streamline usermgmt

cli/cmd/user/create.go

@@ -1,8 +1,6 @@
 package user
 
 import (
-	"strings"
-
 	"github.com/gravitl/netmaker/cli/functions"
 	"github.com/gravitl/netmaker/models"
 	"github.com/spf13/cobra"
@@ -15,17 +13,7 @@ var userCreateCmd = &cobra.Command{
 	Long:  `Create a new user`,
 	Run: func(cmd *cobra.Command, args []string) {
 		user := &models.User{UserName: username, Password: password, PlatformRoleID: models.UserRoleID(platformID)}
-		if len(networkRoles) > 0 {
-			netRolesMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
-			for netID, netRoles := range networkRoles {
-				roleMap := make(map[models.UserRoleID]struct{})
-				for _, roleID := range strings.Split(netRoles, " ") {
-					roleMap[models.UserRoleID(roleID)] = struct{}{}
-				}
-				netRolesMap[models.NetworkID(netID)] = roleMap
-			}
-			user.NetworkRoles = netRolesMap
-		}
+
 		if len(groups) > 0 {
 			grMap := make(map[models.UserGroupID]struct{})
 			for _, groupID := range groups {

cli/cmd/user/roles.go

@@ -42,9 +42,6 @@ var userRoleListCmd = &cobra.Command{
 			table.SetHeader(h)
 			for _, d := range data {
 				e := []string{d.ID.String(), strconv.FormatBool(d.Default), strconv.FormatBool(d.DenyDashboardAccess), strconv.FormatBool(d.FullAccess)}
-				if !platformRoles {
-					e = append(e, d.NetworkID.String())
-				}
 				table.Append(e)
 			}
 			table.Render()
@@ -88,15 +85,8 @@ var userRoleGetCmd = &cobra.Command{
 		default:
 			table := tablewriter.NewWriter(os.Stdout)
 			h := []string{"ID", "Default Role", "Dashboard Access", "Full Access"}
-
-			if d.NetworkID != "" {
-				h = append(h, "Network")
-			}
 			table.SetHeader(h)
 			e := []string{d.ID.String(), strconv.FormatBool(d.Default), strconv.FormatBool(!d.DenyDashboardAccess), strconv.FormatBool(d.FullAccess)}
-			if !platformRoles {
-				e = append(e, d.NetworkID.String())
-			}
 			table.Append(e)
 			table.Render()
 		}

cli/cmd/user/update.go

@@ -1,8 +1,6 @@
 package user
 
 import (
-	"strings"
-
 	"github.com/gravitl/netmaker/cli/functions"
 	"github.com/gravitl/netmaker/models"
 	"github.com/spf13/cobra"
@@ -18,17 +16,7 @@ var userUpdateCmd = &cobra.Command{
 		if platformID != "" {
 			user.PlatformRoleID = models.UserRoleID(platformID)
 		}
-		if len(networkRoles) > 0 {
-			netRolesMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
-			for netID, netRoles := range networkRoles {
-				roleMap := make(map[models.UserRoleID]struct{})
-				for _, roleID := range strings.Split(netRoles, ",") {
-					roleMap[models.UserRoleID(roleID)] = struct{}{}
-				}
-				netRolesMap[models.NetworkID(netID)] = roleMap
-			}
-			user.NetworkRoles = netRolesMap
-		}
+
 		if len(groups) > 0 {
 			grMap := make(map[models.UserGroupID]struct{})
 			for _, groupID := range groups {

controllers/node.go

@@ -283,44 +283,45 @@ func getNetworkNodes(w http.ResponseWriter, r *http.Request) {
 		}
 
