How to manage security with migrations between environments?
Hello,
We need some assistance in migrating security between environments, specifically security roles on artifacts (Discovers, Models, Presents, etc.).
We are using the "Migrate Content" option, and not the export/import method (although we tested with that as well.)
Our use case is this: We build a Discover in our dev environment (the source), then we want to migrate it to QA (the target). We then set up security in target and apply some roles to the Discover. After that we go back to source, make some adjustments to the Discover and remigrate to target. At this point, the security roles we originally set on the Discover in target are wiped out, and we need to redo the security again.
We have tried:
1. Setting up security in source and target exactly the same (same role names, same assignments to artifacts) but still in target they are wiped out with every re-migration.
2. Migrating with no roles applied in source. This removes all roles applied in target.
3. Removing roles in target, setting them in source and migrating. Still no roles applied in target.
4. Removing the artifact from target, setting security in source (same roles exist in target), and migrating, but still roles are removed in target.
With this behaviour we don't see a good way to deal with security during migrations. We have to re-apply all the security in target for every migration.
From our testing, we see this behaviour for roles on all artifacts (Discovers, Presents, Formulates, Models, Publications). And, even with Measure, Hierarchy and Member security in models.
This behaviour introduces a whole host of problems with migrations for us:
1. Migrations are now much more complicated and time intensive. For every artifact migrated we need to re-apply security to all artifacts in target. Imagine having to do this with >100 discovers. Migrations would take hours!
2. We need to keep some kind of external record for every role assignment to every artifact in our target environments, so we can re-apply after migrations.
3. If we miss even a single role assignment in target, we risk exposing the wrong data to the wrong group of people.
From this perspective, we are unsure what we are doing wrong, and how is it expected to handle security with migrations? We recently upgraded to the latest 2025 version (from the 2024 version), and we see exactly the same behaviour in both versions.
4 replies
-
Hello,
Thank you for the information. We'll have a look at the API to see if we can build something to help with security during migrations.
-
Hi
The API suite within Pyramid will definitely assist in managing migration activities.
On the area of security, and the exporting and importing of content:
When content is exported, its role-based security settings are exported with it. Upon import into a destination folder, the system calculates the applicable security as follows:
- Destination Folder Roles and Security: the roles and security applied to the destination folder of the import are evaluated from the target system.
- Source Content Roles and Security: the roles and security for the content items (and related content and folders) applied to the content from the source system at the time of export are evaluated from the PIE file.
- Role and Security intersection: the roles are matched between the source and target environments by name and the security to be applied is based upon permissions that both the source and destination roles have in common. This intersection of role/security is in place to follow the principle of least privilege on import.
Note: the more roles and content items you have, the more time this process will take.
Hope this helps.
Thanks,
Mark.
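An added illustration of the import rule described in the reply above, not code from the thread or from Pyramid: it predicts which roles survive an import and compares the result with an external record of what the target should have. The role names, permission names and dictionary layout are constructed, and it assumes a role is dropped when it is missing on either side or shares no permission.

```python
# Added example: models the name-matched role intersection described above.
# Role names, permission names and data layout are constructed placeholders,
# not Pyramid API objects.

def effective_security(source_content, dest_folder):
    """Return role -> permissions expected after import.

    Assumption: a role survives only if it exists by name on both the
    exported content and the destination folder, and it keeps only the
    permissions both sides have in common.
    """
    result = {}
    for role in source_content.keys() & dest_folder.keys():
        common = set(source_content[role]) & set(dest_folder[role])
        if common:
            result[role] = common
    return result

def audit_migration(source_content, dest_folder, intended):
    """List differences between the predicted result and the intended record."""
    predicted = effective_security(source_content, dest_folder)
    findings = []
    for role in sorted(intended.keys() | predicted.keys()):
        want = set(intended.get(role, ()))
        got = predicted.get(role, set())
        if want - got:
            findings.append((role, "missing", sorted(want - got)))
        if got - want:
            findings.append((role, "unexpected", sorted(got - want)))
    return findings

# Constructed sample: roles on a Discover in dev and on its QA folder.
SOURCE_DISCOVER = {
    "Finance Analysts": {"read", "write"},
    "Dev Team": {"read", "write", "manage"},
    "Sales Viewers": {"read"},
}
QA_FOLDER = {
    "Finance Analysts": {"read"},
    "QA Testers": {"read", "write"},
    "Sales Viewers": {"read", "write"},
}
# The external record of what QA is supposed to end up with.
INTENDED_QA = {
    "Finance Analysts": {"read"},
    "QA Testers": {"read"},
    "Sales Viewers": {"read"},
}

if __name__ == "__main__":
    for finding in audit_migration(SOURCE_DISCOVER, QA_FOLDER, INTENDED_QA):
        print(finding)
```

A "missing" finding means the role has to be added in source before migrating; an "unexpected" finding is the case where content would be visible to a group that should not see it.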
-
Hello Mark,
Thank you! This makes much more sense. And, I was able to recreate this with our migrations, and it does simplify the process overall.
But, I still have some questions and assumptions to confirm.
1. How does this work with the member and measure security for a Model? Does it take the intersection of the roles of the folder + Model object + Measure/Member roles? We assume it does.
2. How does this work with parent folders?
- We assume that for content (Discovers, Presents, etc.), it only considers the intersection between the content object and its direct parent folder. It does not include the roles for any folders above that.
- We assume then that if migrating an entire folder (with content) that the folder will also take an intersection of roles from the parent folder. But, the content in that folder will still retain all the roles from source. Or, does it propagate down to the content automatically? E.g., if the parent folder is missing a role, the migrated folder will also lose that role in the target; will that role be removed from the content as well?