Migrating RBAC in IQ Bot

When you migrate learning instances that are associated with custom roles, you must also migrate the roles to enable users in the destination environment to access the learning instances. Before you start your migration, review the comparison matrix for in RBAC IQ Bot 11.3.5.x with Automation 360 IQ Bot.

Comparing RBAC

The following table compares RBAC provided in IQ Bot 11.3.5.x with Automation 360 IQ Bot:
Feature Supported in IQ Bot 11.3.5.x Supported in Automation 360 IQ Bot
Separation of permissions to learning instances by departments using custom roles Yes Yes
Assigning roles to learning instances on creation Yes Yes
Support for system roles:
  • Automation 360 IQ Bot administrator
  • IQ Bot services
  • IQ Bot Validator
Yes Yes
Changing assigned role for learning instances Yes No
User can have different access levels to different learning instances Yes No
Transfer of roles when learning instances are moved from one environment to another No

However, you can use the Assign Roles functionality to assign roles to the learning instance.

No
All permissions of IQ Bot are implemented Yes No
The following permissions are not implemented:
  • Edit learning instance
  • Delete learning instance
  • Send learning instance to production
  • Import domain

Requirements before migrating RBAC

  • Ensure that you do not associate the role of a user who can create a learning instance with any of the IQ Bot system roles. Instead, associate these users with a custom role.
  • If a user who can create a learning instance has a custom role, a correct role corresponding to the department must be assigned to ensure a seamless RBAC operation on the learning instance. However, ensure that these users do not have any other role assigned other than the custom role for creating a learning instance and the corresponding department role.
  • User who can create a learning instance must not be associated with any non IQ Bot roles. This restriction is not applicable to other users with custom roles.
  • All users who can create a learning instance must not be assigned to one custom role (for creating learning instance). Instead, these users must be assigned to department-specific custom role (for creating learning instance).
  • Ensure that the View ALL learning instances permission is not used in the custom role because it provides users with access to IQ Bot services.
  • Ensure that any role other than the department role is not assigned to a learning instance, as this can increase the risk of unauthorized users accessing the learning instance.
  • Users with the Launch validator permission in the custom role can only view IQ Bot if there is at least one learning instance with documents to validate.

Plan your migration

RBAC functionality such as setup and features for custom roles differ between IQ Bot 11.3.5.x and Automation 360 IQ Bot. So keep the following in mind for migration:
  • You can migrate RBAC to Automation 360 IQ Bot only from IQ Bot 11.3.5 or later versions.
  • You can migrate IQ Bot 11.3.5.x to both Automation 360 IQ Bot On-Premises and Cloud.
  • When you migrate RBAC, all the custom and user roles are also migrated from Control Room 11.3.5.x to Automation 360.
  • Ensure you segregate the learning instances for RBAC use cases between departments, organization units, and so on.

Choose your RBAC migration path

Choose your RBAC migration path based on the IQ Bot version you are currently using and the Automation 360 IQ Bot deployment model that meets your business requirements:

If you are performing the migration steps using APIs, see IQ Bot roles migration APIs (A-People login required)