 		if !userPlatformRole.FullAccess {
-			nodesMap := make(map[string]struct{})
-			networkRoles := user.NetworkRoles[models.NetworkID(networkName)]
-			for networkRoleID := range networkRoles {
-				userPermTemplate, err := logic.GetRole(networkRoleID)
-				if err != nil {
-					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
-					return
-				}
-				if userPermTemplate.FullAccess {
-					break
-				}
-				if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
-					if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok {
-						for _, node := range nodes {
-							if _, ok := nodesMap[node.ID.String()]; ok {
-								continue
-							}
-							if node.IsIngressGateway {
-								nodesMap[node.ID.String()] = struct{}{}
-								filteredNodes = append(filteredNodes, node)
-							}
-						}
-					} else {
-						for gwID, scope := range rsrcPerms {
-							if _, ok := nodesMap[gwID.String()]; ok {
-								continue
-							}
-							if scope.Read {
-								gwNode, err := logic.GetNodeByID(gwID.String())
-								if err == nil && gwNode.IsIngressGateway {
-									filteredNodes = append(filteredNodes, gwNode)
-								}
-							}
-						}
-					}
-				}
-
-			}
+			// TODO: Migrate
+			//nodesMap := make(map[string]struct{})
+			// networkRoles := userPlatformRole.NetworkRoles[models.NetworkID(networkName)]
+			// for networkRoleID := range networkRoles {
+			// 	userPermTemplate, err := logic.GetRole(networkRoleID)
+			// 	if err != nil {
+			// 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+			// 		return
+			// 	}
+			// 	if userPermTemplate.FullAccess {
+			// 		break
+			// 	}
+			// 	if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
+			// 		if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok {
+			// 			for _, node := range nodes {
+			// 				if _, ok := nodesMap[node.ID.String()]; ok {
+			// 					continue
+			// 				}
+			// 				if node.IsIngressGateway {
+			// 					nodesMap[node.ID.String()] = struct{}{}
+			// 					filteredNodes = append(filteredNodes, node)
+			// 				}
+			// 			}
+			// 		} else {
+			// 			for gwID, scope := range rsrcPerms {
+			// 				if _, ok := nodesMap[gwID.String()]; ok {
+			// 					continue
+			// 				}
+			// 				if scope.Read {
+			// 					gwNode, err := logic.GetNodeByID(gwID.String())
+			// 					if err == nil && gwNode.IsIngressGateway {
+			// 						filteredNodes = append(filteredNodes, gwNode)
+			// 					}
+			// 				}
+			// 			}
+			// 		}
+			// 	}
+
+			// }
 		}
 	}
 	if len(filteredNodes) > 0 {

controllers/user.go

@@ -553,13 +553,6 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 
 		}
 		if servercfg.IsPro {
-			// user cannot update his own roles and groups
-			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
-				err = errors.New("user cannot update self update their network roles")
-				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
-				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
-				return
-			}
 			// user cannot update his own roles and groups
 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
 				err = errors.New("user cannot update self update their groups")

logic/acls.go

@@ -354,12 +354,13 @@ func listPoliciesOfUser(user models.User, netID models.NetworkID) []models.Acl {
 				acls = append(acls, acl)
 				continue
 			}
-			for netRole := range user.NetworkRoles {
-				if _, ok := srcMap[netRole.String()]; ok {
-					acls = append(acls, acl)
-					continue
-				}
-			}
+			// TODO: MIGRATE
+			// for netRole := range user.NetworkRoles {
+			// 	if _, ok := srcMap[netRole.String()]; ok {
+			// 		acls = append(acls, acl)
+			// 		continue
+			// 	}
+			// }
 			for userG := range user.UserGroups {
 				if _, ok := srcMap[userG.String()]; ok {
 					acls = append(acls, acl)

logic/auth.go

@@ -148,9 +148,6 @@ func CreateUser(user *models.User) error {
 	if err := IsGroupsValid(user.UserGroups); err != nil {
 		return errors.New("invalid groups: " + err.Error())
 	}
-	if err := IsNetworkRolesValid(user.NetworkRoles); err != nil {
-		return errors.New("invalid network roles: " + err.Error())
-	}
 
 	var err = ValidateUser(user)
 	if err != nil {
@@ -295,16 +292,11 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
 	if err := IsGroupsValid(userchange.UserGroups); err != nil {
 		return userchange, errors.New("invalid groups: " + err.Error())
 	}
-	if err := IsNetworkRolesValid(userchange.NetworkRoles); err != nil {
-		return userchange, errors.New("invalid network roles: " + err.Error())
-	}
-	// Reset Gw Access for service users
-	go UpdateUserGwAccess(*user, *userchange)
+
 	if userchange.PlatformRoleID != "" {
 		user.PlatformRoleID = userchange.PlatformRoleID
 	}
 	user.UserGroups = userchange.UserGroups
-	user.NetworkRoles = userchange.NetworkRoles
 	err := ValidateUser(user)
 	if err != nil {
 		return &models.User{}, err

