Hi,
To enable us developers, apply correct role assignment to IAM 'User Groups' from SF via 'Default User Groups'. Default User Groups from Software Factory should be used as a template for related applications' User Groups in IAM.
New changes from 'Default User Groups' should always apply and overwrite every time US developers 'Sync To IAM.'
We were informed that "if you want to un-grant access of existing roles, you need to change it within the IAM as the Default user group will not overrule (and thus not un-grant) the existing role assignment" , in our recent ticket in TCP.
Every deployments from SF to different environments or If we need to apply corrections for non development environments, We sync to IAM:
* After creation once the an environment is upgraded with the new objects from SF
* We do a 'Sync to IAM' for the rights changes in the 'Roles' and 'Default User Groups' from the main branch
* After 'Sync to IAM' from SF, I press the 'Apply Default Authorization' in IAM for the synced 'Default User Groups(SF)' to apply on 'User Groups(IAM)'
* Then the 'User Groups' from IAM should mirror the 'Default User Groups' from SF regardless of if a user group is just new or old, and SF User Group is the main template
This should be the case so that, It is faster to remove/add roles from a user group if changes were introduced by the users.
and the default user groups changes is always kept in every creation of a branch of a model and is no need to manually change the role assignments from User Groups in IAM every time we have a deployment.
We have scenarios where:
If the Admin gets a complain that a User is missing Roles then a Custom IAM user group can be created to attach on the related problematic user(s). A ticket to update the defaults in case it is for everyone on the same Default User group should be raised to do so in SF.
If the Admin/Manager sees a User having more permissions than expected a temporary removal from the Default User Group can be made. A ticket to update the defaults in case it is for everyone on the same default User group should be raised to do so in SF or add an extra default User group to cater for this scenario of Users.
Regards,
Jeff
