported versions. If you are running Sugar 6.x, you will need to perform the upgrade to 7.x before providing the required files and database to our team for migration.
- All backups must consist of the MySQL dump and an accompanying file system in TAR format. Detailed instructions for creating backups are located in the Recommended Backup Procedure section of this documentation.
- The customer or partner should open a support case to provision an FTP site to upload the customer's instance to and coordinate the migration process. We require at least seven (7) calendar days' advanced notice for a requested migration to ensure the desired date and time can be accommodated. This notice should be provided in the form of a support case.
- When requesting a migration, we ask you to provide the following details to ensure we can ensure the appropriate resources are allocated for your On-Demand instance:
- Instance total file size
- Instance total database size
- Total active users in the instance and estimated maximum concurrent users in the instance
- Primary business use(s) for the instance (e.g. sales, call center, marketing campaigns, etc.)
- Integrations installed on the instance
- Description of any external services connecting to the application via API
- Once the FTP account is provided, the instance files and the database should be uploaded at the desired date and time.
- Sugar performs several tasks with the provided files:
- All instance core files are replaced with stock versions.
- Config values located in
./config_override.phpare replaced to reflect values required by On-Demand. For more information, please refer to the Enforced Configuration Parameters section of this documentation.
- All non-core files are scanned using the latest version of the Package Scanner.
- If any files are found that do no not pass the Package Scanner, the migration will be rejected. Upon rejection, the case is updated to indicate the reason for rejection. The customer should correct the issue and upload a new backup.
- If the instance passes Package Scanner, the instance will be upgraded to the latest version of Sugar.
- Full-text search will be configured and a full system index will be triggered.
Recommended Backup Procedure
Migrating a Sugar instance from on-site to On-Demand is a straightforward, two-step process: packaging the instance database and packaging the instance file system.
Sugar On-Demand does not support using custom database triggers or stored procedures, so confirm that your instance does not have any customizations that require them. Once you are sure that your instance does not use triggers or procedures, you can make a dump of the database with the following command, where DATABASE_NAME is the name of your Sugar instance's database:
mysqldump --no-create-db --routine DATABASE_NAME > db_dump.timestamp.sql
Do not use
--skip-dump-date, as these options will cause your database to fail the import process.
Once the dump has completed, check the last line of the dump file and confirm the presence of a date/time stamp showing when the dump file was created. You can then compress it with gzip or zip. We will not accept other compression formats.
Similarly, you can package and compress the file system using tar and gzip, or zip. Again, we will only accept these formats. To package the file system, use one of the two commands below, where SUGARPATH is the path to your instance's parent directory, and SUGARDIR is the directory containing your Sugar instance:
Tar + Gzip:
cd SUGARPATH tar czf filesystem.timestamp.tar.gz SUGARDIR
cd SUGARPATH zip -r filesystem.timestamp.zip SUGARDIR
Logging can dramatically affect performance. It is imperative that your integrations do not log anything but fatal errors at the fatal log level. On-Demand instances are run at the fatal log level to minimize the logger's impact on performance. Please note that the Logger Settings panel in Admin > System Settings is not available in On-Demand instances.
Should you require a log level to be temporarily changed on an On-Demand production environment, you must open a support case. Running instances in debug mode is expressly forbidden in the On-Demand environment for performance reasons. Please note that it is also forbidden for integrations to change the log level directly.
File System and Database Size Limits
All On-Demand instances are subject to disk utilization limitations. We measure disk utilization as follows:
- The file system and on-disk database sizes for all instances associated with a given license key are summed together.
- Sandboxes are also counted in this total.
- Should the sum exceed the licensed amount of storage, the customer will be contacted and offered storage uplifts or an opportunity to reduce disk consumption.
- There is currently no mechanism for the customer to view their usage directly so the best way to accomplish this is through a support case.
Database Update Requests
On-Demand customers do not have direct access to the database supporting their instance, and it is forbidden to install any utility which circumvents this restriction. Occasionally, there may be a need for direct database queries to be run against an On-Demand instance, and if this needed, please open a support case. When opening a case, please observe the following guidelines for these types of requests:
- It is the responsibility of the customer and/or partner to develop the desired database queries for the Sugar Support team to run.
