From 6651c02e6d919ad153992fc6d62b113a3c781173 Mon Sep 17 00:00:00 2001
From: Christopher Weibel <christopher.weibel@gsa.gov>
Date: Thu, 29 Jan 2026 12:13:19 -0500
Subject: [PATCH 1/4] Add script to copy Cloud Foundry user roles from source
 to target user

---
 cloudfoundry/copy-user-org-and-space-roles.sh | 568 ++++++++++++++++++
 1 file changed, 568 insertions(+)
 create mode 100644 cloudfoundry/copy-user-org-and-space-roles.sh

diff --git a/cloudfoundry/copy-user-org-and-space-roles.sh b/cloudfoundry/copy-user-org-and-space-roles.sh
new file mode 100644
index 0000000..54c5f7b
--- /dev/null
+++ b/cloudfoundry/copy-user-org-and-space-roles.sh
@@ -0,0 +1,568 @@
+#!/bin/bash
+# Script to copy Cloud Foundry user roles from source to target user
+set -e
+
+# Function to display usage
+usage() {
+    echo "Usage: $0 --source-user-id <user-id> --source-origin <origin> --target-user-id <user-id> --target-origin <origin> [OPTIONS]"
+    echo ""
+    echo "Required:"
+    echo "  --source-user-id    Source CF username"
+    echo "  --source-origin     UAA origin for source user"
+    echo "  --target-user-id    Target CF username"
+    echo "  --target-origin     UAA origin for target user"
+    echo ""
+    echo "Optional:"
+    echo "  --dry-run-source    Show source user roles only"
+    echo "  --dry-run-target    Show commands to setup target user roles"
+    echo "  --dry-run           Print all commands without executing (legacy mode)"
+    echo "  --delete            Delete source user after role transfer"
+    echo "  --deactivate        Deactivate source user in UAA after role transfer"
+    echo "  --verbose           Enable verbose logging"
+    echo ""
+    echo "Examples:"
+    echo "  # Show source user roles"
+    echo "  $0 --source-user-id john.doe --source-origin uaa --target-user-id jane.doe --target-origin uaa --dry-run-source"
+    echo ""
+    echo "  # Show target setup commands"
+    echo "  $0 --source-user-id john.doe --source-origin uaa --target-user-id jane.doe --target-origin uaa --dry-run-target"
+    echo ""
+    echo "  # Copy roles and delete source user"
+    echo "  $0 --source-user-id john.doe --source-origin uaa --target-user-id jane.doe --target-origin uaa --delete"
+    echo ""
+    echo "Notes:"
+    echo "- This will not copy over uaa group memberships like 'scim.read' or 'cloud_controller.admin'."
+    echo "- Log into the CF CLI and ensure you have the necessary permissions to assign roles to the target user."
+    echo "- Current limit is a hard coded maximum of 5000 roles per user due to CF API pagination."
+    exit 1
+}
+
+# Initialize variables
+SOURCE_USER_ID=""
+SOURCE_ORIGIN=""
+TARGET_USER_ID=""
+TARGET_ORIGIN=""
+DRY_RUN=false
+DRY_RUN_SOURCE=false
+DRY_RUN_TARGET=false
+DELETE=false
+DEACTIVATE=false
+VERBOSE=false
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --source-user-id)
+            SOURCE_USER_ID="$2"
+            shift 2
+            ;;
+        --source-origin)
+            SOURCE_ORIGIN="$2"
+            shift 2
+            ;;
+        --target-user-id)
+            TARGET_USER_ID="$2"
+            shift 2
+            ;;
+        --target-origin)
+            TARGET_ORIGIN="$2"
+            shift 2
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        --dry-run-source)
+            DRY_RUN_SOURCE=true
+            shift
+            ;;
+        --dry-run-target)
+            DRY_RUN_TARGET=true
+            shift
+            ;;
+        --delete)
+            DELETE=true
+            shift
+            ;;
+        --deactivate)
+            DEACTIVATE=true
+            shift
+            ;;