logic/gateway.go

@@ -188,30 +188,7 @@ func CreateIngressGateway(netid string, nodeid string, ingress models.IngressReq
 	if err != nil {
 		return models.Node{}, err
 	}
-	// create network role for this gateway
-	CreateRole(models.UserRolePermissionTemplate{
-		ID:        models.GetRAGRoleID(node.Network, host.ID.String()),
-		UiName:    models.GetRAGRoleName(node.Network, host.Name),
-		NetworkID: models.NetworkID(node.Network),
-		Default:   true,
-		NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
-			models.RemoteAccessGwRsrc: {
-				models.RsrcID(node.ID.String()): models.RsrcPermissionScope{
-					Read:      true,
-					VPNaccess: true,
-				},
-			},
-			models.ExtClientsRsrc: {
-				models.AllExtClientsRsrcID: models.RsrcPermissionScope{
-					Read:     true,
-					Create:   true,
-					Update:   true,
-					Delete:   true,
-					SelfOnly: true,
-				},
-			},
-		},
-	})
+
 	err = SetNetworkNodesLastModified(netid)
 	return node, err
 }

logic/user_mgmt.go

@@ -46,8 +46,6 @@ var IsNetworkRolesValid = func(networkRoles map[models.NetworkID]map[models.User
 	return nil
 }
 
-var UpdateUserGwAccess = func(currentUser, changeUser models.User) {}
-
 var UpdateRole = func(r models.UserRolePermissionTemplate) error { return nil }
 
 var InitialiseRoles = userRolesInit
@@ -83,9 +81,6 @@ func ListPlatformRoles() ([]models.UserRolePermissionTemplate, error) {
 		if err != nil {
 			continue
 		}
-		if userRole.NetworkID != "" {
-			continue
-		}
 		userRoles = append(userRoles, userRole)
 	}
 	return userRoles, nil

logic/users.go

@@ -45,7 +45,6 @@ func ToReturnUser(user models.User) models.ReturnUser {
 		PlatformRoleID: user.PlatformRoleID,
 		AuthType:       user.AuthType,
 		UserGroups:     user.UserGroups,
-		NetworkRoles:   user.NetworkRoles,
 		RemoteGwIDs:    user.RemoteGwIDs,
 		LastLoginTime:  user.LastLoginTime,
 	}
@@ -56,9 +55,6 @@ func SetUserDefaults(user *models.User) {
 	if user.RemoteGwIDs == nil {
 		user.RemoteGwIDs = make(map[string]struct{})
 	}
-	if len(user.NetworkRoles) == 0 {
-		user.NetworkRoles = make(map[models.NetworkID]map[models.UserRoleID]struct{})
-	}
 	if len(user.UserGroups) == 0 {
 		user.UserGroups = make(map[models.UserGroupID]struct{})
 	}

migrate/migrate.go

@@ -363,30 +363,11 @@ func syncUsers() {
 				networkNodes := logic.GetNetworkNodesMemory(nodes, netI.NetID)
 				for _, networkNodeI := range networkNodes {
 					if networkNodeI.IsIngressGateway {
-						h, err := logic.GetHost(networkNodeI.HostID.String())
+
+						_, err := logic.GetHost(networkNodeI.HostID.String())
 						if err == nil {
-							logic.CreateRole(models.UserRolePermissionTemplate{
-								ID:        models.GetRAGRoleID(networkNodeI.Network, h.ID.String()),
-								UiName:    models.GetRAGRoleName(networkNodeI.Network, h.Name),
-								NetworkID: models.NetworkID(netI.NetID),
-								NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
-									models.RemoteAccessGwRsrc: {
-										models.RsrcID(networkNodeI.ID.String()): models.RsrcPermissionScope{
-											Read:      true,
-											VPNaccess: true,
-										},
-									},
-									models.ExtClientsRsrc: {
-										models.AllExtClientsRsrcID: models.RsrcPermissionScope{
-											Read:     true,
-											Create:   true,
-											Update:   true,
-											Delete:   true,
-											SelfOnly: true,
-										},
-									},
-								},
-							})
+							// TODO: MIGRATE
+
 						}
 
