For some time now, I have been trying to prevent users (mainly the people running tests) from making accidental changes to objects in TEST instances, where this shouldn't happen.
So, the plan is very simple. Create a SysAdminNODev security role that has all the rights of SysAdmin, just without the Dev part, since the DEV privilege is hardcoded into the SysAdmin role, and only into it. To do this, create a new security role from System administration -> Setup -> Security -> Security roles. Name it as you want; I prefer SysAdminNODev. Then run this job.
It will do the following:
a) add all the roles as SubRoles to your newly created role and;
b) add all the users to it (exclude yourself);
c) optionally, if all the users already have the SysAdmin role assigned, remove it from them.
    static void assignAllRolesAsSubRoles(Args _args)
    {
        SecurityUserRole userRole;
        SecuritySubRole  subRole;
        SecurityRole     role;
        RecId            customRecId;
        RecId            adminRecId;

        ttsBegin;

        // Look up the new role by its AOT name (change the literal if you named it differently)
        select firstonly role
            where role.AotName == 'SysAdminNoDEV';
        if (role.RecId == 0)
        {
            throw error("Your role is not defined");
        }
        else
        {
            customRecId = role.RecId;
            info(strFmt('%1', role.RecId));
        }

        // Look up the built-in System administrator role
        select firstonly role
            where role.AotName == '-SYSADMIN-';
        if (role.RecId == 0)
        {
            throw error("Admin role is not defined");
        }
        else
        {
            adminRecId = role.RecId;
        }

        // a) add every role except SysAdmin and the new role itself as a sub role of the new role
        while select role
            where role.RecId != adminRecId &&
                  role.RecId != customRecId
        {
            subRole.clear();
            subRole.SecurityRole    = customRecId;
            subRole.SecuritySubRole = role.RecId;
            subRole.insert();
        }

        // b) + c) move every SysAdmin assignment, except your own user id, to the new role
        while select forupdate userRole
            where userRole.User != 'Iuly' &&
                  userRole.SecurityRole == adminRecId
        {
            userRole.SecurityRole = customRecId;
            userRole.update();
        }

        ttsCommit;
    }
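To confirm the lock-down took effect, a read-only check can be run after the job. This is an added example, not part of the original post: the job name verifySysAdminNoDevRole is hypothetical, and it uses only the tables, fields and role AOT names that appear in the job above.

```xpp
static void verifySysAdminNoDevRole(Args _args)
{
    SecurityRole     role;
    SecurityRole     customRole;
    SecurityRole     adminRole;
    SecuritySubRole  subRole;
    SecurityUserRole userRole;

    // Same AOT names as in the job above (assumption: you kept them unchanged)
    select firstonly customRole
        where customRole.AotName == 'SysAdminNoDEV';
    select firstonly adminRole
        where adminRole.AotName == '-SYSADMIN-';

    if (!customRole.RecId || !adminRole.RecId)
    {
        throw error("Custom role or admin role is not defined");
    }

    // Roles that should be sub roles of the custom role but are not linked yet
    while select role
        where role.RecId != adminRole.RecId
           && role.RecId != customRole.RecId
        notexists join subRole
            where subRole.SecurityRole    == customRole.RecId
               && subRole.SecuritySubRole == role.RecId
    {
        warning(strFmt("Role %1 is not a sub role of %2", role.AotName, customRole.AotName));
    }

    // Users that still hold the real SysAdmin role, and with it the DEV privilege
    while select userRole
        where userRole.SecurityRole == adminRole.RecId
    {
        warning(strFmt("User %1 still has -SYSADMIN-", userRole.User));
    }

    // Totals, for comparison with what you expect in this TEST instance
    select count(RecId) from subRole
        where subRole.SecurityRole == customRole.RecId;
    select count(RecId) from userRole
        where userRole.SecurityRole == customRole.RecId;
    info(strFmt("%1 sub roles and %2 users on %3",
        subRole.RecId, userRole.RecId, customRole.AotName));
}
```

The only -SYSADMIN- warning you should see is for the user id you excluded in the job.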