Merge Realm Roles

Question

We have multiple Realm roles created for our data domains in the below fashion

Data Domain 1
- Realm Role - Data Owner
- Realm Role - Data Steward
Data Domain 2
- Realm Role - Data Owner
- Realm Role - Data Steward

How can I merge Data Domain 1 and Data Domain 2 into one single New Domain and merge the corresponding Realm Roles?

I.e.

Data Domain 1
- Realm Role - Data Owner
- Realm Role - Data Steward = New Data Domain
Data Domain 2 New Realm Role - Data Owner
- Realm Role - Data Owner New Realm Role - Data Steward
- Realm Role - Data Steward

Lisa Kovalskaia · Accepted Answer

​@Raja KoushikThank you for the feedback! There’s another option you might consider. If you create a new Ataccama Group and makeboth Data Domain 1 and Data Domain 2 Groups its children, and map your existing domains’ realm roles to this new parent Group, then thanks to the oversight mechanism members of the new parent Group will have access to anything shared with either of the child Groups. In this case, there’s no need to reshare anything or switch stewardship. End users will continue using the twoData Domain Groups to share and assign ownership, whilethe new ‘metadomain” Group will provide cross-domain visibility.This option simplifies the merge, but of course the Groups hierarchy needs to matchthe way your organization will think about the data domainsand the relationships between them. A “soft merge” is a good ideaif reflects the business transformation you’re going through.I’m sure there’s space to explore the use case further from the product design perspective. You’re very welcome to share your use case and suggestionson the dedicated Community sectionhttps://community.ataccama.com/ideas. Thank you!

Lisa Kovalskaia · Answer

​@Raja Koushikhi, here’s how I’d go about it:Create new realm roles in KeycloakAssign users with the new domain roles. Do not remove existing realm roles from users so that they continue to work with the Ataccama app with their existing roles. If you have a large number of users you might consider using Keycloak APIs i.e.POST /admin/realms/{realm}/groups/{group-id}/role-mappings/realmCreate new Group in Ataccama, map new realm roles to Governance Roles within the group.Filter out assets that have Stewardship assigned to one of the pre-existing domain Groups, and reassign Stewardship to the new Group. You can use mass actions in Ataccama to do that.Reshare all relevant assets from the pre-existing domain Groups to the new Group. You can manage sharing via mass actions too.Check monitoring project notification settings and remap them to new Group or realm rolesas needed.If you have any custom metadata properties that reference Groups, you’d need to export relevant assets and update this propertyvia a ONE Desktop plan (or manually).Now remove the obsolete realm roles from users in Keycloak.I would keep the obsolete Groups in Ataccama Global Settings, and keep their realm roles mappings. Groups could be renamed for clarity and a description can be added to point to the new domain Group that replaced them.It may be useful in case they were mentioned somewhere in comments, tasks. I can also imagine some edge cases might emerge later and it would be back to have an easy way to refer/revert back.Does this make sense? If you have any additional questions or concerns regarding your specific setup, please let me know!

Sign up

Login to the Ataccama Community

Scanning file for viruses.

This file cannot be downloaded