2pack does not work with roles


When you export a role as a 2pack and reimport in on another installation it shows the error message

It seems that in the 2pack is included the definition of AD_User_Roles for the SuperUser role. My idea is that this Role is added automatically to the new role when creating the new role object and then 2pack tries to create it again from the xml file.




Heng Sin Low
August 21, 2014, 8:45 AM

Hi Thomas,

Don't think we should export SuperUser at the first place. Unless it is really a must to have, I would like to avoid adding yet another hard coded rule.


Thomas Bayen
August 28, 2014, 3:44 PM

I do not understand your comment. My tests shows the following: Iwent to the demo server (in System Tenant) and created a role "testrole". I did nothing but creating it. There was an entry for the SuperUser automatically added. Then I created a packout configuration "roletest" and added one line of type Role to create a 2Pack file of the role. This xml file contains a record of type AD_User_Roles to say that SuperUser is member of this role. I can't load this 2Pack file on another system. That means the "Role" handler is broken!

There are some ideas to solve this issue:

  • Not write the SuperUser entry into the 2Pack file at all. It is included in every role so this information is not needed.

  • Care about this when reading the file e.g. by catching the exception and doing nothing.

I think the first is the better. My patch solves it this way.


Carlos Ruiz
August 28, 2014, 10:39 PM

Reading MRole.afterSave I see it's creating automatically role for SuperUser AND also to the user that is creating the role.
So, maybe the same problem can arise if you import the 2pack with a user different than SuperUser which has the role assigned.

I would also recommend to user MRole.SUPERUSER_USER_ID constant instead of the 100 in the patch.

Thomas Bayen
September 1, 2014, 2:04 PM

<tbayen> Or another question is: Do we even really want to export users when we export a role?
<tbayen> Is it best to ignore the user tab? I see no reason to have it and if you need you can export is as Data.
<CarlosRuiz> I have a worst problem there
<CarlosRuiz> well - to export and import role definition from dev to test to prod - can be useful
<CarlosRuiz> but maybe the solution is just to allow import on users on the same tenant
<tbayen> So you say we export all users but allow import only for the uuids we know (but not superuser and not #AD_User_ID)?
<CarlosRuiz> two issues here
<CarlosRuiz> when importing is a must to check the tenant of the user on the imported record and just import if is on the same tenant - there is a bug there importing GardenAdmin role definition on a new tenant
<CarlosRuiz> now, hengsin is wondering if is correct to export ad_user_roles records
<tbayen> Thats what I said.
<tbayen> Then the first issue is no more an issue?
<CarlosRuiz> ok - I think we can better move the ticket on that line
<CarlosRuiz> change the rolehandler to not export user-role definition
<CarlosRuiz> it can be exported using Data as usual
<CarlosRuiz> hengsin agreed too

Thomas Bayen
September 3, 2014, 2:04 PM

The patch IDEMPIERE-2137a stops the exporting of AD_User_Roles


Thomas Bayen


Thomas Bayen

Tested By



Affects versions