Migration to persona-based role mechanism FAQs¶
This FAQ covers migration to the persona-based role mechanism in version 1.70.2 and higher.
To learn more about this role mechanism, best practices, and guidelines, see Lightrun Role Management Overview.
General¶
Will the new role mechanism be applied when upgrading to version 1.70.2?¶
Yes. The new role mechanism is automatically applied:
- SaaS deployments: From version 1.70.2 and higher.
- Single-tenant and on-premise deployments: After upgrading to version 1.70.2.
Where can I find items in the updated Identity and Access section?¶
With the introduction of the new role mechanism in version 1.70.2, several items in the Identity and Access section in the Lightrun Management Portal have been reorganized for clarity.
| Previous location (before 1.69) | New location (from 1.70.2) |
|---|---|
Permissions & Access page | Obsolete |
Permissions & Access > Groups tab | Access Groups (new page) |
Permissions & Access > Temp Access tab | Temporary Access (new page) |
Permission & Access > Roles tab | Obsolete. Roles are assigned on the user level. |
How are legacy roles and permissions migrated?¶
All existing users are automatically migrated to the new roles according to the following mapping:
| Legacy role/permission | New role | Notes |
|---|---|---|
default_user | Developer | No change. |
manager_role | Company Admin | |
account_manager | Company Admin | |
Lightrun Admin (On-prem) | Root Admin | No longer displayed in the UI. |
Standard role | Developer | Group admins also receive Group Admin. |
Privileged role | Developer | Allow users to ignore quota checkbox automatically enabled in the User details dialog. |
Ignore Quota permission | Allow users to ignore quote | - In non-RBAC environments: Moved to User details dialog. Enabled by default. - In RBAC environments: Moved to Access group dialog. |
How are manager_role and System Admin users mapped?¶
Both manager_role and System Admin users are mapped to the new Company Admin role.
Permissions and capabilities remain unchanged.
Will any environments experience breaking changes?¶
Breaking changes occur only if SCIM with RBAC is enabled and Privileged users exist in Standard groups:
- New groups may be created.
- Group admin assignments may be updated during migration.
Will legacy REST API automations break due to role name changes?¶
No. Legacy REST API automations will not break.
Role names are updated with new role names to align with the new UI and terminology.
RBAC-related¶
These questions apply only if your environment uses RBAC.
To learn more about how the new role mechanism works in an RBAC environment, see Roles in the RBAC environment.
How are Standard role mapped in the new mechanism?¶
Standard roleusers become Developers.- If a user was a
group admin, they now also receive theGroup Adminrole. - Developers now have permission to view the group page and see their group admins.
How are Group admins handled in the new mechanism?¶
Users who were previously assigned as group admins will now receive the Group Admin role.
Example:
A user with the Developer role who was also a group admin in at least one group will now have two roles: Developer and Group Admin.
What is the status of the Privileged and Standard roles?¶
- These roles are no longer used in the persona-based role mechanism.
- The only difference between them was the ability to allow users to ignore quotas.
- In the new role mechanism, this capability is represented by the
Allow users to ignore quotascheckbox. - Users who previously inherited the
Privilegedrole through group membership in the legacy role mechanism are automatically assigned to a group with theAllow users to ignore quotascheckbox selected.