06-18-2016 03:27 PM
Hi,
I want to copy the OOB ITIL role and make some modifications (remove and add) to the permissions for the new role. Is there an easy method to do this?
If I inherit the ITIL role, can this modification be done?
06-20-2016 02:08 AM
var referenceRole = 'itil'; // reference role for cloning
var newRole = 'itil_dummy'; // new role to be cloned from reference role

// Create the new role record
var newRoleObj = new GlideRecord('sys_user_role');
newRoleObj.initialize();
newRoleObj.name = newRole;
var newRoleSysID = newRoleObj.insert();

// Find all active ACLs linked to the reference role
var aclAndRole = new GlideRecord('sys_security_acl_role');
aclAndRole.addQuery('sys_user_role.name', referenceRole);
aclAndRole.addQuery('sys_security_acl.active', true);
aclAndRole.query();

while (aclAndRole.next()) {
    // Log the fields of the ACL being copied
    gs.print(aclAndRole.sys_security_acl.name);
    gs.print(aclAndRole.sys_security_acl.advanced);
    gs.print(aclAndRole.sys_security_acl.script);
    gs.print(aclAndRole.sys_security_acl.condition);

    // Create a new ACL for the new role.
    // Only name, advanced, condition and script are copied from the reference ACL.
    var newACLs = new GlideRecord('sys_security_acl');
    newACLs.initialize();
    newACLs.name = aclAndRole.sys_security_acl.name;
    newACLs.advanced = aclAndRole.sys_security_acl.advanced;
    newACLs.condition = aclAndRole.sys_security_acl.condition;
    newACLs.script = aclAndRole.sys_security_acl.script;
    var newACLSysID = newACLs.insert();

    // Link the new ACL to the new role so that the role appears in the ACL's related list
    var newACLAndRole = new GlideRecord('sys_security_acl_role');
    newACLAndRole.initialize();
    newACLAndRole.sys_security_acl = newACLSysID;
    newACLAndRole.sys_user_role = newRoleSysID;
    newACLAndRole.insert();
}
Hi Mary,
As I said, I was trying this out in the past and I left it in the middle due to some change in the requirement. However, I have modified the code, which you can see above.
The design considerations are:
1) Create a new role entry in the sys_user_role table for the dummy role, let's say "itil_dummy".
2) Find the "Associated ACLs" for the existing role using sys_security_acl_role, using the "Reference" role, let's say "itil".
3) Now, have new ACLs created for the "itil_dummy" role using step 2. These ACLs will have the same "Condition" and "Script" fields as per the result from step 2.
4) Create a relation between the new role and these new ACLs using the m2m table "sys_security_acl_role".
Remember, you will have to test it thoroughly. I checked the above code in my dev instance; it created a new role ITIL_dummy with the ACLs associated with the ITIL role, with the same condition and script fields. I have not taken into consideration other fields of the ACL like "admin overrides"; you can do that by adding a line in the code snippet from line 27 to 29.
Also, these changes will not be captured in your update set since you are running this code as a background script. Also, one more thing: ACLs are performance makers or breakers; the fewer we have, the better it is. So please rethink before making any decision.
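A check for the "test it thoroughly" step above, as an added example that is not part of the original post: plain JavaScript that runs outside the instance (Node.js) over rows exported from sys_security_acl and sys_security_acl_role, and reports which ACLs the new role lacks, gains, or holds with different settings than the reference role. The `type`, `operation` and `admin_overrides` column names, the export shape and every sample row are assumptions constructed for illustration.

```javascript
// Assumed column names on sys_security_acl: type, operation, admin_overrides.
const COMPARED = ['admin_overrides', 'advanced', 'condition', 'script'];
const keyOf = (a) => [a.type, a.name, a.operation].join('|');

// Group the active ACLs linked to `role` by "type|name|operation".
function aclsForRole(acls, links, role) {
  const ids = new Set(links.filter((l) => l.role === role).map((l) => l.acl));
  const byKey = new Map();
  for (const a of acls) {
    if (!ids.has(a.sys_id) || !a.active) continue;
    byKey.set(keyOf(a), (byKey.get(keyOf(a)) || []).concat(a));
  }
  return byKey;
}

// Report what newRole lacks, gains, or holds with different settings.
function compareRoles(acls, links, referenceRole, newRole) {
  const ref = aclsForRole(acls, links, referenceRole);
  const cloned = aclsForRole(acls, links, newRole);
  const report = { missing: [], extra: [], differing: [] };
  for (const [key, refRows] of ref) {
    const rows = cloned.get(key);
    if (!rows) { report.missing.push(key); continue; }
    for (const r of refRows) {
      // Fields that differ from the closest-matching ACL of the new role.
      const fields = rows.map((c) => COMPARED.filter((f) => c[f] !== r[f]))
        .reduce((a, b) => (b.length < a.length ? b : a));
      if (fields.length) report.differing.push({ key, fields });
    }
  }
  for (const key of cloned.keys()) if (!ref.has(key)) report.extra.push(key);
  return report;
}

// Constructed sample rows; `role` holds the role name for brevity.
const acl = (sys_id, name, operation, admin_overrides, script) => ({
  sys_id, type: 'record', name, operation, admin_overrides,
  advanced: script !== '', condition: '', script, active: true });
const SAMPLE_ACLS = [
  acl('a1', 'incident', 'read', true, ''),
  acl('a2', 'incident', 'write', true, 'answer = true;'),
  acl('a3', 'incident.priority', 'write', true, ''),
  acl('c1', 'incident', 'read', true, ''),
  acl('c2', 'incident', 'write', false, 'answer = true;'), // admin_overrides not copied
  acl('c4', 'problem', 'read', true, ''),
];
const SAMPLE_LINKS = ['a1', 'a2', 'a3'].map((id) => ({ acl: id, role: 'itil' }))
  .concat(['c1', 'c2', 'c4'].map((id) => ({ acl: id, role: 'itil_dummy' })));
console.log(compareRoles(SAMPLE_ACLS, SAMPLE_LINKS, 'itil', 'itil_dummy'));
```

Entries under `differing` point at fields the clone did not carry over; `missing` and `extra` show the permission delta to review after customizing the new role.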
09-27-2016 02:52 PM

09-27-2016 10:40 PM
Okay, thanks for the reply.
06-18-2016 05:12 PM
Probably the easiest way to do this is to not inherit itil. That way you can keep it as close to OOB as possible. Create the new role, then look at all the ACLs that itil is a part of and add your new role to the rules you want. Also, make sure you check modules and any scripts that may be calling itil.
With that said, what you are looking to do is probably going to take a lot of work. itil is the base role of the entire system, and replacing it will take a ton of testing, finding the places where it is called, etc.
06-18-2016 07:51 PM
Hi Mary,
How to create a clone / dummy role?
This is what I ended up doing in the past, but I remember I had to skip this since the requirement changed at our end.
Please check if it helps you. It will create a new role from the reference role with the same ACLs as the reference role. Having said this, and as already pointed out by Mike, you will have to modify modules and scripts as well, depending on your requirement.
06-19-2016 06:17 AM
Thanks Deepak. Do you think that code is enough to clone an OOB role and then customize it?