2
votes

We are using Sitecore 8 update 3 with Active Directory integration. I am trying to copy a Role and the respective users tied to it from our Dev environment over to Prod

example:

role: Sitecore/IHaveAccess
users: ad/dk123, ad/dk234, ad/dk345...

I tried two different methods:

Method 1: Generate package:

By creating a package as described on page 19: https://sdn.sitecore.net/upload/sitecore6/65/package_designer_admin_guide-a4.pdf

When I installed the package on the new environment, the role was added but none of the users were under the Role.

Method 2: Serialization:

I serialize the item, but when viewing it in Notepad++ it does not contain any users. When I serialize a user who was in the group, I do see the group.

Any thoughts why we have the issue?

1
Have you seen this answer? - stackoverflow.com/questions/11553980/… (Wesley Lomax)
Also, this link goo.gl/A9D0MV is relevant to your question. In the past I have successfully used both mentioned approaches, and have tested that on my sandbox now as well: got a successfully serialised user. It looks like you've got problems somewhere else, i.e. in your configuration. (Martin Miles)
I have tried both options unsuccessfully; it may be due to the fact that I am using Active Directory and AD users are not stored in Sitecore? I will continue to look into this. (DanO)
@DanO What are you serializing? The roles or users (or both)? What type of access do you have to AD? Is it read-only or 2-way sync? (jammykam)
@jammykam, I serialized both the Role and the user to see what was in them. The Role did not have the users; the users did have the Role in them. It is only 1-way sync, we are only reading AD.... On a separate story, we originally wanted to use an AD Group (rather than a Sitecore group and add users to that) but had issues. (DanO)

1 Answer

3
votes

Unfortunately, the membership information is stored against the user and not the role (the same for roles within roles). In this instance, the membership information is stored against the AD user. You are storing that a user is a member of role x and not that role x contains member y.

This means that you would need to package up both the role and the corresponding users. I'm not sure how this would work using AD though, since you are essentially trying to sync back user-related data via Sitecore. I would ensure that your AD provider is not set as read-only in the connection string or its setup. Since you only have a one-way sync, there's no way to store that information back in AD and have it persist.

Personally, I would set up my roles differently to allow the management to be easier, but it depends on your exact requirements obviously:

  • Create a Sitecore role, and assign all your permissions and security against this role (sitecore\IHaveAccess)
  • Create a matching AD role (ad\IHaveAccess) and add this as a member of your Sitecore role
  • Add your AD users to your AD Group. They will gain the correct permissions through Role In Role. If you already have AD Groups set up, you can even simply add the existing Groups to the new Group.

Using this, at most you have to add your AD roles back into your Sitecore roles (this shouldn't be the case, since you added the AD roles as members of the Sitecore role, so the membership is stored in Sitecore). It also has the advantage that your users/roles/membership are centrally located within one system.
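The answer's point (membership is recorded on the user record, not on the role, and nested roles are resolved through roles-in-roles edges) can be shown with a small model. This is an added example, not code from the post above and not Sitecore's API; the stores, the user and role names beyond those in the question (ad\dk456, ad\dk567, ad\Editors, sitecore\Author) and the package layout are all constructed here to illustrate the reasoning. It shows why a role-only export carries no members, how a role's members are recovered by inverting the user-side index, and what has to travel to a second environment for the membership to reappear there.

```python
"""Model of membership stored on the user (not the role), as the answer
describes. Added example; not code from the original post or from Sitecore.
All sample data below is constructed; names follow the question."""
from collections import deque

# Constructed Dev store. Each user record names the roles the user is in;
# a role record carries no member list of its own.
DEV_USERS = {
    "ad\\dk123": {"sitecore\\IHaveAccess"},
    "ad\\dk234": {"sitecore\\IHaveAccess"},
    "ad\\dk345": {"sitecore\\IHaveAccess", "sitecore\\Author"},
    "ad\\dk456": {"ad\\IHaveAccess"},   # reaches the role only via the AD group
    "ad\\dk567": {"ad\\Editors"},       # via a group nested under the AD group
}

# Roles-in-roles edges (member role -> roles it belongs to), held in
# Sitecore. This is the layout the answer recommends: the AD group
# ad\IHaveAccess is itself a member of the Sitecore role sitecore\IHaveAccess.
DEV_ROLES_IN_ROLES = {
    "ad\\IHaveAccess": {"sitecore\\IHaveAccess"},
    "ad\\Editors": {"ad\\IHaveAccess"},
}


def serialize_role(role):
    """A role-only export: the name and nothing about who belongs to it,
    which is why the serialized role in the question showed no users."""
    return {"name": role}


def direct_members(role, users):
    """Invert the user-side index: users whose own record names `role`."""
    return {u for u, roles in users.items() if role in roles}


def member_roles(role, roles_in_roles):
    """Roles that are, directly or transitively, members of `role`."""
    children = {}
    for member, parents in roles_in_roles.items():
        for parent in parents:
            children.setdefault(parent, set()).add(member)
    seen, queue = set(), deque([role])
    while queue:
        for child in children.get(queue.popleft(), ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def effective_members(role, users, roles_in_roles):
    """Direct members plus everyone reached through roles-in-roles."""
    found = set(direct_members(role, users))
    for r in member_roles(role, roles_in_roles):
        found |= direct_members(r, users)
    return found


def export_role(role, users, roles_in_roles):
    """What a package must carry to reproduce membership elsewhere: the role,
    every user record that names it, and the roles-in-roles edges under it.
    Users that are only in AD groups are not exported; their group membership
    lives in AD, which (assumption) both environments read."""
    return {
        "role": serialize_role(role),
        "users": {u: sorted(users[u]) for u in direct_members(role, users)},
        "roles_in_roles": {r: sorted(roles_in_roles[r])
                           for r in member_roles(role, roles_in_roles)},
    }


def import_package(pkg, users, roles_in_roles):
    """Apply an export to a target environment's stores (mutates them).
    Returns the role name so the caller can check its membership afterwards."""
    for u, roles in pkg.get("users", {}).items():
        users.setdefault(u, set()).update(roles)
    for r, parents in pkg.get("roles_in_roles", {}).items():
        roles_in_roles.setdefault(r, set()).update(parents)
    return pkg["role"]["name"]


if __name__ == "__main__":
    role = "sitecore\\IHaveAccess"
    # Prod starts with only what AD provides (assumption: same AD as Dev).
    prod_users = {"ad\\dk456": {"ad\\IHaveAccess"}, "ad\\dk567": {"ad\\Editors"}}
    prod_rir = {}
    # Method 1 as the question did it: the role alone travels, no members.
    import_package({"role": serialize_role(role)}, prod_users, prod_rir)
    print("role only:", effective_members(role, prod_users, prod_rir))
    # Role plus the user records and the roles-in-roles edges.
    import_package(export_role(role, DEV_USERS, DEV_ROLES_IN_ROLES),
                   prod_users, prod_rir)
    print("with users:", sorted(effective_members(role, prod_users, prod_rir)))
```

In the model the three users who were added to sitecore\IHaveAccess directly must travel as user records, while ad\dk456 and ad\dk567 need nothing beyond the two roles-in-roles edges, because their group membership is read from AD on both sides. That is the practical difference between the two layouts the answer contrasts: with AD groups nested in the Sitecore role, the only Sitecore-held data to move is the role and its roles-in-roles edges.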