+        --verbose)
+            VERBOSE=true
+            shift
+            ;;
+        *)
+            echo "Unknown option: $1"
+            usage
+            ;;
+    esac
+done
+
+# Validate required parameters
+if [[ -z "$SOURCE_USER_ID" || -z "$SOURCE_ORIGIN" || -z "$TARGET_USER_ID" || -z "$TARGET_ORIGIN" ]]; then
+    echo "Error: Missing required parameters"
+    usage
+fi
+
+# Validate mutually exclusive options
+if [[ "$DELETE" == true && "$DEACTIVATE" == true ]]; then
+    echo "Error: Cannot both delete and deactivate source user"
+    exit 1
+fi
+
+# Logging function
+log() {
+    if [[ "$VERBOSE" == true ]]; then
+        echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >&2
+    fi
+}
+
+# Function to execute or print commands based on dry-run mode
+execute_command() {
+    local cmd="$1"
+    echo "Command: $cmd"
+    if [[ "$DRY_RUN" == false ]]; then
+        eval "$cmd"
+    fi
+}
+
+# Function to get user GUID from CF API
+get_user_guid() {
+    local user_id="$1"
+    local origin="$2"
+    
+    cf curl "/v3/users?origins=${origin}&usernames=${user_id}" | jq -r '.resources[0].guid // empty'
+}
+
+# Function to check if user exists
+check_user_exists() {
+    local user_id="$1"
+    local origin="$2"
+    local user_guid
+    
+    user_guid=$(get_user_guid "$user_id" "$origin")
+    if [[ -z "$user_guid" || "$user_guid" == "null" ]]; then
+        return 1
+    else
+        return 0
+    fi
+}
+
+# Function to get org name from space
+get_org_name_from_space() {
+    local space_guid="$1"
+    local space_info org_guid
+    
+    space_info=$(cf curl "/v3/spaces/$space_guid")
+    org_guid=$(echo "$space_info" | jq -r '.relationships.organization.data.guid // empty')
+    
+    if [[ -n "$org_guid" ]]; then
+        query_org_name "$org_guid"
+    fi
+}
+
+# Function to query org name
+query_org_name() {
+    local org_guid="$1"
+    if [[ -n "$org_guid" ]]; then
+        cf curl "/v3/organizations/$org_guid" | jq -r '.name // empty'
+    fi
+}
+
+# Function to query space name
+query_space_name() {
+    local space_guid="$1"
+    if [[ -n "$space_guid" ]]; then
+        cf curl "/v3/spaces/$space_guid" | jq -r '.name // empty'
+    fi
+}
+
+# Function to add organization_user role via CF API
+add_organization_user_role() {
+    local user_guid="$1"
+    local org_guid="$2"
+    local org_name="$3"
+    
+    local payload=$(cat <<EOF
+{
+  "type": "organization_user",
+  "relationships": {
+    "user": {
+      "data": {
+        "guid": "$user_guid"
+      }
+    },
+    "organization": {
+      "data": {
+        "guid": "$org_guid"
+      }
+    }
+  }
+}
+EOF
+)
+    
+    if [[ "$DRY_RUN" == true || "$DRY_RUN_TARGET" == true ]]; then
+        echo "cf curl -X POST '/v3/roles' -d '$payload'"
+    else
+        echo "Adding organization_user role for $TARGET_USER_ID in org $org_name..."
+        local response=$(cf curl -X POST "/v3/roles" -d "$payload")
+        local status_code=$(echo "$response" | jq -r '.errors[0].code // empty')
+        
+        if [[ -n "$status_code" ]]; then
+            # Check if it's a duplicate role error (10008)
+            if [[ "$status_code" == "10008" ]]; then
+                echo "  User already has organization_user role in $org_name"
+            else
+                echo "  Error: Failed to add organization_user role: $response"
+                return 1
+            fi
+        else
+            echo "  Successfully added organization_user role in $org_name"
+        fi
+    fi
+}
+
+# Function to get all user roles via API
+get_user_roles_via_api() {
+    local user_guid="$1"
+    