 					}
@@ -414,9 +395,6 @@ func syncUsers() {
 			if logic.IsOauthUser(&user) == nil {
 				user.AuthType = models.OAuth
 			}
-			if len(user.NetworkRoles) == 0 {
-				user.NetworkRoles = make(map[models.NetworkID]map[models.UserRoleID]struct{})
-			}
 			if len(user.UserGroups) == 0 {
 				user.UserGroups = make(map[models.UserGroupID]struct{})
 			}
@@ -437,21 +415,12 @@ func syncUsers() {
 					if err != nil {
 						continue
 					}
-					h, err := logic.GetHost(gwNode.HostID.String())
-					if err != nil {
-						continue
-					}
-					r, err := logic.GetRole(models.GetRAGRoleID(gwNode.Network, h.ID.String()))
+
+					_, err = logic.GetHost(gwNode.HostID.String())
 					if err != nil {
 						continue
 					}
-					if netRoles, ok := user.NetworkRoles[models.NetworkID(gwNode.Network)]; ok {
-						netRoles[r.ID] = struct{}{}
-					} else {
-						user.NetworkRoles[models.NetworkID(gwNode.Network)] = map[models.UserRoleID]struct{}{
-							r.ID: {},
-						}
-					}
+
 				}
 				logic.UpsertUser(user)
 			}

models/user_mgmt.go

@@ -120,7 +120,6 @@ type UserRolePermissionTemplate struct {
 	Default             bool                                        `json:"default"`
 	DenyDashboardAccess bool                                        `json:"deny_dashboard_access"`
 	FullAccess          bool                                        `json:"full_access"`
-	NetworkID           NetworkID                                   `json:"network_id"`
 	NetworkLevelAccess  map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"`
 	GlobalLevelAccess   map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"`
 }
@@ -131,9 +130,11 @@ type CreateGroupReq struct {
 }
 
 type UserGroup struct {
-	ID           UserGroupID                           `json:"id"`
-	NetworkRoles map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
-	MetaData     string                                `json:"meta_data"`
+	ID             UserGroupID                           `json:"id"`
+	PlatformRoleID UserRoleID                            `json:"platform_role_id"`
+	NetworkRoles   map[NetworkID]map[UserRoleID]struct{} `json:"network_roles"`
+	RoleOnNetworks map[UserRoleID]map[NetworkID]struct{} `json:"role_on_networks"`
+	MetaData       string                                `json:"meta_data"`
 }
 
 // User struct - struct for Users

pro/controllers/users.go

@@ -111,7 +111,6 @@ func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
 	if user.PlatformRoleID == "" {
 		user.PlatformRoleID = models.ServiceUser
 	}
-	user.NetworkRoles = in.NetworkRoles
 	err = logic.CreateUser(&user)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
@@ -516,8 +515,6 @@ func ListRoles(w http.ResponseWriter, r *http.Request) {
 	var err error
 	if platform == "true" {
 		roles, err = logic.ListPlatformRoles()
-	} else {
-		roles, err = proLogic.ListNetworkRoles()
 	}
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
@@ -598,11 +595,7 @@ func updateRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	currRole, err := logic.GetRole(userRole.ID)
-	if err != nil {
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
-		return
-	}
+
 	err = proLogic.ValidateUpdateRoleReq(&userRole)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
@@ -615,7 +608,8 @@ func updateRole(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// reset configs for service user
-	go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
+	// TODO: MIGRATE
+	//go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "updated user role")
 }
 
@@ -632,7 +626,7 @@ func deleteRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
 		return
 	}
-	role, err := logic.GetRole(models.UserRoleID(rid))
+	_, err := logic.GetRole(models.UserRoleID(rid))
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
 		return
@@ -642,7 +636,8 @@ func deleteRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
+	// TODO: MIGRATE
+	//go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user role")
 }
 
