Replicate system role assignments for custom roles in migrator

rbac/management/relation_replicator/relation_replicator.py

@@ -52,6 +52,7 @@ class ReplicationEventType(str, Enum):
     MIGRATE_CUSTOM_ROLE = "migrate_custom_role"
     MIGRATE_TENANT_GROUPS = "migrate_tenant_groups"
     CUSTOMIZE_DEFAULT_GROUP = "customize_default_group"
+    ASSIGN_SYSTEM_ROLE_IN_MIGRATOR = "assign_system_role_in_migrator"
 
 
 class ReplicationEvent:

rbac/migration_tool/migrate.py

@@ -18,7 +18,9 @@
 import logging
 from typing import Iterable
 
+from django.db import transaction
 from kessel.relations.v1beta1 import common_pb2
+from management.group.relation_api_dual_write_group_handler import RelationApiDualWriteGroupHandler
 from management.models import Workspace
 from management.principal.model import Principal
 from management.relation_replicator.logging_replicator import LoggingReplicator
@@ -152,6 +154,19 @@ def migrate_data_for_tenant(tenant: Tenant, exclude_apps: list, replicator: Rela
         logger.info(f"Migration completed for role: {role.name} with UUID {role.uuid}.")
     logger.info(f"Migrated {roles.count()} roles for tenant: {tenant.org_id}")
 
+    public_default_roles = Role.objects.filter(platform_default=True, tenant=Tenant.objects.get(tenant_name="public"))
+
+    with transaction.atomic():
+        for group in tenant.group_set.all():
+            dual_write_handler = RelationApiDualWriteGroupHandler(
+                group, ReplicationEventType.ASSIGN_SYSTEM_ROLE_IN_MIGRATOR
+            )
+            if group.platform_default is True:
+                dual_write_handler.generate_relations_to_add_roles(public_default_roles)
+            system_roles = group.roles().filter(system=True)
+            dual_write_handler.generate_relations_to_add_roles(system_roles)
+            dual_write_handler.replicate()
+
 
 def migrate_data(exclude_apps: list = [], orgs: list = [], write_relationships: str = "False"):
     """Migrate all data for all tenants."""