+    # Get all roles with increased page size to avoid pagination
+    cf curl "/v3/roles?user_guids=${user_guid}&per_page=5000" | jq -r '
+        .resources[] |
+        .type + "|" + 
+        (.relationships.organization.data.guid // "") + "|" + 
+        (.relationships.space.data.guid // "")
+    '
+}
+
+# Display script header
+if [[ "$DRY_RUN_SOURCE" == false && "$DRY_RUN_TARGET" == false ]]; then
+    echo "========================================="
+    echo "Cloud Foundry User Role Transfer Script"
+    echo "========================================="
+    echo "Source User: $SOURCE_USER_ID (Origin: $SOURCE_ORIGIN)"
+    echo "Target User: $TARGET_USER_ID (Origin: $TARGET_ORIGIN)"
+    echo "Dry Run: $DRY_RUN"
+    echo "Delete Source User: $DELETE"
+    echo "Deactivate Source User: $DEACTIVATE"
+    echo "========================================="
+    echo ""
+fi
+
+log "Starting role discovery process"
+
+# Arrays to store roles and role information
+declare -a ORG_ROLES
+declare -a SPACE_ROLES
+declare -a ORG_USER_ROLES
+declare -a SOURCE_ORG_ROLES
+declare -a SOURCE_SPACE_ROLES
+declare -a SOURCE_ORG_USER_ROLES
+
+# Verify users exist
+log "Verifying source user exists"
+if ! check_user_exists "$SOURCE_USER_ID" "$SOURCE_ORIGIN"; then
+    echo "Error: Source user '$SOURCE_USER_ID' with origin '$SOURCE_ORIGIN' not found"
+    exit 1
+fi
+
+SOURCE_USER_GUID=$(get_user_guid "$SOURCE_USER_ID" "$SOURCE_ORIGIN")
+log "Source user GUID: $SOURCE_USER_GUID"
+
+# Verify target user exists (skip for dry-run-source)
+if [[ "$DRY_RUN_SOURCE" == false ]]; then
+    log "Verifying target user exists"
+    if ! check_user_exists "$TARGET_USER_ID" "$TARGET_ORIGIN"; then
+        echo "Error: Target user '$TARGET_USER_ID' with origin '$TARGET_ORIGIN' not found"
+        exit 1
+    fi
+    TARGET_USER_GUID=$(get_user_guid "$TARGET_USER_ID" "$TARGET_ORIGIN")
+    log "Target user GUID: $TARGET_USER_GUID"
+fi
+
+# Get all roles for source user
+log "Getting user roles via API"
+ROLES_OUTPUT=$(get_user_roles_via_api "$SOURCE_USER_GUID")
+
+# Process roles and build command arrays
+while IFS='|' read -r role_type org_guid space_guid; do
+    # Skip empty lines
+    if [[ -z "$role_type" ]]; then
+        continue
+    fi
+    
+    # Get org name
+    org_name=""
+    if [[ -n "$org_guid" ]]; then
+        org_name=$(query_org_name "$org_guid")
+    elif [[ -n "$space_guid" ]]; then
+        # For space roles, get org name via the space
+        org_name=$(get_org_name_from_space "$space_guid")
+    fi
+
+
+    # Get space name if space_guid exists
+    space_name=""
+    if [[ -n "$space_guid" ]]; then
+        space_name=$(query_space_name "$space_guid")
+        
+        # For space roles, if we don't have org_name yet, get it from the space
+        if [[ -z "$org_name" ]]; then
+            # Get the organization info from the space
+            space_info=$(cf curl "/v3/spaces/$space_guid")
+            org_guid_from_space=$(echo "$space_info" | jq -r '.relationships.organization.data.guid // empty')
+            if [[ -n "$org_guid_from_space" ]]; then
+                org_name=$(query_org_name "$org_guid_from_space")
+            fi
+        fi
+    fi
+    
+    # Map role types to CF CLI role names
+    case "$role_type" in
+        "organization_manager")
+            cli_role="OrgManager"
+            ;;
+        "organization_billing_manager")
+            cli_role="BillingManager"
+            ;;
+        "organization_auditor")
+            cli_role="OrgAuditor"
+            ;;
+        "organization_user")
+            cli_role="organization_user"
+            ;;
