Retrieving list of usergroups that cannot be imported to SaaS
Article ID: 391337
Updated On:
Products
Issue/Introduction
With SaaS, there are restrictions on usergroups that can be imported into the Automic SaaS system. These include the following:
Administration
ILM actions
Create diagnostic information
Execute system Upgrades
View Messages
Dump memory trace
Access Control
Login via CallAPI
Since a user cannot assign privileges that it does not already have, the ultimate restrictions can be found in client 0 in the SAAS_USRG usergroup. Anything not assigned in here is not available to import either via xml or transport case. Attempting to do so will result in the following error:
Starting import of object 'USRG.USERGROUP_NAME'
Object 'USRG.USERGROUP_NAME' does not yet exist. Object will be created.
U00004518 Missing privilege
U04005760 Errors occurred while importing object 'USRG.USERGROUP_NAME'.
Please take a look at the Resolution section in order to help identify what usergroups will have problems.
Resolution
The following will help to identify which usergroups cannot be imported with their current settings.
Each usergroup identified here will need to be adjusted in the source system before it can be imported into the Automic SaaS system!!!
Follow steps 1 through 5 of the solution in the following knowledge article: Retrieving human-readable UserGroup privileges prior to V24 in list
For step 6, replace the code with the following:
! set variable names
! get_usergroups_var is the sec_sqli var that will be looped through to get usg_oh_idnr and usg_privilege (the decimal representation of the binary privileges)
! usergroup_name_and_clieng_var is the sec_sqli var that is used to get usergroup name and client from the db - based on usg_oh_idnr from get_usergroups_var
:set &get_usergroups_var# = 'vara.sqli.find_usergroups'
:set &usergroup_name_and_client_var# = 'vara.sec_sqli.get_usergroup_name_and_client'
! set new line character
:set &nl# = UC_CRLF()
! Loop through the usergroups
:set &hnd# = prep_process_var(&get_usergroups_var#)
:process &hnd#
! get the decimal representation for the usergroup privileges
: set &privilege# = get_process_line(&hnd#, 4)
! get the oh_idnr from the usergroup
: set &usergroup_id# = get_process_line(&hnd#, 2)
! get the usergroup name for the report
: set &group_name# = get_var(&usergroup_name_and_client_var#, &usergroup_id#, 2)
! get the usergroup client for the report
: set &usergroup_client# = get_var(&usergroup_name_and_client_var#, &usergroup_id#, 3)
! initialize results to be blank and each group of privileges for the report
: set &result# = ''
: set &full_out# = "UserGroup &group_name# in client &usergroup_client# has the following permissions that will not allow it to be imported into Automic SaaS:"
: set &full_out_grp2# = 'Category: Administration'
: set &full_out_grp5# = 'Category: View Messages'
: set &full_out_grp6# = 'Category: Access Control'
! highest position (as of 21.0.13) will be 45 for binary - we will loop through backwards from this binary position
: set &pos# = 45
! set flag to false - if flag is true at the end of the loop, we will write out to report
: set &flag# = 'false'
! Loop through the binary of the privileges, looking at each bit and lowering position by 1 each time through
: while &pos# > 0
: set &output# = get_bit(&privilege#, &pos#)
: set &pos# = sub(&pos#, 1)
: set &pos# = format(&pos#)
! if the bit came back with something, write this to the final report - each bit corresponds with one of the privileges in a usergroup
: if &output# = 1
: switch &pos#
! Group 2 - Adminsitration
: case 24
: set &priv# = "Create diagnostic information"
: set &full_out_grp2# = "&full_out_grp2#&nl# &priv#"
: set &flag# = 'true'
: case 8
: set &priv# = "Execute system upgrades"
: set &full_out_grp2# = "&full_out_grp2#&nl# &priv#"
: set &flag# = 'true'
: case 26
: set &priv# = "ILM actions"
: set &full_out_grp2# = "&full_out_grp2#&nl# &priv#"
: set &flag# = 'true'
! Group 5 - View Messages
: case 42
: set &priv# = "Dump memory trace"
: set &full_out_grp5# = "&full_out_grp5#&nl# &priv#"
: set &flag# = 'true'
! Group 6 - Access Control
: case 20
: set &priv# = "Logon via CallAPI"
: set &full_out_grp6# = "&full_out_grp6#&nl# &priv#"
: set &flag# = 'true'
: endswitch
: endif
: set &result# = &result#&output#
: endwhile
! print results to report
: if &flag# = 'true'
: p 'decimal in binary is &result#'
: p &full_out#
: if &full_out_grp2# <> "Category: Administration"
: p &full_out_grp2#
: endif
: if &full_out_grp5# <> "Category: View Messages"
: p &full_out_grp5#
: endif
: if &full_out_grp6# <> "Category: Access Control"
: p &full_out_grp6#
: endif
: p 'End report for usergroup &group_name# in client &usergroup_client# &nl#&nl#'
: endif
:endprocess &hnd#Output will now look something like this:
2025-03-19 22:54:14 - U00020408 decimal in binary is 111111111111111111111111111011111010111111111
2025-03-19 22:54:14 - U00020408 UserGroup ADMINISTRATORS in client 0 has the following permissions that will not allow it to be imported into Automic SaaS:
2025-03-19 22:54:14 - U00020408 Administration
ILM actions
Create diagnostic information
Execute system upgrades
2025-03-19 22:54:14 - U00020408 Category: View Messages
Dump memory trace
2025-03-19 22:54:14 - U00020408 Category: Access Control
Logon via CallAPI
2025-03-19 22:54:14 - U00020408 End report for usergroup ADMINISTRATORS in client Client 0Additional Information
Something similar can be used for users. Update the variable vara.sqli.find_usergroups to use:
select usr_oh_idnr, USR_AccessC0, USR_Privilege from usr
You may also want to change the line:
: set &full_out# = "UserGroup &group_name# in client &usergroup_client# has the following permissions that will not allow it to be imported into Automic SaaS:"
to
: set &full_out# = "User &group_name# in client &usergroup_client# has the following permissions that will not allow it to be imported into Automic SaaS:"
and change the line:
: p 'End report for usergroup &group_name# in client &usergroup_client# &nl#&nl#'
to:
: p 'End report for user &group_name# in client &usergroup_client# &nl#&nl#'
Feedback
