cancel
Showing results for 
Search instead for 
Did you mean: 

Clone user role - copy permission question

Walter.Koller
Level 11
We are working with environments with quite a lot of user roles in Blue Prism.
User roles in our environments are derived by process owners / departments, which might be in different subsidiaries (that are separate legal entities). This is required to ensure no wrong robot (or user who happen to get the robot password) can execute a process belonging to another process owner.
With about 70 served departments, each having their own set of user roles like developer, runtime resource, controller, ... in dev + prod... the amount of user roles is quite high.

We try to manage them by creating 'template user roles', defined the common folder permissions, and clone them whenever a new user roles is needed. 
An example of common folder permission is the BP group where Login, Logout, ... and other generic VBO and processes are located. 
This works quite well and a newly cloned user role automatically get the correct folder permissions.
Well, at least most of the time. Because sometimes the newly cloned user role doesn't have any permissions set at all. 
I just had the case when a cloned user role had permissions at process level set correctly but didn't have any permissions for VBO. 

Does anyone know if there is a rule when cloned user roles will also derive their affective permissions from the originating role?

------------------------------
Walter Koller
Solution Manager
Erste Digital / Erste Group Bank
Europe/Vienna
------------------------------
3 REPLIES 3

steven.boggs
Staff
Staff
Hi Walter,

I'll take a crack at addressing the scenario you describe here where a cloned user role did not have correct folder permissions -- it may be that certain folder permissions affect and "override" or "overlap" certain user permissions in some cases. The difference between User Role-based permissions and Folder/Process/Object permissions are outlined in this KB article here, and may help explain this behavior.

Alternately, you may wish to check on the Roles/Permissions in your environment to ensure the permissions for each role are correctly set at the database level. You can create a Role Report showing Roles and Permissions via SQL by following the steps in this guide here.

Lastly, if you think this may be a potential product defect where Blue Prism code is not correctly cloning user roles with the correct permissions in some cases, we would be able to investigate this scenario further with our Product team in a Support ticket. If you're able to consistently reproduce this behavior (and it isn't otherwise explained by the difference between User and Folder permissions in the article above), please provide the steps to reproduce this issue along with the relevant additional information/data in a new Support ticket and we'll be able to determine what may be happening here.

------------------------------
Steve Boggs
Senior Software Support Engineer
Blue Prism
Austin, TX
------------------------------

Hi Steve,

Thanks for your reply and some readings on this topic.

First of all, is my assumption correct that folder permissions should be copied over the the new user role when cloning from an existing user role?
Just now I did test the permissions after cloning in 5 different environments and folder permissions have never been copied over to the new user roles.

The KB article you linked describes exactly the functionally we are trying to take advantage of.
Maybe I should explain exactly what we are trying to achieve (and mostly works):
1. We create a folder, FolderA
2. Create a user role RoleA that is allowed to execute and export
3. Set FolderA to restricted, remove all permissions, allow RoleA to do everything its role permissions allow. 
4. Clone RoleA as RoleA'
Expected: RoleA' has the same check boxes set as RoleA on folder level.
This sometimes work but sometimes all check boxes are not set for the cloned role. 

The guide to create SQL reports directly from DB is very useful and I wished I had this information much earlier 😄 However, this SQL does not seem to work in AD/SSO environment. At least I could not get it to work and the official answer here in this forum was it will not work. 
select count(*) from BPAUser: 36
select count(*) from BPAUser u, BPAUserRoleAssignment ra where u.userid = ra.userid: 1
As far as I know is the relation between user and AD group queried directly from AD at the time of log on to BP. This makes sense as it is the only reliable source. 


------------------------------
Walter Koller
Solution Manager
Erste Digital / Erste Group Bank
Europe/Vienna
------------------------------

Hi Walter,

Glad you found the documentation useful. We have a lot of other KB articles on this topic available in the parent article, "Troubleshooting User Roles and Permissions" that we would also recommend review of.

You are correct that the difference between User Role permissions and folder permissions are likely the cause here. When cloning a User Role, for security implications it's likely the requirements are in place to not also copy over the same folder permissions as you describe. Cloning User Roles may not always involve giving access to the same folders/Processes/Objects (for example, the same User Role being used across different teams/projects), so these folder permissions should be explicitly defined afterwards.

If you'd like to further investigate the product requirements in this area or submit a request for change in this functionality, I would encourage you to open a Support ticket with us so we could provide additional details.

------------------------------
Steve Boggs
Senior Product Support Engineer
Blue Prism
Austin, TX
------------------------------