Using a role mapping file to import default roles
By default, built-in roles (ADMIN, USER, DESIGNER, GRID_ADMIN, REPOSITORY_ADMIN) are not imported into the BMC Single Sign-On (SSO) system and rules for built-in roles are not imported into the repository or the CDP.
This default behavior is intended to prevent the unintentional merging of authorization domains when migrating multiple BMC Atrium Orchestrator environments into a single SSO environment. This behavior can be changed by providing a role mapping file specifying the role names to be used for import in place of the built-in roles.
The role mapping file is a Java Properties file supplied to the migration tool using the
‑‑roleMap option. This properties file alters the default import behavior for Access Manager built-in (and user-defined) roles.
Role map properties file functions
The content of the file is governed by the rules for a Java
java.utils.Properties file read using the load(java.io.Reader) method. The file must be encoded using the default character encoding for the system (see
). Each property entry is a key/value pair where the key is the built-in or user-defined role to which roles are mapped. The value is a comma-separated list of role names mapped to (or aliases of) the role identified by the key.
In the example, you specify "BAO Admin" and "AoGridAdmin" as aliases for the built-in role GRID_ADMIN.
Role names with embedded spaces are supported; leading and trailing whitespace is discarded. To use a user-defined role with an embedded space as a key, you must specify the embedded space with a backslash (\). Role names that contain an embedded comma are not supported.
Role names are not case-sensitive. Therefore, "GRID_ADMIN" and "gRiD_aDmIn" refer to the same role. The first appearance of a role name defines its case-preserved value used when adding the role to SSO. (The case-preserved value for user-defined and built-in role names are set in Access Manager.)
The role map properties file functions in the following manner:
- During role import into SSO, the roles mapped to a built-in or user-defined role are each added to SSO.
- The membership of any added or existing role is updated to include the members of the built-in or user-defined role to which the role is mapped.
For example, a mapping of
EPOSITORY_ADMIN=AoRootimports the AoRoot role into SSO and assigns it members from both GRID_ADMIN and REPOSITORY_ADMIN.
- During rule import into the repository or the CDP, rules written for a built-in or user-defined role for which a mapping is provided are imported as rules for the mapped role(s).
For example, a mapping of
USER=AuthenticatedUserscauses CDP process execution rules permitting USER rights to run workflows to be imported as rules for the role AuthenticatedUsers.