Merge Realm Roles

​@Raja Koushik hi, here’s how I’d go about it:

1. Create new realm roles in Keycloak
2. Assign users with the new domain roles. Do not remove existing realm roles from users so that they continue to work with the Ataccama app with their existing roles. If you have a large number of users you might consider using Keycloak APIs i.e. POST /admin/realms/{realm}/groups/{group-id}/role-mappings/realm
3. Create new Group in Ataccama, map new realm roles to Governance Roles within the group.
4. Filter out assets that have Stewardship assigned to one of the pre-existing domain Groups, and reassign Stewardship to the new Group. You can use mass actions in Ataccama to do that.
5. Reshare all relevant assets from the pre-existing domain Groups to the new Group. You can manage sharing via mass actions too.
6. Check monitoring project notification settings and remap them to new Group or realm roles as needed. 
7. If you have any custom metadata properties that reference Groups, you’d need to export relevant assets and update this property via a ONE Desktop plan (or manually).
8.  Now remove the obsolete realm roles from users in Keycloak.
9. I would keep the obsolete Groups in Ataccama Global Settings, and keep their realm roles mappings. Groups could be renamed for clarity and a description can be added to point to the new domain Group that replaced them. It may be useful in case they were mentioned somewhere in comments, tasks. I can also imagine some edge cases might emerge later and it would be back to have an easy way to refer/revert back.

Does this make sense? If you have any additional questions or concerns regarding your specific setup, please let me know!

Hi ​@Lisa Kovalskaia , thank you so much for sharing the detailed steps, I was thinking in the same direction but wanted to see if there was an easier way to do it. Perhaps food for thought for ​@Ataccama.

​@Cansu - This is probably a feature Ataccama can consider in the future.

Thanks

Raja

​@Raja Koushik Thank you for the feedback! There’s another option you might consider. If you create a new Ataccama Group and make both Data Domain 1 and Data Domain 2 Groups its children, and map your existing domains’ realm roles to this new parent Group, then thanks to the oversight mechanism members of the new parent Group will have access to anything shared with either of the child Groups. In this case, there’s no need to reshare anything or switch stewardship. End users will continue using the two Data Domain Groups to share and assign ownership, while the new ‘metadomain”  Group will provide cross-domain visibility.

This option simplifies the merge, but of course the Groups hierarchy needs to match the way your organization will think about the data domains and the relationships between them. A “soft merge” is a good idea if reflects the business transformation you’re going through.

I’m sure there’s space to explore the use case further from the product design perspective. You’re very welcome to share your use case and suggestions on the dedicated Community section https://community.ataccama.com/ideas. Thank you!