set groupreassignauth separately

Nivedithaa Mahendran · Nivedithaa Mahendran · commit cc1c0ce0a41d · 2026-03-26T15:41:29.000+05:30
diff --git a/src/mas/devops/users.py b/src/mas/devops/users.py
@@ -273,6 +273,64 @@ def get_or_create_user(self, payload):
 
         raise Exception(f"{response.status_code} {response.text}")
 
+    def set_user_group_reassignment_auth(self, user_id, groupreassign, manage_api_key):
+        """
+        Set group reassignment authorization for a user via Manage API.
+
+        This method updates the grpreassignauth field for a user's maxuser record,
+        which controls which security groups the user can reassign to other users.
+
+        Args:
+            user_id (str): The unique identifier of the user.
+            groupreassign (list): List of group objects in format [{"groupname": "GROUP1"}, {"groupname": "GROUP2"}, ...]
+            manage_api_key (dict): API key record with 'apikey' field for authentication.
+
+        Returns:
+            dict: Updated user record.
+
+        Raises:
+            Exception: If the update fails.
+        """
+        if not groupreassign or len(groupreassign) == 0:
+            self.logger.debug(f"No group reassignment authorization to set for user {user_id}")
+            return
+
+        self.logger.info(f"Setting group reassignment authorization for user {user_id} with {len(groupreassign)} groups")
+
+        # Use Manage API to update the user's grpreassignauth
+        url = f"{self.manage_api_url_internal}/maximo/api/os/masapiuser/{user_id}"
+        querystring = {
+            "lean": 1,
+            "ccm": 1
+        }
+        headers = {
+            "Content-Type": "application/json",
+            "apikey": manage_api_key["apikey"]
+        }
+
+        payload = {
+            "maxuser": [
+                {
+                    "grpreassignauth": groupreassign
+                }
+            ]
+        }
+
+        response = requests.patch(
+            url,
+            json=payload,
+            headers=headers,
+            params=querystring,
+            cert=self.manage_internal_client_pem_file_path,
+            verify=self.manage_internal_ca_pem_file_path
+        )
+
+        if response.status_code == 200:
+            self.logger.info(f"Successfully set group reassignment authorization for user {user_id}")
+            return response.json()
+
+        raise Exception(f"Failed to set group reassignment authorization: {response.status_code} {response.text}")
+
     def update_user(self, payload):
         """
         Update an existing user's details.
@@ -972,7 +1030,7 @@ def get_all_manage_groups(self):
             params=querystring,
             # verify=self.manage_internal_ca_pem_file_path,
             cert=self.manage_internal_client_pem_file_path,
-            verify=False
+            verify=self.manage_internal_ca_pem_file_path
         )
 
         if response.status_code != 200:
@@ -1434,8 +1492,7 @@ def create_initial_user_for_saas(self, user, user_type, groupreassign=None):
                         {
                             "groupname": "USERMANAGEMENT"
                         }
-                    ],
-                    "grpreassignauth": groupreassign
+                    ]
                 }
                 is_workspace_admin = True
                 application_role = "ADMIN"
@@ -1499,6 +1556,8 @@ def create_initial_user_for_saas(self, user, user_type, groupreassign=None):
             maxadmin_manage_api_key = self.create_or_get_manage_api_key_for_user(MASUserUtils.MAXADMIN, temporary=True)
             for manage_security_group in manage_security_groups:
                 self.add_user_to_manage_group(user_id, manage_security_group, maxadmin_manage_api_key)
+            if Version(self.mas_version) >= Version('9.1') and user_type == "PRIMARY" and groupreassign is not None:
+                self.set_user_group_reassignment_auth(user_id, groupreassign, maxadmin_manage_api_key)
 
             # # Grant authorization to reassign users to/from ALL security groups (PRIMARY users only)
             # if user_type == "PRIMARY":
diff --git a/test/src/test_users.py b/test/src/test_users.py
@@ -1729,6 +1729,7 @@ def test_create_initial_user_for_saas(
     manage_api_key = "manage_api_key"  # pragma: allowlist secret
     user_utils.create_or_get_manage_api_key_for_user = MagicMock(return_value=manage_api_key)
     user_utils.add_user_to_manage_group = MagicMock()
+    user_utils.set_user_group_reassignment_auth = MagicMock()
 
     user_given_name = "billy"
     user_family_name = "bobby"
@@ -1790,11 +1791,6 @@ def test_create_initial_user_for_saas(
                     {
                         "groupname": "USERMANAGEMENT"
                     }
-                ],
-                "grpreassignauth": [
-                    {
-                        "groupname": "USERMANAGEMENT"
-                    }
                 ]
             }
         else:  # SECONDARY

Original file line number	Diff line number	Diff line change
`@@ -1729,6 +1729,7 @@ def test_create_initial_user_for_saas(`
`1729`	`1729`	`manage_api_key = "manage_api_key" # pragma: allowlist secret`
`1730`	`1730`	`user_utils.create_or_get_manage_api_key_for_user = MagicMock(return_value=manage_api_key)`
`1731`	`1731`	`user_utils.add_user_to_manage_group = MagicMock()`
	`1732`	`+ user_utils.set_user_group_reassignment_auth = MagicMock()`
`1732`	`1733`
`1733`	`1734`	`user_given_name = "billy"`
`1734`	`1735`	`user_family_name = "bobby"`
`@@ -1790,11 +1791,6 @@ def test_create_initial_user_for_saas(`
`1790`	`1791`	`{`
`1791`	`1792`	`"groupname": "USERMANAGEMENT"`
`1792`	`1793`	`}`
`1793`		`- ],`
`1794`		`- "grpreassignauth": [`
`1795`		`- {`
`1796`		`- "groupname": "USERMANAGEMENT"`
`1797`		`- }`
`1798`	`1794`	`]`
`1799`	`1795`	`}`
`1800`	`1796`	`else: # SECONDARY`