+        "space_manager")
+            cli_role="SpaceManager"
+            ;;
+        "space_developer")
+            cli_role="SpaceDeveloper"
+            ;;
+        "space_auditor")
+            cli_role="SpaceAuditor"
+            ;;
+        "space_supporter")
+            cli_role="SpaceSupporter"
+            ;;
+        *)
+            log "Unknown role type: $role_type"
+            continue
+            ;;
+    esac
+    
+    # Build command arrays based on role type
+    if [[ -z "$space_guid" ]]; then
+        # Organization role
+        if [[ "$role_type" == "organization_user" ]]; then
+            ORG_USER_ROLES+=("$org_guid:$org_name")
+            SOURCE_ORG_USER_ROLES+=("$org_name:$cli_role")
+        else
+            ORG_ROLES+=("cf set-org-role \"$TARGET_USER_ID\" \"$org_name\" $cli_role --origin \"$TARGET_ORIGIN\"")
+            SOURCE_ORG_ROLES+=("$org_name:$cli_role")
+        fi
+    else
+        # Space role
+        SPACE_ROLES+=("cf set-space-role \"$TARGET_USER_ID\" \"$org_name\" \"$space_name\" $cli_role --origin \"$TARGET_ORIGIN\"")
+        SOURCE_SPACE_ROLES+=("$org_name:$space_name:$cli_role")
+    fi
+done <<< "$ROLES_OUTPUT"
+
+# Handle dry-run-source mode
+if [[ "$DRY_RUN_SOURCE" == true ]]; then
+    echo "========================================="
+    echo "Source User Roles"
+    echo "========================================="
+    echo "User: $SOURCE_USER_ID (Origin: $SOURCE_ORIGIN)"
+    echo "GUID: $SOURCE_USER_GUID"
+    echo ""
+    
+    if [[ ${#SOURCE_ORG_ROLES[@]} -gt 0 ]]; then
+        echo "Organization Roles:"
+        for role_info in "${SOURCE_ORG_ROLES[@]}"; do
+            IFS=':' read -r org role <<< "$role_info"
+            echo "  - $org: $role"
+        done
+    else
+        echo "No organization roles found"
+    fi
+    
+    if [[ ${#SOURCE_ORG_USER_ROLES[@]} -gt 0 ]]; then
+        echo ""
+        echo "Organization User Roles:"
+        for role_info in "${SOURCE_ORG_USER_ROLES[@]}"; do
+            IFS=':' read -r org role <<< "$role_info"
+            echo "  - $org: $role"
+        done
+    fi
+    
+    echo ""
+    
+    if [[ ${#SOURCE_SPACE_ROLES[@]} -gt 0 ]]; then
+        echo "Space Roles:"
+        for role_info in "${SOURCE_SPACE_ROLES[@]}"; do
+            IFS=':' read -r org space role <<< "$role_info"
+            echo "  - $org/$space: $role"
+        done
+    else
+        echo "No space roles found"
+    fi
+    
+    exit 0
+fi
+
+# Handle dry-run-target mode
+if [[ "$DRY_RUN_TARGET" == true ]]; then
+    echo "========================================="
+    echo "Target User Setup Commands"
+    echo "========================================="
+    echo "Target User: $TARGET_USER_ID (Origin: $TARGET_ORIGIN)"
+    echo ""
+    
+    if [[ ${#ORG_ROLES[@]} -gt 0 ]]; then
+        echo "# Organization role commands:"
+        for cmd in "${ORG_ROLES[@]}"; do
+            echo "$cmd"
+        done
+    else
+        echo "# No organization roles to assign"
+    fi
+    
+    echo ""
+    
+    if [[ ${#ORG_USER_ROLES[@]} -gt 0 ]]; then
+        echo "# Organization user role commands (via API):"
+        for role_info in "${ORG_USER_ROLES[@]}"; do
+            IFS=':' read -r org_guid org_name <<< "$role_info"
+            echo "# Add organization_user role for org: $org_name"
+        done
+    fi
+    
+    echo ""
+    
+    if [[ ${#SPACE_ROLES[@]} -gt 0 ]]; then
+        echo "# Space role commands:"
+        for cmd in "${SPACE_ROLES[@]}"; do
+            echo "$cmd"
+        done
+    else
+        echo "# No space roles to assign"
+    fi
+    
+    # Show post-transfer actions if specified
