We are trying to bulk import users to enterprise roles using the .csv import 'Upload Role Association' feature on Identity Repository > Roles page. PFA Role_User_Association_Import_TEST_1.csv for the CSV file used in this import, and Role-Entitlement Association.png for the role-to-entitlement mapping for the role on which user is attempted to be mapped in bulk.
On import, the tasks for 'Add Access' to the entitlements underlying the role (and 'New Account' task in case user does not have account for the particular endpoint to which the entitlements are associated), are not getting generated. As a result of this issue, users in the CSV file are not getting mapped to the underlying entitlements (PFA User_Not_Mapped_To_Underlying_Entitlement.png), but they are getting mapped to the role directly, as they are displayed in the 'Users' tab inside the said role (PFA User_Mapped_To_Role.png).
When we do manual 'Add User' on the same enterprise role, it is working fine, with creation of tasks for mapping of entitlements to the user accounts executed first, and only on completion of all those tasks, the user is getting mapped to the role. However, as explained above, this flow does not work on the bulk csv import process in our environment.
What type of role are you uploading through CSV? If it's an application role, follow the process below:
Do not associate roles to users using CSV, which will not retrofit the roles and so will not add the assignedfromrole and assignedfromroles columns in account_entitlements1.
Instead of that, use bulk upload option using below steps.
1. Navigate to Request Home --> Request Access for Others - Multi Users --> Actions --> Bulk Upload Request.
2. Browse and attach the Excel file.
3. Select "What type of request do you want to upload?" : Access
4. Click Run Now.
Note: I have attached the sample file here, update with your details and don't change the format while saving.
@ReshamDas, Enterprise role assignment is not supported using the above-mentioned approach.
Can you try with addrole API:
I tried the process 'Request Access for Others - Multi User' feature for role request as per steps mentioned in the documentation here (Section: Procedure for Requesting for Access or Roles). PFA the .xls file containing the user-role mapping data that was uploaded, and the Bulk_Request_Final_Step_Message.png file that shows the message I am getting after upload.
However, the user-to-role map data uploaded in this .xls file neither gets reflected in the Roles page, nor are any tasks created for underlying entitlement mapping for these users.
@ReshamDas looks like the xls file you have used is incorrect. Can you please try with the attached format?
Also, please make sure you have attached the workflow (preferably the auto approval workflow) under Global configurations > Request > Bulk > Auto Approve Workflow for Multiuser request upload.
Thank you for the solution provided. The auto approval workflow on Global configurations > Request > Bulk > Auto Approve Workflow for Multiuser request upload was not enabled, hence the tasks were not getting created post Excel upload from ARS Multi User Access Request page.
Once I enabled it from Global Configuration, it worked perfectly, triggering entitlement add tasks, completing which added the user to the role.
Thank you @rushikeshvartak for confirming that user-to-role association does not work properly from the Admin (Roles) page on bulk csv import. As per guidance of Naveen, I have been able to achieve the goal using ARS Multi User File Upload.
Please refer to my comment in the post below...
With the "upload Role Associations" functionality, tasks are getting created as expected (tasks with the status "No Action Required" in case the entitlements in the role are already assigned to an account). The 'AssignedFromRoles' column in the 'account_entitlements1' table is also populated with the respective role keys... You can also find a sample .csv file in my response as well...
Are you facing any challenges specifically if the 'accountkey' is not populated in the 'role_user_account' table? I tested removing a role and 'remove access' tasks are also being created as expected for all the entitlements in the role.
I attempted to import the role-user association data through "Upload Role Associations" with the attached csv file, in line with the sample file you shared in your comment.
However, even after importing it, the tasks for entitlement add were not created in 'Pending Tasks' or 'Completed Tasks'. Just the user got mapped to the role.
Yes, the user already had accounts in each endpoint prior to uploading the roles. PFA Bulk_User_Role_Association_User_Accounts.png that displays all the roles this REST_Test_1 user has currently. However, PFA Bulk_User_Role_Association_User_Account_Entitlements.png that shows that none of these accounts are mapped to the corresponding entitlements that were mentioned and uploaded through the attached .csv file (PFA Role_User_Association_import_TEST_3.csv).