What is best way to export and import security permissions across environments?

Question

We have large number of publications and currently we manually apply the CMS permissions across multiple environments (UAT and PROD mainly). This is tedious and often times error prone.

We are trying to export and import the CMS permissions across multiple environments, so this could be done once manually and ported to other environments using some sort of tool.

Environment: Tridion 2011 SP1 + IIS 7.5 + SQL Server 2008 r2

In Old PowerTools (VBScript) there used to be some tool to manage Access management which could be handy, still error prone. We are not interested to use the OLD powertools for obvious reasons and it is recurring operation function so DB option is ruled out as well.

We are considering to build a tool using Core Service, that could export and Import the permissions. We have the same Groups, Publications and Folder structure across these environments.

Has anyone tried this before? What are the experiences or practices that other fellow Tridioneers used in large implementations.?

Any view points are greatly appreciated.

Answer 1

I created a security migration tool in Tridion 5.2 but the solution approach will still apply to current versions of Tridion

Summary

The solution used a set of simple vbscript export page templates to extract the security information as xml and store it in a set of components.

I then used Tridion Content Porter to move these security components, page templates and tbbs's to the target CMS's

Using set of simple import page templates to open the security xml components to apply the security setting to the target cms.

The tcmid's will be different in the target cms so the import functions must use webdav urls and build dictionaries of tcmid's for trustees etc

Details

Export Security Groups

• iterate selected Groups

• append group xml

• save xml in component

Export Publication Rights

• getlistpublications

• iterate list of publications

• get each publication xml

• remove "//tcm:CategoriesXSD" node

• appendChild publication xml

• remove unwanted "//tcm:Trustee" nodes

• save xml in component

Export Folder Permissions

• recursively iterate folders

• append Folder XML

• remove trustee nodes that are inherited ("IsInheritanceRoot")

• save xml in component

Export Structure Group Permissions

• recursively iterate Structure groups

• append structure group XML

• remove metadata node "//tcm:Metadata"

• filter out unwanted Trustees

• save xml in component

Import Security Groups

• load xml from security component

• iterate group nodes

• create groups if they don't already exist

Import Publication rights

• load xml from security component

• update xml tcmid's

• iterate publications

• load publication xml

• build xml updategram

• update publication xml

Import Folder Permissions

• load xml from security component

• update xml tcmid's

• for each folder node

• build updategram xml

• open folder

• update folder xml

Import Structure Group Permissions

• load xml from security component

• update xml tcmid's

• for each structure group node

• build updategram xml

• open structure group

• update structure group

Answer 2

I once wrote a tool that allowed you to describe your desired permissions settings as JSON, and apply them via the API. To be honest, if you were to write a DTAP-security tool, I'd follow a similar approach. Start by being able to express your desired settings in an open, text-based format, then write a tool that imports them. Once you have this, you can easily build a tool that exports them.