+    echo ""
+    echo "# Post-transfer actions:"
+    if [[ "$DELETE" == true ]]; then
+        echo "cf delete-user \"$SOURCE_USER_ID\" --origin \"$SOURCE_ORIGIN\" -f"
+    elif [[ "$DEACTIVATE" == true ]]; then
+        echo "uaac user deactivate \"$SOURCE_USER_ID\" --origin \"$SOURCE_ORIGIN\""
+    fi
+    
+    exit 0
+fi
+
+# Execute role assignments
+echo ""
+echo "========================================="
+echo "Role Assignment Commands"
+echo "========================================="
+
+# Track success for post-transfer actions
+SUCCESS=true
+
+# Execute organization role assignments
+if [[ ${#ORG_ROLES[@]} -gt 0 ]]; then
+    echo "Organization Roles:"
+    for cmd in "${ORG_ROLES[@]}"; do
+        if [[ "$DRY_RUN" == false ]]; then
+            if ! eval "$cmd"; then
+                echo "Error: Failed to execute: $cmd"
+                SUCCESS=false
+            fi
+        else
+            execute_command "$cmd"
+        fi
+    done
+else
+    echo "No organization roles found for $SOURCE_USER_ID"
+fi
+
+echo ""
+
+# Execute organization_user role assignments
+if [[ ${#ORG_USER_ROLES[@]} -gt 0 ]]; then
+    echo "Organization User Roles:"
+    for role_info in "${ORG_USER_ROLES[@]}"; do
+        IFS=':' read -r org_guid org_name <<< "$role_info"
+        
+        # Add organization_user role
+        if ! add_organization_user_role "$TARGET_USER_GUID" "$org_guid" "$org_name"; then
+            SUCCESS=false
+        fi
+    done
+else
+    echo "No organization_user roles found for $SOURCE_USER_ID"
+fi
+
+echo ""
+
+# Execute space role assignments
+if [[ ${#SPACE_ROLES[@]} -gt 0 ]]; then
+    echo "Space Roles:"
+    for cmd in "${SPACE_ROLES[@]}"; do
+        if [[ "$DRY_RUN" == false ]]; then
+            if ! eval "$cmd"; then
+                echo "Error: Failed to execute: $cmd"
+                SUCCESS=false
+            fi
+        else
+            execute_command "$cmd"
+        fi
+    done
+else
+    echo "No space roles found for $SOURCE_USER_ID"
+fi
+
+echo ""
+echo "========================================="
+echo "Post-Transfer Actions"
+echo "========================================="
+
+# Only perform post-transfer actions if role assignment was successful
+if [[ "$SUCCESS" == true || "$DRY_RUN" == true ]]; then
+    # Handle delete option
+    if [[ "$DELETE" == true ]]; then
+        echo "Deleting user $SOURCE_USER_ID..."
+        DELETE_CMD="cf delete-user \"$SOURCE_USER_ID\" --origin \"$SOURCE_ORIGIN\" -f"
+        execute_command "$DELETE_CMD"
+    fi
+    
+    # Handle deactivate option
+    if [[ "$DEACTIVATE" == true ]]; then
+        echo "Deactivating user $SOURCE_USER_ID..."
+        DEACTIVATE_CMD="uaac user deactivate \"$SOURCE_USER_ID\" --origin \"$SOURCE_ORIGIN\""
+        #execute_command "$DEACTIVATE_CMD"
+    fi
+else
+    echo "Skipping post-transfer actions due to role assignment failures"
+    exit 1
+fi
+
+echo ""
+echo "========================================="
+echo "Script completed!"
+echo "========================================="
+
+# Summary
+if [[ "$DRY_RUN" == false && "$DRY_RUN_SOURCE" == false && "$DRY_RUN_TARGET" == false ]]; then
+    echo ""
+    echo "Summary:"
+    echo "- Organization roles assigned: ${#ORG_ROLES[@]}"
+    echo "- Organization user roles assigned: ${#ORG_USER_ROLES[@]}"
+    echo "- Space roles assigned: ${#SPACE_ROLES[@]}"
+    if [[ "$DELETE" == true ]]; then
+        echo "- Source user deleted: $SOURCE_USER_ID"
+    elif [[ "$DEACTIVATE" == true ]]; then
+        echo "- Source user deactivated: $SOURCE_USER_ID"
+    fi
+fi
\ No newline at end of file

