Important Note! 2012 RC is not supported in a production environment unless you are in the Microsoft TAP program for Operations Manager.
This blog post is to be considered an experience report, and not an official guideline.
I admit it, I’m lazy, especially when it comes to dull tasks like creating User Roles in bulk. Fortunately, this can be 100% scripted.
What I first need to do is get a list of all User Roles (non-system only) and their configurations.
Note: I don’t use the System Roles and I don’t want to modify them, or for that matter any Role that already exists, so that I don’t lock myself out.
Since Role Configurations target Ids of certain Objects (Groups, Classes, Views, Tasks) I also retrieve the name of these objects as I want to verify that they are still the same in the new environment, and that they actually exist. Objects that don’t exist or that conflict (different object with same Id) won’t be added to the newly created Roles in the 2012 environment.
Once all that information is gathered, I’ll test-run my role creation script in a simulation mode (it acts as if it’d create roles but it doesn’t) to see if there are any issues.
If everything is fine, I’ll go ahead with the live script and create my roles.
NOTE: The scripts mentioned in this blog post are available in the attached zip file as a reference. Use at your own risk.
Running Inventory of User Roles
First I need to get a list of all User Roles in my 2007 environment including which tasks/views/groups they have access to and all other configuration parameters. Then I store that information in a char-separated text file.
Additionally, for each object (Task/View/etc.) that is part of the configuration I’ll get its name and add it to my inventory as well. This way I can later verify that the Id I target exists in the new environment and that it is still the same object.
Script: GetRolesAndPermissions.ps1 (needs to run in Operations Manager Shell) creates C:\temp\RoleConfigurations.txt
I then copy the RoleConfigurations.txt over to c:\temp on my 2012 Management Server from which I’ll run the verification and creation scripts. They all assume it’s at this location.
Simulate User Role Creation
User Roles can be scoped to certain views and groups, and tasks can be added to them. The question is: are all of these available in the new environment? And of course, would my script function properly?
Note: In my last blog posts I covered the Management Pack migration, so all Management Packs are available in the new environment.
For this I wrote a script that simulates the creation of the User Roles so I can verify each role and its configuration before I actually make any changes.
What the script does:
- Read the RoleConfigurations.txt file
- Parse configuration parameters
- Verify the Object Ids, or rather that the objects are there and still the same
- Check if Role already exists; if yes, no creation
- If no, ask if Role should be created
  Note: As you can see, some views don’t exist in the 2012 environment. These won’t be added to the Views of this Role.
- If yes, create Role and output configuration
  Note: This will create the role object, it will not import it yet
- Ask if Role should be imported
- If yes, it WON’T import the role as the actual import line has been commented out.
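The verification and dry-run steps listed above, as an added sketch that is not one of the scripts from the attached zip. The pipe-separated column layout, the `$target` lookup table (a stand-in for objects read from the 2012 management group), the function names and all sample values are assumptions constructed for illustration.

```powershell
# Constructed sample data. The pipe-separated layout (Role|Type|Id|Name) is an
# assumption; the post only says the inventory is a char-separated text file.
$inventory = @'
Role|Type|Id|Name
SQL Operators|Group|11111111-1111-1111-1111-111111111111|SQL Computers
SQL Operators|View|22222222-2222-2222-2222-222222222222|SQL Active Alerts
SQL Operators|Task|33333333-3333-3333-3333-333333333333|Restart SQL Agent
Web Operators|View|44444444-4444-4444-4444-444444444444|IIS State
'@ | ConvertFrom-Csv -Delimiter '|'

# Hypothetical stand-in for the objects found in the 2012 environment, keyed by Id.
$target = @{
    '11111111-1111-1111-1111-111111111111' = 'SQL Computers'
    '33333333-3333-3333-3333-333333333333' = 'Reboot Server'  # same Id, different object
    '44444444-4444-4444-4444-444444444444' = 'IIS State'
}
$existingRoles = @('Web Operators')  # roles already present are never touched

# Classify one inventory row: the Id must exist AND still carry the same name.
function Test-RoleObject {
    param($Row, [hashtable]$Target)
    if (-not $Target.ContainsKey($Row.Id)) { return 'Missing' }
    if ($Target[$Row.Id] -ne $Row.Name)    { return 'Conflict' }
    return 'Match'
}

# Build the per-role plan without changing anything (simulation mode).
function Get-RolePlan {
    param($Inventory, [hashtable]$Target, [string[]]$ExistingRoles)
    foreach ($group in ($Inventory | Group-Object Role)) {
        if ($ExistingRoles -contains $group.Name) {
            New-Object psobject -Property @{ Role = $group.Name; Action = 'Skip (exists)'; Add = @(); Drop = @() }
            continue
        }
        $checked = foreach ($row in $group.Group) {
            New-Object psobject -Property @{ Row = $row; Status = (Test-RoleObject $row $Target) }
        }
        New-Object psobject -Property @{
            Role   = $group.Name
            Action = 'Create'
            Add    = @($checked | Where-Object { $_.Status -eq 'Match' } | ForEach-Object { "$($_.Row.Type): $($_.Row.Name)" })
            Drop   = @($checked | Where-Object { $_.Status -ne 'Match' } | ForEach-Object { "$($_.Row.Type): $($_.Row.Name) [$($_.Status)]" })
        }
    }
}

Get-RolePlan $inventory $target $existingRoles | Format-List Role, Action, Add, Drop
```

The `Conflict` case is the one worth reviewing by hand: scoping a role to an Id that now belongs to a different object would grant access the original role never had.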
Create User Roles
Once I have verified that everything works fine I go ahead and use the actual creation script: CreateRolesAndPermissions.ps1
The steps are the same as above, except that when it asks “Do you want to import the Role?” it will actually import the Role.