How catalog determines the role for a user

Document ID : KB000093158
Last Modified Date : 26/04/2018
Question:
 Is there a way for us to extract a list of users and their roles in Service Catalog?
Environment:
Service Catalog 12.9, 14.1 and 17.1 
Answer:
There is no direct way or tool to extract a list of users and their corresponding roles in the catalog system. But here is how catalog authenticates a user and determines her/his role in catalog:

1. Catalog first checks whether this user exists in the ca_contact table in the MDB. If it cannot find this user in the ca_contact table, it stops there.

2. If it can find this user in the ca_contact table, it sends this user's credentials over to EEM for authentication. If the user's credentials are successfully authenticated by EEM, it lets that user into the catalog GUI and checks the following to determine what role this user gets in the catalog GUI:
     1) It checks the usm_contact_domain_role table to see whether this user has an explicit role recorded in that table. If a record exists in usm_contact_domain_role for this user, the user gets into the catalog GUI with the role specified in that table.

     2) If that user doesn't exist in the usm_contact_domain_role table, catalog lets the user into the catalog GUI with the default role set by your catalog system. The default role is specified in Administration -> Configuration -> User Default -> User Default Role (requires restart of CA Service Catalog) in the catalog GUI.

Note:

To explicitly specify a catalog role for a user, log in to the catalog GUI as a user with the service delivery administrator role, go to Administration -> Users, search for and locate the user, and then edit its catalog profile: in the "User Setting" section, when you explicitly grant a role to the user and save it, a record is generated or updated in the usm_contact_domain_role table.

So, in short, the user's role information is stored in the usm_contact_domain_role table. If there is no record in this table for a user, this user has the default role specified in your catalog system.
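
The lookup described above can be turned into an access-review listing. The following is an added example, not CA code: it runs against a constructed in-memory SQLite stand-in for the two tables, and the column names (userid, role), the sample users and the default role value are assumptions, so check the real MDB schema before adapting the query. It lists the role each contact would receive once EEM has authenticated them, and flags role records that have no contact.

```python
import sqlite3

# Column names (userid, role) are simplified assumptions for this sketch,
# not the documented MDB schema.
EFFECTIVE_ROLES_SQL = """
SELECT c.userid,
       COALESCE(r.role, :default_role) AS effective_role,
       CASE WHEN r.role IS NULL THEN 'default' ELSE 'explicit' END AS source
FROM ca_contact c
LEFT JOIN usm_contact_domain_role r ON r.userid = c.userid
ORDER BY c.userid
"""

def build_sample_db():
    """Constructed in-memory stand-in for the two MDB tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ca_contact (userid TEXT PRIMARY KEY);
        CREATE TABLE usm_contact_domain_role (userid TEXT, role TEXT);
        INSERT INTO ca_contact VALUES ('alice'), ('bob'), ('carol');
        INSERT INTO usm_contact_domain_role VALUES
            ('alice', 'service delivery administrator'),
            ('dave',  'service delivery administrator');
    """)
    return db

def effective_roles(db, default_role):
    """Every contact with the role catalog would assign after EEM login."""
    rows = db.execute(EFFECTIVE_ROLES_SQL, {"default_role": default_role})
    return [tuple(row) for row in rows]

def orphaned_role_rows(db):
    """Role records without a contact: that user is stopped at step 1."""
    rows = db.execute("""
        SELECT r.userid, r.role FROM usm_contact_domain_role r
        LEFT JOIN ca_contact c ON c.userid = r.userid
        WHERE c.userid IS NULL ORDER BY r.userid
    """)
    return [tuple(row) for row in rows]

if __name__ == "__main__":
    db = build_sample_db()
    # "catalog user" is a constructed value; use your User Default Role setting.
    for row in effective_roles(db, "catalog user"):
        print(row)
    print("orphaned:", orphaned_role_rows(db))
```

Users listed with source "default" change role whenever the User Default Role setting changes, so they are the ones to review when that setting is edited.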