Phase 1.3 Production Population Runbook
Purpose: Populate Phase 1.3 identity resolution tables (dim_agent_identity_admin, dim_agent_pepm_agent_map) in production using admin API endpoints.
Prerequisites:
- Phase 1.3 code deployed to production
- Admin/CEO role access to
/api/v1/admin/identity/*endpoints - BigQuery access to
payroll-bi-gauntletproject - JWT authentication token with admin/CEO role
Overview
Phase 1.3 introduces two admin-managed tables for identity resolution:dim_agent_pepm_agent_map: Maps PEPM sheet names →agent_key(one-time mapping)dim_agent_identity_admin: Admin overrides for identity resolution (optional, as-needed)
Step 1: Derive Tenant-Relevant PEPM Pairs
Goal: Identify PEPM agent/business combinations that actually appear in production data for the tenant.Option A: Query Stage3 Snapshots (Recommended)
Querystage3_snapshots for the tenant and last closed period to find agent/business pairs that need PEPM mappings:
@tenant_id:'creative_benefit_strategies'@period_label: Last closed period (e.g.,DATE('2025-11-01'))
(pepm_agent_name_norm, pepm_business_name_norm, agent_id) tuples that need mappings.
Option B: Query Multiple Recent Periods
For more comprehensive coverage, query multiple recent periods:Step 2: Resolve agent_key for Each PEPM Pair
Goal: For each PEPM pair, determine the correct agent_key from dim_agent_identity.
Query dim_agent_identity to Find Matching agent_key
agent_id doesn’t match exactly, you may need to:
- Check
display_namematches (case-insensitive) - Check
aliasesarray for matches - Manually resolve ambiguous cases
pepm_agent_name_norm: Normalized PEPM agent namepepm_business_name_norm: Normalized PEPM business nameagent_key: Resolvedagent_keyfromdim_agent_identityresolved_agent_id: Optional, informational only (can be NULL)match_source:'initial_mapping'(or'admin_override'if manually corrected)
Step 3: Generate Mapping Candidates (Read-Only)
Goal: Create a review document with all mapping candidates before applying. Create a CSV or JSON file with candidate mappings:- All PEPM pairs have valid
agent_keyvalues -
pepm_agent_name_normmatches normalization:UPPER(TRIM(CONCAT(agent_first_name, ' ', agent_last_name))) -
pepm_business_name_normmatches normalization:UPPER(TRIM(business_name)) -
effective_start_dateis set to earliest period (e.g.,2024-01-01) -
reasonfield is non-empty and descriptive - No duplicate
(pepm_agent_name_norm, pepm_business_name_norm)pairs
Step 4: Admin Review and Approval
Goal: Review mapping candidates before applying to production. Review Process:- Spot-check 5-10 mappings against source PEPM data
- Verify
agent_keyresolution is correct - Confirm no ambiguous mappings (one
agent_keyper PEPM pair) - Approve mapping list for production
Step 5: Apply Mappings via Admin API
Goal: Create PEPM mappings using/api/v1/admin/identity/pepm-map endpoint.
Endpoint Details
URL:POST /api/v1/admin/identity/pepm-map
Authentication: JWT token with admin or ceo role
Request Body Schema (PEPMAgentMapCreate):
pepm_agent_name_norm: STRING (normalized:UPPER(TRIM(CONCAT(agent_first_name, ' ', agent_last_name))))pepm_business_name_norm: STRING (normalized:UPPER(TRIM(business_name)))agent_key: STRING (must exist indim_agent_identity)match_source: STRING ('admin_override'|'initial_mapping'|'auto_resolved')effective_start_date: DATE (e.g.,"2024-01-01")reason: STRING (min_length=1, required for audit)
resolved_agent_id: STRING (informational only, can be NULL)effective_end_date: DATE (NULL = active)is_active: BOOL (default:true)notes: STRING (optional)
PEPMAgentMapResponse):
override_id from each response for audit trail.
