those are the same thing.
Agreed. But I would like to, say as BLAdmin:BLAdmins set the execution override to Bill:SuperCoolRole. I have found no method to do this except as the user:role that you would like the override to run as.
My use case: Using AO configured with an adapter that has credentials in the BLAdmins role (local user mapping), execute a job as a DBA role (Automation Principle) that has network access.
While this seems pretty straight forward, have someone in the role click execution override and never touch it again, we have been "bitten" by cases where the job had been changed and lost this attribute. Another possible solution was to run another instance of the adapter with alternate credentials, however we have to add a server (or pair for redundancy) for each that we add as you can only leverage one set of credentials on a server because all adapters get the credentials of the last adapter that established credentials.
Does that make sense?
being able to set the execution override to some role that is not you is a security issue.
can you put the BLAdmin or other user in the role(s) you want to set exo as, switch to that role (Utility.assumeRole) and then set the exo ?
That is an excellent idea that I had not considered. I figured that it was a security concern to apply this to a role that you were not a member of, but had not taken this a step further and looked at Utility.assumeRole. This should work, however this will take me a bit of time to test. I'll try to post results within a week.
Thanks, Bill for the push in the right direction. The Utility.assumeRole method worked for me. Here are a few notes that I will provide in case anyone else ever has a similar use case from Atrium Orchestrator.
For BLCLI commands, I added a <user-role> element to <bladelogic-request> (In this case for WindowsAdmins) as follows:
<command terminate-on-exit="false" timeout-secs="36000" executable-type="cli"><![CDATA[Server listAllServers]]></command>
For NSH commands, this was implemented a bit differently using chrole as follows:
<command terminate-on-exit="false" timeout-secs="15" executable-type="nsh">
<command script-directory=""><![CDATA[chrole WindowsAdmins]]></command>
<command terminate-on-exit="false" timeout-secs="36000" executable-type="nsh">
<command script-directory=""><![CDATA[agentinfo server000001]]></command>
One additional thing that I noted when configuring the adapter to leverage a user with multiple roles was that I had to add an environment variable to the startup (Linux server.sh) script so that the initial adapter credential acquisition would complete without errors as follows:
# BLADELOGIC MULTIPLE ROLES
Thanks again for the information, Bill!!!