- Requests should be submitted a minimum of 1 business day before the request needs to be completed. Depending on the volume of database queries that need to be performed, additional lead time may be necessary to complete the request.
- All database queries should be submitted in a .sql file attached as a note to the case, or if larger in size, via an FTP account that will be provided by Sugar Support. Please archive any .sql file larger than 1 MB. We will not accept files hosted on an external FTP account or URL.
- Recurring requests will not be accepted as these requests should leverage our supported APIs to complete.
- Please indicate the nature of the database queries the Sugar Support team is expected to perform:
- UPDATE, INSERT, and/or DELETE statements are the only queries the Sugar Support team will perform.
- Please indicate if any of the statements involve table joins as that will require additional analysis to ensure they are optimized and will not impact server performance.
- Sugar On-Demand does not support using custom database triggers or stored procedures, and any requests to perform queries creating these properties will be rejected.
Activities within an On-Demand instance are expected to be performant and not exceed a maximum number of requests per second to ensure a stable environment. SugarCRM reserves the right to block traffic to an On-Demand instance when one or both of the following scenarios are impacting the stability of the On-Demand environment:
- Traffic in excess of 20 requests per second
- Inefficient requests (e.g. non-optimized database queries, unsupported APIs, etc.)
In the event that SugarCRM detects one of the above scenarios impacting your instance, the following actions will be taken:
- Traffic from the offending IP address(es) to the On-Demand environment will be temporarily blocked
- A support case detailing the reasons for the restriction will be opened under your account if one does not already exist
- The Sugar Support team will contact you to advise of the temporary traffic restriction and work with you to resolve the issue
- Once you confirm the traffic issue to be remedied, the temporary restriction will be lifted and traffic will be closely monitored to ensure no recurrence of the behavior
In the event that you expect to perform a temporary action which would exceed 20 requests per second or you expect your traffic to exceed this rate on an ongoing basis, we require advance notice of the action as follows:
- A case is created with the following information a minimum of 7 calendar days before the increased activity is to take place:
- Start date and time of the activity and expected duration
- Direct phone and email contact information for the individual coordinating or performing the activity
- Specific details of activity including advanced agreement on limits for requests per second, concurrency, and the originating IP address(es) of the activity
- Details of any external integrations to be utilized
- During the activity period, SugarCRM staff will monitor the database and web servers for potential issues.
- Should issues arise, our staff will contact the individual performing the activity and ask them to immediately cease.
Load testing of an On-Demand instance is permitted only if the following conditions are met:
- A case is created with the following information a minimum of 7 calendar days before the load test is to take place:
- Load test date and time
- Direct phone and email contact information for the individual performing the testing
- Specific details of test including advanced agreement on limits for requests per second, concurrency, and the specific workflows to be tested
- Details of any external integrations to be tested
- During the load testing, SugarCRM staff will monitor the database and web servers for potential issues.
- Should issues arise, our staff will contact the individual performing the load test and ask them to immediately cease.
No load testing will be permitted without explicit written sign off from Sugar Support. In addition to load testing, you are required to notify us of any expected, significant upticks in general usage, which is defined as any increase of more than 10%.
Penetration testing of an On-Demand instance is permitted only if the following conditions are met:
- A case is created with the following information a minimum of 7 calendar days before the penetration test is to take place:
- Penetration test date and time
- Direct phone and email contact information for the individual performing the testing
- Agreement to share the results with SugarCRM at the conclusion of the penetration test
- Agreement that the results of the test are bound by our NDA and are non-disclosable to any other parties
- During the penetration testing, SugarCRM staff will monitor the database and web servers for potential issues.
- Should issues arise, our staff will contact the individual performing the penetration test and ask them to immediately cease.
No penetration testing will be permitted without explicit written sign off from Sugar Support. In addition to penetration testing, you are required to notify us of any expected, significant upticks in general usage, which is defined as any increase of more than 10%.
