Service Desk Practitioners Forum
cancel
Showing results for 
Search instead for 
Did you mean: 

Importing Role/Folder Item Access

Highlighted
Gavin Bromfield
Acclaimed Contributor

Importing Role/Folder Item Access

Hi,

We need to define approximately 1000 roles and 1000 folders within Service Desk and then grant access to certain items for specific role/folder combinations. We would like to automate this process as far as possible avoid data entry errors and streamline future update efforts.

We have imported role and folder definitions using a standard data exchange task, but now need to define item access.

For example:
Role1 must have full access to incidents in folder1,
Role2 must have full access to incidents in folder2,
Role3 must have... etc

I have been exploring two possibilities:

1. Create a base role/folder item access definition within Service Desk, perform an ACES export for that definition, then use a script to modify/append to the .xml file to automatically create the definitions for the other role/folder definitions.
It would however appear as though Service Desk assigns OID's for each Role/Folder/Item Access definition which, for obvious reasons, cannot be scripted externally (see attached document). Does any one have any experience with this?

2. Use a Data Exchange task
I have created an import mapping using the Service Desk â Item Accessâ type (see attached document) to map to my external class. I am only attempting to import very basic Item Access permissions as a proof of concept â but this process is not working s expected.
I have 7 roles and 7 corresponding folders defined within SD. I have an access database with three columns: ROLENAME, FOLDERNAME and ITEM (sample data in attached document). The intent being I want to associate a role/folder combination with a certain item. I created the field mappings as shown in the attached document.

The data exchange task runs without any errors, but the resulting log file contains an â Error converting data type nvarchar to numericâ error for each record as shown in the attached document (the data extraction to XML works fine).

I have also tried using field value mappings for all of the fields in question (see example in attached file) but with the same results.

Any ideas, thoughts, comments in this regard would be hugely appreciated!

Thanks!
7 REPLIES
FRANS_5
Collector

Re: Importing Role/Folder Item Access

Never tried this, but the following should work:
Create the #roles you need by copy & paste in the admin console. Don't bother with the Roles' properties, it's only for the OID.
Next, export the Roles using ACES.
Modify the XML to the desired properties for each role (including its name!).
Import the XML, replacing the existing Roles.

Note: both roles and folders put a strain on the system. The numbers mentioned (1000/1000) are way beyond recommended maximums and will likely cause severe performance degradation.

Good luck,
Frans
The early worm gets the bird.
Jan Pavelka
Occasional Visitor

Re: Importing Role/Folder Item Access

Hi Gavin,

please be aware that this number of folders can significantly slow down your SD performance. For each action SD must check access rights and it takes time.

I have no personal experiance with this but it is well known and discussed issue (see other threads in this forum).

I would recommend to re-design your SD implementation (if it is possible) and try to define access rights in different manner.
To maintain the folders is very boring and time-consuming work even if you have only 20 folders.

HTH
Jan
Gavin Bromfield
Acclaimed Contributor

Re: Importing Role/Folder Item Access

Hey Frans,

Thanks for the response!

I have already used a data exchange process to create the role I wanted (including role defaults). hence no need for a 'copy/paste' workaround.

What I am trying to automate is assigning rights for RoleX to Incidents that are in FolderY.

Thanks for the heads up on folder numbers though. Do you perhaps know where I can get more info regarding 'recommended maximums' and more details around performance penalties?

Thanks a ton!
Gavin Bromfield
Acclaimed Contributor

Re: Importing Role/Folder Item Access

Hey Jan,

Thanks for the advice around the use of folders. We unfortunately do not have an option in this regard due to the number of sites we are supporting.

So far initial tests have brought a performance impact to fore, but tweaks to the JVM memory allocation settings have (for the most part) resolved these issues.

I totally agree with you - maintaining folders is boring, but it is also time consuming and error prone - that is why we are trying to automate the creation and maintenance thereof.

Gavin.
Robert S. Falko
Honored Contributor

Re: Importing Role/Folder Item Access

I think you always have an option to use folders or not. The key is more likely to be in the diversity of roles, which in turn will determine the templates, forms and views that are available. In particular, you should be able to simulate the effects of folders by filtering in your views.

Granted, using folders might be the most elegant solution in many cases. However, you need to test quite rapidly if the number of folders you propose will really bring peformance to a crawl.

-Josh
Gavin Bromfield
Acclaimed Contributor

Re: Importing Role/Folder Item Access

For those interested: This can be achieved using a data exchange task. The trick is to use the Migration account for this task, and ensure that Folder, Role and Item properties have the 'This field is used for key binding' checkbox checked.
Gavin Bromfield
Acclaimed Contributor

Re: Importing Role/Folder Item Access

For those interested: This can be achieved using a data exchange task. The trick is to use the Migration account for this task, and ensure that Folder, Role and Item properties have the 'This field is used for key binding' checkbox checked.
//Add this to "OnDomLoad" event