Add script to copy Cloud Foundry user roles from source to target user by cweibel · Pull Request #378 · cloud-gov/cg-scripts

cweibel · 2026-01-29T17:23:22Z

Changes proposed in this pull request:

Adds a script to copy the org and space permissions from one CF user to another.
Based partially on the existing cf-get-user-roles.sh script
Works for users with the same username but different origins
Requires the executor of the script to be logged into the CF CLI with enough permissions to create users
There are several dry-mode variations to see the permissions of the source user and also list out the commands that would be run against the target user.
There is a --delete option which will delete the source user if the target user is successfully updated. This option needs to be specified at run time and is not the default. Beware there is no "undo" for this.
I have a particular user case in mind, however this script is being kept generic on purpose so it can be used potentially for other support-style purposes to adhoc copy permissions from one account to another.
This will not copy UAA group memberships. For example this script cannot copy cloud_controller.admin or cloud_controller.global_auditor roles. It can only copy roles that are set by using cf set-org-role and cf set-space-role commands
Copies over the odd edge case of organization_users memberships. This is not accessible via cf set-org-role and must be set with a cf curl command. The cg-ui and Stratos projects also had to account for this.
Part of https://github.com/cloud-gov/private/issues/2765

None. Adds a new script which operators can use.

cloudfoundry/copy-user-org-and-space-roles.sh

Co-authored-by: Peter Burkholder <peter.burkholder@gsa.gov> Signed-off-by: Chris Weibel <christopher.weibel@gmail.com>

Add script to copy Cloud Foundry user roles from source to target user

6651c02

cweibel requested a review from a team as a code owner January 29, 2026 17:23