A) We need a way to pull a report of all action permissions for all groups added to a core and some ability to update these groups in bulk.
B) Doing a comparrison between 2 cores is also something we badly need to ensure our PRE-PRD environment matches PROD.
I have found a Report called: Users and Authorizations, By User Group. This looks to give what we need to find the info about all the groups, however, every time I try to run it, the HPSA Client hangs and Java ends up not responding to the point where I have to end the task and restart the client. I have even tried a smaller set of groups by filtering the groups it seachers for, but even that still hangs. We have 2 main cores we need to look at\update over 200 groups per core. I tried to pull a report of only 12 groups and it did end up working but still took a very long time; when trying for 20+ groups it failed completely.
We need a better way to get this info... Perhaps there is a DB query we can run from the DB server, or the slice to directly pull this info?
Once we have done an assesment of current permissions we need to make updates (most likely to ALL groups for this specific initative). It is related to another topic I opened recently, (https://community.softwaregrp.com/t5/Data-Center-Automation-Idea/Running-root-admin-level-Adhoc-scripts/idc-p/1658398) where we have been setting groups with the ability to run Admin Ad-hoc scripts because we didn't think it could be taken away without removing their ability to run saved scripts. This is a big security concern and we need to remove that permissions on All the groups ASAP. (End of next week :s)
How can we do this other than one group at a time manually?
Also related to the above... our process is to stage changes to groups in the PRE-PRD (PAT) Environment, then using /opt/opsware/cbt/bin/cbt we "promote" the updated group to PRD. I am concerned since this is such a large scale change that some groups may not be 100% the same between PAT and PRD. If we don't compare all the permissions for each group between the 2 ENV, I am concerned we could push the updated group from PAT to PRD ,but also effectivly change the PRD group to match PAT, where it maybe shouldn't be...
ie. PAT group A SHOULD be the same as PRD group A. Somewhere along the line, PRD group A's permission Y was changed manually and now the PAT and PRD groups are out of sync. I go to make a permission change to PAT group A's permission X and push that to PRD. Now the permission Y also gets changed in PRD becuse we didnt know they were not in sync.
We some way to compare these 2 cores and all their groups\permissions to find any differences. Perhpas some API or direct query to the DB would do it? We do the same thing for content in terms of promotion for scripts, software policies, packages, etc, which should also be the same between the cores, but that is another topic not under tesnion yet...
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.