On-Demand sandboxes will only be provisioned for customers with valid sandbox licenses. Depending on your Sugar edition, a certain number of sandboxes may already be included. Should you require additional sandboxes, they must be purchased through the orders desk. If your subscription includes a sandbox, we do not automatically provision the sandbox instance. Please file a support case to have a permanent sandbox created for your instance.
By default, cron jobs are not set to run on sandbox instances to avoid scenarios where the sandbox instance executes a scheduled job (e.g. inbound email retrieval) that should have been processed by the customer's production instance.
As a reminder, the file and database storage used by a sandbox is counted towards a customer's overall On-Demand storage limit.
For critical On-Demand events such as major upgrades and maintenance windows, SugarCRM sends an email alert to all administrative users with a valid email address configured in the On-Demand Sugar instance. On-Demand customers running Sugar 7.6 or later can specify additional email addresses for alerts so that your Sugar partner, IT team members, sales managers, etc. may stay abreast of key events without occupying an administrative license in your instance.
Follow these steps to manage the email addresses that receive critical On-Demand notifications:
- Navigate to Admin > Notification Settings.
Note: If you do not see this option, please view your instance's About page to confirm you are running Sugar 7.6 or later. If you confirm you are running a compatible version, please file a support case.
- Add or remove any email addresses that should receive critical On-Demand notifications. Do not add email addresses that are already associated with an administrative user's profile in your instance, as they are automatically sent On-Demand notifications.
- Click the Save button.
SugarCRM provides seven days of notice for major upgrades. Major upgrades are any upgrade in which either of the first two digits of the version number will change. An email is sent out seven days in advance of the upgrade to all configured email addresses as described in the On-Demand Communications section of this documentation. If the proposed upgrade date and time are not amenable to your business needs, you have the option to extend that date by up to 7 calendar days. Upgrade extensions must be requested by opening a support case. At this time, it is not possible to opt out of an upgrade as we ensure a stable, common environment for all customers hosted On-Demand.
Please note that SugarCRM requires all On-Demand customer instances to run on a supported version of Sugar. When running a supported version (e.g. 6.5.x), customers may still be required to upgrade to a more recent version (e.g. 7.7.x) of Sugar to remain in the On-Demand environment. These upgrade requirements ensure we are able to prevent exposure to known security vulnerabilities and maintain an optimal hosting environment for our customers.
Instances with no configured email addresses set up will not receive prior notice for upgrades. Minor upgrades, defined as any upgrade in which either of the first two digits do not change, do not currently trigger a notification.
For more information, please refer to the Upgrading On-Demand Instances knowledge base article.
Backup Storage Policy
SugarCRM backs up all hosted production instances on a nightly basis. All active instances are backed up nightly and each of those backups are retained for 30 days. In addition, backups are taken immediately preceding upgrades and are also retained for a 30-day period. Please note that backups cannot be made available for instances hosted in SugarCRM's demo environment and nightly backups of these instances are not performed.
For our production On-Demand environment, backups can be made available for you to download via the Backups module at a frequency determined by your edition of Sugar. If your current version of Sugar does not have the Backups module enabled yet, open a support case. If, once enabled, the specific backup you require is not available in the Backups module, you can also open a case to request it.
If a customer either migrates from On-Demand to an On-Site deployment or allows their subscription with SugarCRM to expire, their On-Demand instance will be archived. Once archived, a final backup of the instance will be retained for a period of 90 days at which point, the instance files and data will be completely deleted. If this instance data is needed within the 90-day timeframe, please open a support case, or if you are no longer a customer, email email@example.com to request the files.
Security Patch and Communication Process
Upon discovering a security vulnerability, a fix will be developed by our engineering department. Following the successful testing of the fix by our quality assurance department, a hotfix will be developed. The On-Demand hotfix deployment process then begins immediately.
SugarCRM maintains a standard weekly maintenance window from 00:01 UTC to 09:00 UTC on Sundays.
For maintenance which will involve downtime, an email communication will be sent to administrative users of affected instances 3 days prior to the event.
Unscheduled Maintenance and Downtime
Customers can always check the current status at http://status.sugarcrm.com. Details on current status are updated in near real-time.
Last modified: 06/12/2017 12:45pm