As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
I created a new group with three users in the group. I added security to one fex - only this group can run the fex.
I created a Change Management Export package for the fex, checking "With Rules".
I imported the Change Management package in the target environment. In Security Center of the target environment, the group was successfully created, but with no users.
Is this a loophole in the process?
Francis
Give me code, or give me retirement. In FOCUS since 1991
Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
When you "Import Package", in 8009, there's a "Security Resources" that has checkboxes for the Roles, Groups and Users. Did you try checking the Users Box and toggling the "Add/Replace" radio button?
webFOCUS 8207.15 WindowsServer 2019
Posts: 120 | Location: Minnesota | Registered: August 26, 2013
I know if one of my guys creates a new application - but doesn't tell me - when I import from dev to test - the code moves - but it doesn't work until I create the new application in test - then re-import the package.
I wonder what would happen if you try and create the user in the "new" environment - but not the permission - then import the package and see if it then adds the permission properly.
webFOCUS 8207.15 WindowsServer 2019
Posts: 120 | Location: Minnesota | Registered: August 26, 2013
I'm not moving anything. I don't expect Change Management to copy users from one environment to another. I expect Change Management to include the users that are in the Group that is being migrated from one environment to another. We use Active Directory and like most enterprises, all four of our environments use the same Active Directory service, therefore the users exist in all environments.
Francis
quote:
I'm not moving anything. I don't expect Change Management to copy users from one environment to another. I expect Change Management to include the users that are in the Group that is being migrated from one environment to another. We use Active Directory and like most enterprises, all four of our environments use the same Active Directory service, therefore the users exist in all environments.
Just because a user exists in your AD, that doesn't mean that they exist in WebFOCUS. I have mine set up to Auto Add users. So a User will only exist in my production environment if they have logged into my production environment. I don't know what this would mean for rules about specific users or users that are contained within a group.
Can you clarify what you mean by,
quote:
I created a new group with three users in the group.
Do you mean you manually added these 3 users to the group in WebFOCUS? Or did you add them to the group in AD? If you added them to the group in AD then there is no issue, because once these users log in after these rules have been moved, then WF will automatically add them to the respective group. Until these users log in, WF will not update their rules as to what groups they belong to. At least that's how I understand it. If this is what you did, I would validate that the external group linkage moved with the group.
quote:
I imported the Change Management package in the target environment. In Security Center of the target environment, the group was successfully created, but with no users.
To my understanding, this will only import the rules for the resource. So if you had rules specifically on a user, it should import the rule that User A has rights to run the report (I'm unaware of what it would do if User A does not exist yet). I believe what you are importing when you select the fex is "Rule 1 States that Group X has run permission, Run Permission Denied to all other groups". If you are expecting to import that Group X contains users A, B, and C, then I think you would need to export that group as well as the fex. In how I read your example, the rule required that a certain group exists, so it created that group. It does not say what that group needs to include (although I would assume that any external group association would be carried with it, I would validate that this is the case). Whenever I create a new group, I explicitly move that group between environments so that I know I have the group set up the way I want it.
Eric Woerle 8.1.05M Gen 913- Reporting Server Unix 8.1.05 Client Unix Oracle 11.2.0.2
Posts: 750 | Location: Warrenville, IL | Registered: January 08, 2013
Hi, I have the same issue that Francis had... I exported a Group with all options clicked (Replace it or Create New One). The above was an attempt to replicate what I did in one environment and NOT do it again manually in another environment. I decided to use the CM tool. The CM package did transfer the Group, but with no members in it (I do have the same members in the target environment as well). Then I decided to check the permissions on this Group, and those are not found...
If there is any update, or if anyone knows how this can be accomplished, I would appreciate it. If you are creating GROUPS, ROLEs, permissions etc. for a Group, do we need to repeat the process of creating these Groups etc. manually in the other environment, or can it be done via the Change Management Tool?
Thanks in advance for your help..
Prod/Dev/Test: WF 8.1.5 on (Windows Server 2012 R2 ) SandBox: WebFocus Server 8.1.5 on Windows Server 2008 R2 WebFOCUS App Studio 8.1.5 and Developer Studio 8.1.5 on Windows 7
Posts: 134 | Location: USA | Registered: August 21, 2008
The Security Center is one of the grand new features of WF 8. So is the Change Management Tool. You're supposed to be able to use the Change Management Tool to deploy all WF resources from one environment to another.
Perhaps this is all working better (or as it's expected to) in WF 8.2.
Francis
I personally like that users are not moved from one environment to another, as in development users have different permissions than QA or production.
If you are using external security such as AD, those external groups do move.
An option that can add users and groups is the REST API. I have used it to AD Groups when the groups are different between environments.
To expand upon what TexasStingray added: if you are using LDAP/AD groups, users will be auto added the first time they log in, so no user administration is necessary.
Thank you for using Focal Point!
Chuck Wolff - Focal Point Moderator WebFOCUS 7x and 8x, Windows, Linux All output Formats
Posts: 2127 | Location: Customer Support | Registered: April 12, 2005
quote:
I'm not moving anything. I don't expect Change Management to copy users from one environment to another. I expect Change Management to include the users that are in the Group that is being migrated from one environment to another. We use Active Directory and like most enterprises, all four of our environments use the same Active Directory service, therefore the users exist in all environments.
I'd like to deploy groups created in WebFOCUS Security Center. I assumed that in the source environment, the groups would be added to the CM package along with a reference to the users within the group, so that when the group is deployed to the target environment, the users would show up when viewing the group in WebFOCUS Security Center. I was seeing empty groups.
Francis
Chuck, thanks for your efforts on this and for your superb administration of the forum.
For this particular subject, I assumed that the information included in the CM export package would be the WebFOCUS Security group and users selected to be in the group, not information about the individual users. Then when the CM package is imported into the target environment, the group would be added/updated and the selected users would be added to the group. If the user does not exist in the target environment, then it doesn't get added. I don't see any security holes with this assumption.
Francis
The bad news is that the users do not come across with change management as it exists today, however there is a current active project to make that happen but not sure what the target release will be.
In the meantime, if the security settings are using EXTERNAL security, the first time a user signs in that is a member of an LDAP/AD group that is registered to a WF Security group, they will be autoadded and given the security permissions that are part of that group.
Thank you for using Focal Point!
Chuck Wolff - Focal Point Moderator WebFOCUS 7x and 8x, Windows, Linux All output Formats
Posts: 2127 | Location: Customer Support | Registered: April 12, 2005