
Create roles as templates using other roles


Dan Munns


Hi,

Could we have the ability to create roles using other roles (bad way to describe it I know). 

Say I have an analyst starting in the IT Service Desk and they all have a defined role set. At the moment I either have to add the individual roles to the user account or create a custom role and add application rights, database rights etc. It would be much easier to create a role and add other current roles to it and then save the new role as 'IT Service Desk analyst'.

Thanks,

Dan


+1 - It gets quite tedious to have to manually assign roles to each person that needs Hornbill access... different teams have different accesses. I have a PowerShell script to utilize the Hornbill API that does this for me for one team, but would be better to have Role Groups that can be used to assign multiple roles to a single user at once... this would also enable other users in my Team to set up Hornbill users without having to know what the Roles mean.

Additional suggestions:

  • If a Role is added or removed from a Role Group then this should affect everyone in that group. 
  • Only a single Role Group can be assigned to a user, but individual roles can still be assigned. There should be validation to check if a role added is already a part of the Role Group.

3 minutes ago, samwoo said:
  • Only a single Role Group can be assigned to a user, but individual roles can still be assigned. There should be validation to check if a role added is already a part of the Role Group.

We would need the ability to add more than one role group. For example a user may be part of the IT Service Desk, giving them access to IN and SR requests and relevant mailboxes, but also a member of the IT Change team, thereby needing access to CH requests, mailbox and change calendar etc. 

Maybe a setting to be able to limit the amount of groups a user can be added to?


How are you bringing Users into Hornbill?

If you're doing that manually then adding the Roles manually is the only option.

If you're importing them then you can specify what Roles are applied. The simplest option is to run Imports based on a User's AD OU and assign Roles accordingly. If you're familiar with LDAP filters you could also do this by Group Membership (or potentially any other criteria).

 


This is more for when we have users added to Teams due to change of role or change of BU or similar. We have a lot of change going on and I find myself adding users to roles almost daily. It would be so much easier to have a group of roles per team. 

As for new users, our AD is split into admins / everyone else (largely to allow for simple GPO application for default permissions). Some users have a group membership as part of their team for shared mailboxes or storage resources, but not all; everyone has a department and Hornbill adds them to that. But adding (Hornbill) users to roles in Hornbill has always been manual for me.


The most logical step for me would be to utilise:

6 minutes ago, Dan Munns said:

Some users have a group membership as part of their team

or

7 minutes ago, Dan Munns said:

everyone has a department and Hornbill adds them to that

If the Department is sufficient to determine what Hornbill Roles are required then filtering on that and running an Import in Update mode could update the roles - if not then adding the Users to a Hornbill Users AD group could be done instead.

I think it would be the department and memberOf filters for this, but it's been a while since I played with LDAP filters.


@Steve Giller at the moment I have 43 teams in Hornbill, with potentially more on the way. So if I use AD then I have to create a new sub OU for Hornbill users (not something we like to do) under the admin OU and general users OU and then 43 AD groups and relevant import tasks plus other work for Azure AD imports for other parts of the group. If I want to add or remove a role then I have to change the import config for that user group/team.

Having the ability to create a role group within admin>roles will be infinitely easier, as adding to a Hornbill team is a 'day of' request so I would need to either trigger the import tool or just manually add the user. Plus I assume that people who want to be able to add users to roles based on AD fields could also just add said user to the single role created as a role group (if this feature were added), allowing the role to be the only point of configuration rather than having to add new roles/remove un-needed roles in the import config.


  • 1 month later...

The fact the templates cannot include the Organisation Groups for the User Type is a limitation for this feature. We use the template to ascribe roles but we manually need to then check and add that person into OGs.


@Gerry I assume that the templates are applied to users as part of the import process and need OUs to identify the users to have the template applied? If this is the case then creating new OUs for each team isn't really possible for us. 


@Dan Munns @Berto2002

That's a very good point. I have reviewed to see why this is, and to be honest I see no good reason why we have omitted to create groups as part of a template, both manually or when provisioning via SSO, so I have committed this to the 90-day roadmap and will get that implemented. It will be with you soon.

Gerry


@Dan Munns

"I assume that the templates are applied to users as part of the import process and need OUs to identify the users to have the template applied?" To be honest, I am not sure how the LDAP import functions with regards to templates; that is something I would need to defer to someone who knows how the importer works.

You suggested that "having the ability to create a role group" would solve your problem. If we could create a role group it would be given a name, and potentially you may have more than one of these role groups, so you would ultimately still need to deduce which "role group" to apply to any given user when importing or auto-provisioning, would you not? And this would be the same for the template; in other words, it should be possible to use the template (with the role changes) to achieve exactly what you want?

 

Gerry


 