@@ -834,7 +829,7 @@ func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
 	userGws := make(map[string][]models.UserRemoteGws)
 	networks := []models.Network{}
 	networkMap := make(map[string]struct{})
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	for _, node := range userGwNodes {
 		network, err := logic.GetNetwork(node.Network)
 		if err != nil {
@@ -876,7 +871,7 @@ func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request)
 	}
 	userGws := []models.UserRAGs{}
 
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	for _, node := range userGwNodes {
 		if node.Network != network {
 			continue
@@ -931,7 +926,7 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	if _, ok := userGwNodes[remoteGwID]; !ok {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
 		return
@@ -1075,7 +1070,7 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	for _, extClient := range allextClients {
 		node, ok := userGwNodes[extClient.IngressGatewayID]
 		if !ok {

pro/initialize.go

@@ -127,14 +127,11 @@ func InitPro() {
 	logic.DeleteRole = proLogic.DeleteRole
 	logic.NetworkPermissionsCheck = proLogic.NetworkPermissionsCheck
 	logic.GlobalPermissionsCheck = proLogic.GlobalPermissionsCheck
-	logic.DeleteNetworkRoles = proLogic.DeleteNetworkRoles
-	logic.CreateDefaultNetworkRolesAndGroups = proLogic.CreateDefaultNetworkRolesAndGroups
 	logic.FilterNetworksByRole = proLogic.FilterNetworksByRole
 	logic.IsGroupsValid = proLogic.IsGroupsValid
 	logic.IsGroupValid = proLogic.IsGroupValid
 	logic.IsNetworkRolesValid = proLogic.IsNetworkRolesValid
 	logic.InitialiseRoles = proLogic.UserRolesInit
-	logic.UpdateUserGwAccess = proLogic.UpdateUserGwAccess
 	logic.CreateDefaultUserPolicies = proLogic.CreateDefaultUserPolicies
 }
 

pro/logic/security.go

@@ -66,21 +66,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
 	// check if user has scope for target resource
 	// TODO - differentitate between global scope and network scope apis
 	// check for global network role
-	if netRoles, ok := user.NetworkRoles[models.AllNetworks]; ok {
-		for netRoleID := range netRoles {
-			err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
-			if err == nil {
-				return nil
-			}
-		}
-	}
-	netRoles := user.NetworkRoles[models.NetworkID(netID)]
-	for netRoleID := range netRoles {
-		err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
-		if err == nil {
-			return nil
-		}
-	}
+
 	for groupID := range user.UserGroups {
 		userG, err := GetUserGroup(groupID)
 		if err == nil {

pro/logic/user_mgmt.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/gravitl/netmaker/database"
-	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/mq"
@@ -17,6 +16,7 @@ import (
 
 var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:                  models.ServiceUser,
+	UiName:              "Network User",
 	Default:             true,
 	FullAccess:          false,
 	DenyDashboardAccess: true,
@@ -24,41 +24,11 @@ var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{
 
 var PlatformUserUserPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:         models.PlatformUser,
+	UiName:     "Network Admin",
 	Default:    true,
 	FullAccess: false,
 }
 
