[DOCS-10005] OM 3.4 importing users/roles Created: 17/Mar/17  Updated: 03/Aug/17  Resolved: 02/Aug/17

Status: Closed
Project: Documentation
Component/s: Ops Manager
Affects Version/s: ops-manager-3.4
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Annette Morrissey (Inactive) Assignee: Anthony Sansone (Inactive)
Resolution: Done Votes: 0
Labels: docs-cloudmgr-opsmgr-security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 6 years, 30 weeks, 6 days ago
Story Points: 0.3

 Description   

Can we clarify in the docs that existing roles/users are not overwritten by newly imported deployments if Sync = Yes and Enforce Consistent Set = No.

From the docs:
https://docs.opsmanager.mongodb.com/current/tutorial/add-monitored-deployment-to-automation/#imports-mongodb-users-and-roles

If the Enforce Consistent Set value for the Ops Manager group is No, non-imported users and roles are not managed by Ops Manager group but remain in the MongoDB deployment. To manage these users and roles, you must connect directly to the MongoDB deployment.

The question was raised by a customer - when adding a deployment for automation are duplicate roles overwritten by the new deployment.

The answer is no, the roles are not overwritten. Can we make that explicit in the docs?



 Comments   
Comment by Dennis Kuczynski [ 13/Jul/17 ]

annette.morrissey Yes, whatever ends up in the AutomationConfig auth.usersWanted and roles structures should be reflected by any managed automation processes.

I may have just misunderstood the intent of the docs change.

tony.sansone By "All non-imported and existing users and roles remain int he MongoDB deployment." Do you just mean that all non-imported users are left alone and that conflicting users will match what ends up in the automation config?

Comment by Annette Morrissey (Inactive) [ 13/Jul/17 ]

Hi Dennis /tony.sansone

This arose from one of the customers questions on the case

when I import the next cluster and Ops Manager sees that , for example, the infoAppAccount role exists and has Synced = Yes and also exists in the imported deployment, will it drop and recreate the role, causing all accounts to loose their grants on the role?

Myself and barry.mcconville worked on the case. Our understanding was that users in the "usersWanted" list would be maintained, not overwritten. Is this incorrect?

Thanks
Annette

Comment by Dennis Kuczynski [ 16/Jun/17 ]

I just confirmed. If a user or role exists in the automation config, (Sync Yes) – the automation agent should adjust the users and roles on the mongods to match the value in the automation config. So duplicates should be overwritten.

annette.morrissey what was observed in that support ticket?

Comment by Dennis Kuczynski [ 16/Jun/17 ]

tony.sansone and annette.morrissey This sounds like a bug. If a User or Role is set to Sync it should reflect the value in the automation configuration. Let me check the current behavior.

Generated at Thu Feb 08 07:59:37 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.