Example cURL Request
Batch Application Script
For large numbers of mappings, create a script to apply them sequentially:Step 6: Optional - Create Identity Admin Overrides
Goal: Create identity admin overrides if needed (optional, as-needed basis).Endpoint Details
URL:POST /api/v1/admin/identity/agent
Request Body Schema (AgentIdentityAdminCreate):
canonical_agent_id: STRING (canonical agent_id this override resolves to)display_name: STRING (canonical display name, normalized: UPPER, TRIM)effective_start_date: DATEreason: STRING (min_length=1, required for audit)
agent_key: STRING (optional, may be set by admin override)upstream_agent_id: STRING (compatibility mirror of canonical_agent_id)effective_end_date: DATE (NULL = active)is_active: BOOL (default:true)notes: STRING
AgentIdentityAdminResponse):
Step 7: Capture Audit Artifacts
Goal: Document all created mappings for audit trail.Required Artifacts
-
Mapping Creation Log:
- Filename:
phase1_3_population_audit_YYYYMMDD_HHMMSS.json - Location:
integration/bigquery/outputs/phase1_3_population/ - Contents:
- Filename:
-
Approval Document:
- Filename:
phase1_3_mapping_approval_YYYYMMDD_HHMMSS.md - Contents: Reviewer name, approval timestamp, mapping candidate summary
- Filename:
- Validation Results (see Step 8)
Step 8: Run Production Validation
Goal: Verify all validation gates pass after population.Execute Validation SQL
Expected Validation Results
All validation gates must return0:
Step 9: Rollback/Closure Procedure
Goal: Close (not delete) incorrect mappings using end-exclusive window logic.Close a PEPM Mapping
Endpoint:PUT /api/v1/admin/identity/pepm-map
Request Body Schema (PEPMAgentMapUpdate):
override_id: STRING (UUID from original POST response)
effective_end_date: DATE (set to closure date, end-exclusive)is_active: BOOL (set tofalseto mark inactive)notes: STRING (explanation for closure)
- Setting
effective_end_date = '2025-12-01'means the mapping is active foreffective_start_date <= as_of_date < '2025-12-01' - For
as_of_date = '2025-12-01'or later, the mapping is not active
Close an Identity Admin Override
Endpoint:PUT /api/v1/admin/identity/agent
Request Body Schema (AgentIdentityAdminUpdate):
UPDATE to set effective_end_date and is_active = false. This preserves audit trail and allows overlap validation to work correctly.
Pass/Fail Criteria
Pass Conditions (All Required)
-
All validation gates = 0:
unmapped_pepm_count = 0(all tenant-relevant PEPM rows mapped)identity_overlap_count = 0(no overlapping admin overrides)pepm_overlap_count = 0(no overlapping PEPM mappings)ambiguous_pepm_count = 0(unambiguous PEPM resolution)ambiguous_identity_count = 0(unambiguous identity resolution)missing_fk_count = 0(allagent_keyreferences valid)
-
Non-empty data present:
- At least 5 PEPM mappings created
- All mappings have valid
agent_keyvalues - All mappings have non-empty
reasonfields
-
Audit artifacts retained:
- Mapping creation log with
override_ids - Approval document
- Validation results JSON
- Mapping creation log with
- No errors during API calls or validation SQL execution
Fail Conditions
- Any validation count > 0
- Missing
override_ids in audit log - API errors during mapping creation
- SQL execution errors during validation
Artifacts to Retain for Audit
-
Mapping Creation Log (
phase1_3_population_audit_YYYYMMDD_HHMMSS.json):- All
override_ids from POST responses - Mapping details (pepm pairs, agent_keys, reasons)
- Timestamp and
created_byuser
- All
-
Approval Document (
phase1_3_mapping_approval_YYYYMMDD_HHMMSS.md):- Reviewer name and email
- Approval timestamp
- Mapping candidate summary (count, sample pairs)
-
Validation Results (
phase1_3_prod_validation_YYYYMMDD_HHMMSS.json):- Full validation SQL output
- All validation gate results
- Execution timestamp
-
Rollback Log (if any closures performed):
override_ids closed- Closure dates and reasons
updated_byuser
integration/bigquery/outputs/phase1_3_population/ for audit compliance.
Follow-Up Tasks (If Discovered)
Note: If any endpoint behavior is missing or incorrect, document here:- List Endpoints: Consider adding
GET /api/v1/admin/identity/pepm-map/listandGET /api/v1/admin/identity/agent/listendpoints to query all mappings for a tenant (with optional filters). Currently, users must query BigQuery directly to list mappings. This is not blocking for initial population but would improve operational visibility.
Troubleshooting
Error: “Overlapping effective date window detected”
Cause: Another active mapping exists for the same(pepm_agent_name_norm, pepm_business_name_norm) with overlapping effective dates.
Resolution:
- Query existing mappings:
SELECT * FROM dim_agent_pepm_agent_map WHERE tenant_id = '...' AND pepm_agent_name_norm = '...' AND pepm_business_name_norm = '...' - Close the existing mapping first (PUT with
effective_end_date) - Then create the new mapping
Error: “agent_key does not exist in dim_agent_identity”
Cause: Theagent_key value doesn’t exist in dim_agent_identity for the tenant.
Resolution:
- Verify
agent_keyexists:SELECT * FROM dim_agent_identity WHERE tenant_id = '...' AND agent_key = '...' - If missing, check if
agent_idmatches and resolve correctagent_key - Update mapping request with correct
agent_key
Querying Existing Mappings
Note: There is no list endpoint for querying all mappings. Use BigQuery directly:Error: “reason field is required and must be non-empty”
Cause:reason field is missing or empty string.
Resolution: Ensure reason field is present and has at least 1 character.
Related Documentation
- Phase 1.3 Validation Plan:
integration/bigquery/sql/validation/phase1_3_identity_resolution_validation.sql - Admin Identity API Schemas:
api/schemas/admin_identity.py - Admin Identity Endpoints:
api/routes/admin_identity.py