Changing Role name in SF requires re-assigning to User Groups in IAM - this could be easier

Related products: Intelligent Application Manager

Every time we change a role name in SF, we need to assign it to User Groups again in IAM. Probably because User Group <> Role matching is done based on their names instead of unique IDs?

This brings a risk of forgetting to re-assign it completely to all relevant User Groups. Renaming Roles should not require re-assigning at all in my opinion.

Hi @Suleyman ,

We are using the default User groups and we sort it out from SF itself before we deploy to any other env.

We did this because, like the issues you are facing, someone might forget or miss the release notes, renamings of roles, etc.

So each deployment we simply “Apply Default Authorization” in IAM and that is it. Users have the same Default User group already assigned to them, so if a role is renamed it is considered as added in IAM.

We have carefully fine-grained the Roles and User groups, so if anything additional would be needed it can be done by the Support team and communicated to include it in the next release if it affects all users in the particular User group.

Hope this was useful to you.


Hi,

In addition to the above reply, to IAM it currently looks like the old role has been deleted and a new role has been created. They happen to have the same rights but it is not possible to detect that at the moment.

There is no unique identity assigned to Roles, as well as pretty much all other entities in the SF and IAM. We do plan to look into introducing identity values to replace the current semantic keys in the future, which will also allow users to rename objects without it actually being an insert (with new name) and delete (of old name).


@Mark Jongeling how about applying Data Migration-like logic here that identifies Renamed roles versus New/Removed ones? Similar to how Table & Column renames are handled in Data Migration at the moment.

@mperrott thanks for sharing that Default User Groups works for you! We did give it a try after the initial introduction, but back then it didn’t work for us, given the way we had setup multiple Applications on a single Database. We abandoned that setup, but never looked at Default User Groups again. We’ll make sure to revisit them!

Nevertheless, the Idea is still valuable I’d say.


@Arie V,

There's a way to do it, but it requires a lot of additional work that would be obsolete once we decide to move from semantic keys to identity values. Data migration works a bit in a special way, because the moment you rename a table or column, the data migration gets updated immediately. With Roles and IAM, that is not the case.

When synchronizing model data from the SF to IAM, there's no mapping of old key values to new key values taking place. Using data migration for this is not an option. It would most likely require an additional "old_value" column of some sort to make it work. It's just not feasible at the moment. (Just a quick thought)

The amount of time and effort it would cost to reconnect renamed roles vs reconnecting it manually is not worth the effort. I'm more advocating for the identity value solution.
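
Added example, not part of the thread and not Thinkwise code: a post-deployment audit that compares role-to-User-Group assignments from before and after a name-keyed sync and lists the User Groups that lost a role, treating an added role with an identical rights set as a probable rename. The dictionaries, role names and rights strings are constructed sample data; how they are exported from SF or IAM is an assumption left to the reader.

```python
"""Audit sketch: find User Group assignments dropped when a role is renamed."""

def find_dropped_assignments(old_roles, new_roles, old_assign, new_assign):
    """old_roles/new_roles: role name -> frozenset of rights.
    old_assign/new_assign: user group -> set of role names."""
    removed = set(old_roles) - set(new_roles)
    added = set(new_roles) - set(old_roles)
    findings = []
    for old_name in sorted(removed):
        # Heuristic only: with name-based keys a rename shows up as delete + insert,
        # so an added role with the same rights is a *probable* rename, not proof.
        candidates = sorted(n for n in added if new_roles[n] == old_roles[old_name])
        for group in sorted(g for g, r in old_assign.items() if old_name in r):
            current = new_assign.get(group, set())
            if any(c in current for c in candidates):
                status = "ok"            # group already holds the renamed role
            elif candidates:
                status = "reassign"      # renamed role exists, assignment was lost
            else:
                status = "role_removed"  # no equivalent role, review manually
            findings.append({"user_group": group, "old_role": old_name,
                             "probable_rename": candidates, "status": status})
    return findings

# Constructed sample data (not real Thinkwise output).
OLD_ROLES = {"order_entry": frozenset({"order:read", "order:write"}),
             "reporting": frozenset({"report:read"}),
             "legacy_export": frozenset({"export:run"})}
NEW_ROLES = {"sales_order_entry": frozenset({"order:read", "order:write"}),
             "reporting": frozenset({"report:read"})}
OLD_ASSIGN = {"Sales": {"order_entry", "reporting"},
              "Support": {"order_entry"},
              "Finance": {"legacy_export", "reporting"}}
NEW_ASSIGN = {"Sales": {"sales_order_entry", "reporting"},
              "Support": set(),
              "Finance": {"reporting"}}

if __name__ == "__main__":
    for f in find_dropped_assignments(OLD_ROLES, NEW_ROLES, OLD_ASSIGN, NEW_ASSIGN):
        print(f"{f['status']:<13} {f['user_group']:<8} {f['old_role']} -> "
              f"{', '.join(f['probable_rename']) or '(none)'}")
```

Two roles with identical rights both appear as candidates, so a "reassign" finding still needs a human to confirm which role the group should hold.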