Skip to Content
avatar image
Former Member

Best way to merge lots of roles into one new role

I am currently working on a rebuild of the current roles and profiles. The users now have lots of large and small roles which also have lots of similar authorisation objects in them. I can create new roles and then import the old profiles into them one by one and then merge the whole lot but would prefer a quicker way if possible i.e. combine lots of roles into one new role in one go. Any suggestions are welcome.

Thom Dijkstra

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

6 Answers

  • avatar image
    Former Member
    Dec 28, 2011 at 02:35 PM

    Dear Thom,

    You can make composite roles.This is the good way for maintenance purpose as you can assign 2-3 composite roles to end users.

    Regards,

    Amit Barnawal

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 28, 2011 at 02:47 PM

    Unfortunately that is not an option. We want to include all authorisations for each single function in one single role. It's not the prettiest option but better for this organisation.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 28, 2011 at 03:41 PM

    There are at least three ways to do this, but it depends on how qualitative the mergable singles are in their authorizations and how you want to deal with org. level fields.

    You need to provide more infos about that.

    Cheers,

    Julius

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 28, 2011 at 06:21 PM

    Hi Thom,

    I'd say rebuild from the menu. You can import the menus from the other roles and keep those other roles for reference while filling the authorization values.

    Maybe you can speed up the initial part (loading all the menus into the new role) with an ECATT script.

    Jurjen

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      The dirty solution is within the new role --> import the profiles of the various single roles.

      However, the auths are all manual regardless of the source status and you have no menu.

      That is why you must provide more information.

      This is however not a best practice and Jurjen is correct, it is quite possible that starting over is better.

      Cheers,

      Julius

  • avatar image
    Former Member
    Jan 02, 2012 at 08:47 AM

    ls,

    Thanks for the info. i think I have the information that I need, unfortunately it seems there is no easy solution for this (I was kind of expecting this).

    Within the organisation there are a lot of things missing for me to be able to do this the right way:

    - there are no process- or function descriptions

    - there is no person or board who is responsible for or who can indicate what each function should be able to do (and not be allowed to do)

    - there is no auditlog (I am working on that but will take time to build up some history)

    So, the challenge is that the only thing I have to go on are the current authorisations which is a mix of all kinds of big and small roles with lots of overlapping objects. My idea was to merge all these roles into one role for each function and then go through these to see where there might be control-issues. At least I would have 1 role to work with for each function which would also make it easier for the people doing the usermanagement.

    Hope this explains it a bit better.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Again, do the roles have a menu or not?

      What is the status of the authorization instances in the roles?

      You should consider that starting over is mostly a cleaner way and you can still do user based comparisons between the test system (with new role(s) assigned) and the production system (with the spagetti).

      Cheers,

      Julius

  • avatar image
    Former Member
    Jan 02, 2012 at 10:58 AM

    @ Julius: sorry missed that remark. Most roles do not have a menu. A lot of transactions have been added manually including their compulsory objects.

    Add comment
    10|10000 characters needed characters exceeded