From c5d62c8c3a464acb0e0eba9d225689398f3b21d8 Mon Sep 17 00:00:00 2001
From: Chris Weibel <christopher.weibel@gmail.com>
Date: Thu, 29 Jan 2026 15:38:17 -0500
Subject: [PATCH 2/4] Update cloudfoundry/copy-user-org-and-space-roles.sh

Co-authored-by: Peter Burkholder <peter.burkholder@gsa.gov>
Signed-off-by: Chris Weibel <christopher.weibel@gmail.com>
---
 cloudfoundry/copy-user-org-and-space-roles.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cloudfoundry/copy-user-org-and-space-roles.sh b/cloudfoundry/copy-user-org-and-space-roles.sh
index 54c5f7b..b603dc1 100644
--- a/cloudfoundry/copy-user-org-and-space-roles.sh
+++ b/cloudfoundry/copy-user-org-and-space-roles.sh
@@ -184,7 +184,8 @@ add_organization_user_role() {
     local org_guid="$2"
     local org_name="$3"
     
-    local payload=$(cat <<EOF
+    local payload=""
+    payload=$(cat <<EOF
 {
   "type": "organization_user",
   "relationships": {

From c1aa9d2ceb623be2439989670c018c1d69f8e39b Mon Sep 17 00:00:00 2001
From: Christopher Weibel <christopher.weibel@gsa.gov>
Date: Thu, 29 Jan 2026 15:57:34 -0500
Subject: [PATCH 3/4] Add suggestions for exit and local assignments

---
 cloudfoundry/copy-user-org-and-space-roles.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/cloudfoundry/copy-user-org-and-space-roles.sh b/cloudfoundry/copy-user-org-and-space-roles.sh
index b603dc1..787a15a 100644
--- a/cloudfoundry/copy-user-org-and-space-roles.sh
+++ b/cloudfoundry/copy-user-org-and-space-roles.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Script to copy Cloud Foundry user roles from source to target user
-set -e
+set -e -u -o pipefail
 
 # Function to display usage
 usage() {
@@ -208,8 +208,11 @@ EOF
         echo "cf curl -X POST '/v3/roles' -d '$payload'"
     else
         echo "Adding organization_user role for $TARGET_USER_ID in org $org_name..."
-        local response=$(cf curl -X POST "/v3/roles" -d "$payload")
-        local status_code=$(echo "$response" | jq -r '.errors[0].code // empty')
+        local response=""
+        local status_code=""
+        
+        response=$(cf curl -X POST "/v3/roles" -d "$payload")
+        status_code=$(echo "$response" | jq -r '.errors[0].code // empty')
         
         if [[ -n "$status_code" ]]; then
             # Check if it's a duplicate role error (10008)
@@ -347,8 +350,9 @@ while IFS='|' read -r role_type org_guid space_guid; do
             cli_role="SpaceSupporter"
             ;;
         *)
+            echo "Error: Unknown role type detected: $role_type" >&2
             log "Unknown role type: $role_type"
-            continue
+            exit 1
             ;;
     esac
     

From 846c4f734fde26dafce2bc8d841c15364158e975 Mon Sep 17 00:00:00 2001
From: Christopher Weibel <christopher.weibel@gsa.gov>
Date: Thu, 29 Jan 2026 16:05:45 -0500
Subject: [PATCH 4/4] Turn on deactivate

---
 cloudfoundry/copy-user-org-and-space-roles.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cloudfoundry/copy-user-org-and-space-roles.sh b/cloudfoundry/copy-user-org-and-space-roles.sh
index 787a15a..720f094 100644
--- a/cloudfoundry/copy-user-org-and-space-roles.sh
+++ b/cloudfoundry/copy-user-org-and-space-roles.sh
@@ -546,7 +546,7 @@ if [[ "$SUCCESS" == true || "$DRY_RUN" == true ]]; then
     if [[ "$DEACTIVATE" == true ]]; then
         echo "Deactivating user $SOURCE_USER_ID..."
         DEACTIVATE_CMD="uaac user deactivate \"$SOURCE_USER_ID\" --origin \"$SOURCE_ORIGIN\""
-        #execute_command "$DEACTIVATE_CMD"
+        execute_command "$DEACTIVATE_CMD"
     fi
 else
     echo "Skipping post-transfer actions due to role assignment failures"