SAP-samples/btp-setup-automator

[FEATURE REQUEST] Custom Role Collection Support

dachtera opened this issue · 8 comments

Which area is mainly impacted

Configuration

Requested Feature

The request is to allow the creation of custom role collections within the BTP Setup Automator

Use Case/Scenario

The use for this would be creating a custom role such as 'HCADeveloper' in our team, and assigning multiple existing role collections such as "Cloud Connector Administrator", "Business_Application_Studio_Administrator", "Launchpad Admin", etc.

This feature is presently available in the UI, but not supported in the automator. I am happy to help test this, or provide additional scoping/detail.


Would you like to support us?

  • Yes, I would like to support you

Anything else?

No response

Necessary extensions:

  • Adjust JSON schema for usecase with array with roles i.e. name of the role
  • Extract relevant data from btp cli for subaccount via role name: btp list security/role --subaccount <ID> (role template and roleapp id)
  • Enrich creation of custom role collection with logic to fetch role data and assign roles to role collection (libs/python/helperRolesAndUsers.py -> assignUsersToCustomRoleCollections)

The feature is available with the latest version of the btp setup automator. To add a custom role collection including roles, the following data must be provided:

parameters.json - Example

  {
    "myusergroups": [
      {
        "name": "admins",
        "members": [
          "sam.sample@sap.com"
        ]
      }
    ]
  }

This data entry was already possible before the new feature; nothing has changed at this point.

usecase.json - Example

  {
    "assignrolecollections": [
      {
        "name": "test-custom",
        "level": "sub account",
        "type": "custom",
        "assignedUserGroupsFromParameterFile": [
          "admins"
        ],
        "assignedRoles": [
          "Cloud Connector Administrator",
          "Cloud Connector Auditor"
        ]
      }
    ]
  }

For role collections of type custom you can add the roles that should be added to the role collection via their names.

Hello @lechnerc77 - Are you saying that in order to create these custom groups, we need to modify the usecase.json file to include our custom name? If so, does it not become problematic having to redeploy your custom files each time the docker image is updated?

Hi @dachtera, not sure if I fully get the question: Yes, in case we make changes and fixes, the Docker image needs to be updated.
To include the right data for your use case, you must declare that in a usecase.json file. This file is either the one in the container (that you need to modify when you rebuild/restart the container), or you mount a local file source into the Docker container, or you specify the use case files that are reachable via HTTP. There is nothing specific to the roles; this is true for all declarations like services etc.

Thank you, I misunderstood that it goes in the usecase file (which we are calling hca.json for our needs)

I added your code and with the exception of changing the included role collections to Launchpad_Admin, I get the following error:

####################################################################################################
# Assign users to role collections specific to a service
####################################################################################################
[2022-10-20 18:07:44] INFO       : assign users to custom role collection >leurldev<
[2022-10-20 18:07:44] INFO       : Check if role collection >leurldev< already exists
[2022-10-20 18:07:44] RUN COMMAND: btp get security/role-collection 'leurldev'
[2022-10-20 18:07:46] INFO       : Assign role collection >leurldev
[2022-10-20 18:07:46] RUN COMMAND: btp create security/role-collection 'leurldev' --description  'leurldev' --subaccount '43fce21c-87e8-437a-b848-107489f507e0'
[2022-10-20 18:07:48] ERROR      : Traceback (most recent call last):

NoneType: None
[2022-10-20 18:07:48] ERROR      :   File "/home/user/./btpsa", line 42, in <module>
    myBtpUseCase.createRoleCollections()

NoneType: None
[2022-10-20 18:07:48] ERROR      :   File "/home/user/libs/python/btp_cli.py", line 607, in createRoleCollections
    assignUsersToCustomRoleCollections(self)

NoneType: None
[2022-10-20 18:07:48] ERROR      :   File "/home/user/libs/python/helperRolesAndUsers.py", line 221, in assignUsersToCustomRoleCollections
    for role in rolecollection["roles"]:

NoneType: None
[2022-10-20 18:07:48] ERROR      : KeyError: 'roles'

NoneType: None
[2022-10-20 18:07:48] ERROR      : 'roles'
NoneType: None
btp-setup-automator: user $ 

I just re-launched the container before running with the updated code, and the error results. Thoughts on what I may have missed?

  "assignrolecollections": [
    {
      "name": "leurldev",
      "level": "sub account",
      "type": "custom",
      "assignedUserGroupsFromParameterFile": [
        "developers"
      ],
      "assignedRoles": [
        "Launchpad_Admin"
      ]
    },

I can confirm the 'developers' group exists, as it's already in-use and working for other aspects of the setup.

Is "Launchpad_Admin" the role template or the role name? The assignedRoles section expects the role name (which might have whitespaces). Looking at your screenshot from above, Launchpad_Admin is a role collection, not a role. Assigning existing role collections to a user was already possible without the extension you requested and follows the path described in #119.

If it is the role name please attach the complete usecase.json and parameters.json so that I can reproduce the error in my account.

Here are the files. As far as I know, the Launchpad_Admin exists, as we use it to specifically call out that role for users (near bottom of hca.json file). - Could not directly attach the two json files. You'll need to update the email and account ID for your environment.
Archive.zip

Thank You!

Took a look at the system based on your files:

  • The Launchpad_Admin is indeed a role collection that you assign in lines 173 - 178 to your user group called "developers". So here you already achieved the goal.
  • The assignment of a (new) role collection must contain roles. There is no role Launchpad_Admin available in your setup.

If you want a custom role collection that comprises the same capabilities as the role collection Launchpad_Admin, you need to put the following roles in:

  • Editor
  • Super_Admin
  • Theme_Admin
  • Viewer
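The usecase.json format described earlier in the thread and the diagnosis above (a custom role collection must list role names, and Launchpad_Admin is a role collection rather than a role) can be checked before a run. The following validator is an added example, not code from btp-setup-automator; the sample files and the role and role collection name sets standing in for `btp list security/role --subaccount <ID>` and `btp list security/role-collection --subaccount <ID>` output are constructed for illustration.

```python
import json

# Constructed sample inputs (not the project's own files): a parameters.json
# user group and three custom role collections from a usecase.json.
PARAMETERS_JSON = '{"myusergroups": [{"name": "admins", "members": ["sam.sample@sap.com"]}]}'
USECASE_JSON = """{"assignrolecollections": [
  {"name": "test-custom", "level": "sub account", "type": "custom",
   "assignedUserGroupsFromParameterFile": ["admins"],
   "assignedRoles": ["Cloud Connector Administrator", "Cloud Connector Auditor"]},
  {"name": "leurldev", "level": "sub account", "type": "custom",
   "assignedUserGroupsFromParameterFile": ["developers"],
   "assignedRoles": ["Launchpad_Admin"]},
  {"name": "no-roles", "level": "sub account", "type": "custom",
   "assignedUserGroupsFromParameterFile": ["admins"]}
]}"""

# Constructed stand-ins for the names that `btp list security/role --subaccount <ID>`
# and `btp list security/role-collection --subaccount <ID>` report for the subaccount.
SUBACCOUNT_ROLES = {"Cloud Connector Administrator", "Cloud Connector Auditor",
                    "Editor", "Super_Admin", "Theme_Admin", "Viewer"}
SUBACCOUNT_ROLE_COLLECTIONS = {"Launchpad_Admin", "Business_Application_Studio_Administrator"}


def validate_custom_role_collections(usecase, parameters, roles, role_collections):
    """Return problems that would make the run fail (no roles) or grant something
    other than intended (unknown role, undefined user group). Only "custom" entries
    are checked; existing role collections are assigned by name without roles."""
    groups = {g["name"] for g in parameters.get("myusergroups", [])}
    problems = []
    for rc in usecase.get("assignrolecollections", []):
        if rc.get("type") != "custom":
            continue
        name = rc["name"]
        assigned = rc.get("assignedRoles") or []   # missing key is the KeyError seen above
        if not assigned:
            problems.append(f"{name}: custom role collection declares no assignedRoles")
        for role in assigned:
            if role in roles:
                continue
            if role in role_collections:
                problems.append(f"{name}: '{role}' is a role collection, not a role; list its roles instead")
            else:
                problems.append(f"{name}: role '{role}' does not exist in the subaccount")
        for group in rc.get("assignedUserGroupsFromParameterFile", []):
            if group not in groups:
                problems.append(f"{name}: user group '{group}' is not defined in parameters.json")
    return problems


def check_sample():
    return validate_custom_role_collections(json.loads(USECASE_JSON), json.loads(PARAMETERS_JSON),
                                            SUBACCOUNT_ROLES, SUBACCOUNT_ROLE_COLLECTIONS)
```

Running `check_sample()` reports three findings for the constructed files: the role collection named as a role, the user group missing from parameters.json, and the entry without assignedRoles.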