Copy a role and permissions

maryc · ‎06-18-2016

Hi,

I want to copy the OOB ITIL role and make some modifications ( remove and add )to the permissions for the new role. Is there an easy method to do this?

If I inherit the ITIL role, can this modification be done?

Deepak Ingale1 · ‎06-20-2016

var referenceRole = 'itil' // reference role for cloning

var newRole = 'itil_dummy'; // new role to be cloned from reference role



var newRoleObj = new GlideRecord('sys_user_role'); // create a new role

   newRoleObj.initialize();

   newRoleObj.name = newRole;

var newRoleSysID = newRoleObj.insert();



var aclAndRole = new GlideRecord('sys_security_acl_role');   // find all the ACLs for reference role

   aclAndRole.addQuery('sys_user_role.name',referenceRole);

   aclAndRole.addQuery('sys_security_acl.active',true);

   aclAndRole.query();



while(aclAndRole.next()){


   gs.print(aclAndRole.sys_security_acl.name);

   gs.print(aclAndRole.sys_security_acl.advanced);

   gs.print(aclAndRole.sys_security_acl.script);

   gs.print(aclAndRole.sys_security_acl.condition);

     

   var newACLs = new GlideRecord('sys_security_acl');   

   newACLs.initialize(); // create new ACLs for new Role

   newACLs.name = aclAndRole.sys_security_acl.name;

   newACLs.advanced = aclAndRole.sys_security_acl.advanced;

   newACLs.condition = aclAndRole.sys_security_acl.condition;

   newACLs.script = aclAndRole.sys_security_acl.script;

   var newACLSysID = newACLs.insert();

     

   var newACLAndRole = new GlideRecord('sys_security_acl_role');   

   newACLAndRole.initialize(); // build a relation between new ACL and new Role so that new Role appears in related section for ACL

   newACLAndRole.sys_security_acl = newACLSysID;

   newACLAndRole.sys_user_role = newRoleSysID;

   newACLAndRole.insert();

}

Hi Mary,

As I said, I was trying this out in past and I left it in the middle due to some change in the requirement. However, I have modified the code which you can see above.

The design considerations are

1) Create a new role entry in sys_user_role table for dummy role , lets say "itil_dummy"

2) Find the "Associated ACLs" for existing role using sys_security_acl_role using "Reference" role lets say "itil".

3) Now, have new ACLs created for "itil_dummy" role using step 2. These ACLs will have same "Condition", "Script" fields as per the result got in step 2.

4) Create relation between new role and these new ACLs using m2m table "sys_security_acl_role".

Remember, you will have to test it thoroughly, i checked the above code in my dev instance it created new Role ITIL_dummy with ACLs associated with ITIL role with same condition, script fields. I have not taken in consideration other fields of ACL like "admin overrides", you can do that by adding a line in code snippet from line 27 to 29.

Also, this changes will not be captured in your update set since you are running this code as background script. Also one more thing, ACLs are performance maker or breaker, the lesser we have, the better it is. So please rethink again before making any decision.

View solution in original post

Mike Allen · ‎06-21-2016

You would do something like:

var app = new GlideRecord('sys_app_application');

app.addQuery('roles', 'CONTAINS', 'itil');

app.query();

while(app.next()){

app.roles += ',new_role';

app.update();

}

or something like that. Look at modules, too.

Always test in subprod!

dann · ‎09-27-2016

Hello Deepack or anyone feels who feels like answering,

Pardon for this question, I am still new to SNOW.

Where would you run this script?

Mike Allen · ‎09-27-2016

Run it in Background Scripts. Elevate to Security Admin and Background scripts is a module you'll have access to once elevated.

Fabian10 · ‎01-14-2019

Attention

Take care: The script in this thread seams to have a bug. The operation is not set for the newly created ACLs, so all ACLs will be "create" ACLs, which is not correct!