How role is not mapped when cloned

NikhilEtikala
Tera Contributor

‎12-02-2024 07:27 AM

We have cloned production instance with int instance for upgrade process. In production, I don't have impersonator role.but in the int instance I am able to impersonate users. How this is possible?

0 Helpfuls
  • 335 Views
2 REPLIES 2

Dr Atul G- LNG
Tera Patron
Tera Patron

‎12-02-2024 07:29 AM

Hi @NikhilEtikala 

 

As per my understanding, if in Int you have admin role , you got impersonate role implicitly. 

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting " Accept as Solution" and " Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************

jMarshal
Mega Sage
Mega Sage

‎12-02-2024 08:22 AM

Atul @Dr Atul G- LNG is correct - "impersonator" is embedded in "admin" OOB.

@NikhilEtikala Further, if you are asking about how a clone can produce different results in terms of user permissions, it likely has to do with table preservers in your clone profile. If there is a table preserver in your clone profile, it could be over-writing your user permissions. Also, it is not always easy to understand table preserver configuration, when it comes to user accounts/roles/permissions/access/groups - as there are 6 tables that you need to consider, which is not intuitive for a lot of folks:

sys_user

sys_user_group


sys_user_role


sys_user_grmember

sys_user_has_role <- likely that this one is the culprit, if your role assignment is off, but group membership is not...especially if the role assignment is not inherited.

sys_group_has_role <- also a possible cause for your problem...if the role assignment is incorrect, but the role is inherited (then, likely group membership is preserved and doesn't match production).

...if you want your subproduction instance to exactly match your production instance (in terms of group membership, users and role assignment), make sure that NONE of the tables listed above has a preserver in the clone profile that you use.

Further, if you are not preserving those tables, but still having issues with your role assignment, group membership or user base (not matching production, as expected)...it could be the case that a previous/other platform admin has set up a connection to an external source (such as a specific ldap user/group import for your subproduction environment).