-var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{
-	ID:         models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)),
-	Default:    true,
-	FullAccess: true,
-	NetworkID:  models.AllNetworks,
-}
-
-var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{
-	ID:         models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)),
-	Default:    true,
-	FullAccess: false,
-	NetworkID:  models.AllNetworks,
-	NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
-		models.RemoteAccessGwRsrc: {
-			models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{
-				Read:      true,
-				VPNaccess: true,
-			},
-		},
-		models.ExtClientsRsrc: {
-			models.AllExtClientsRsrcID: models.RsrcPermissionScope{
-				Read:     true,
-				Create:   true,
-				Update:   true,
-				Delete:   true,
-				SelfOnly: true,
-			},
-		},
-	},
-}
-
 func UserRolesInit() {
 	d, _ := json.Marshal(logic.SuperAdminPermissionTemplate)
 	database.Insert(logic.SuperAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
@@ -68,142 +38,7 @@ func UserRolesInit() {
 	database.Insert(ServiceUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
 	d, _ = json.Marshal(PlatformUserUserPermissionTemplate)
 	database.Insert(PlatformUserUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
-	d, _ = json.Marshal(NetworkAdminAllPermissionTemplate)
-	database.Insert(NetworkAdminAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
-	d, _ = json.Marshal(NetworkUserAllPermissionTemplate)
-	database.Insert(NetworkUserAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
-
-}
-
-func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
-	if netID.String() == "" {
-		return
-	}
-	var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
-		ID:                 models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)),
-		Default:            true,
-		NetworkID:          netID,
-		FullAccess:         true,
-		NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
-	}
-
-	var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
-		ID:                  models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)),
-		Default:             true,
-		FullAccess:          false,
-		NetworkID:           netID,
-		DenyDashboardAccess: false,
-		NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
-			models.RemoteAccessGwRsrc: {
-				models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{
-					Read:      true,
-					VPNaccess: true,
-				},
-			},
-			models.ExtClientsRsrc: {
-				models.AllExtClientsRsrcID: models.RsrcPermissionScope{
-					Read:     true,
-					Create:   true,
-					Update:   true,
-					Delete:   true,
-					SelfOnly: true,
-				},
-			},
-		},
-	}
-	d, _ := json.Marshal(NetworkAdminPermissionTemplate)
-	database.Insert(NetworkAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
-	d, _ = json.Marshal(NetworkUserPermissionTemplate)
-	database.Insert(NetworkUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
-
-	// create default network groups
-	var NetworkAdminGroup = models.UserGroup{
-		ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)),
-		NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
-			netID: {
-				models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)): {},
-			},
-		},
-		MetaData: "The network group was automatically created by Netmaker.",
-	}
-	var NetworkUserGroup = models.UserGroup{
-		ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)),
-		NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
-			netID: {
-				models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)): {},
-			},
-		},
-		MetaData: "The network group was automatically created by Netmaker.",
-	}
-	d, _ = json.Marshal(NetworkAdminGroup)
-	database.Insert(NetworkAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
-	d, _ = json.Marshal(NetworkUserGroup)
-	database.Insert(NetworkUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
-
-}
-
-func DeleteNetworkRoles(netID string) {
-	users, err := logic.GetUsersDB()
-	if err != nil {
-		return
-	}
-	defaultUserGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)
-	defaultAdminGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)
-	for _, user := range users {
-		var upsert bool
-		if _, ok := user.NetworkRoles[models.NetworkID(netID)]; ok {
-			delete(user.NetworkRoles, models.NetworkID(netID))
-			upsert = true
-		}
-		if _, ok := user.UserGroups[models.UserGroupID(defaultUserGrp)]; ok {
-			delete(user.UserGroups, models.UserGroupID(defaultUserGrp))
-			upsert = true
-		}
-		if _, ok := user.UserGroups[models.UserGroupID(defaultAdminGrp)]; ok {
-			delete(user.UserGroups, models.UserGroupID(defaultAdminGrp))
-			upsert = true
-		}
-		if upsert {
-			logic.UpsertUser(user)
-		}
-	}
-	database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultUserGrp)
-	database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultAdminGrp)
-	userGs, _ := ListUserGroups()
-	for _, userGI := range userGs {
-		if _, ok := userGI.NetworkRoles[models.NetworkID(netID)]; ok {
-			delete(userGI.NetworkRoles, models.NetworkID(netID))
-			UpdateUserGroup(userGI)
-		}
-	}
-
-	roles, _ := ListNetworkRoles()
-	for _, role := range roles {
-		if role.NetworkID.String() == netID {
-			database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, role.ID.String())
-		}
-	}
-}
 
-// ListNetworkRoles - lists user network roles permission templates
-func ListNetworkRoles() ([]models.UserRolePermissionTemplate, error) {
-	data, err := database.FetchRecords(database.USER_PERMISSIONS_TABLE_NAME)
-	if err != nil && !database.IsEmptyRecord(err) {
-		return []models.UserRolePermissionTemplate{}, err
-	}
-	userRoles := []models.UserRolePermissionTemplate{}
-	for _, dataI := range data {
-		userRole := models.UserRolePermissionTemplate{}
-		err := json.Unmarshal([]byte(dataI), &userRole)
-		if err != nil {
-			continue
-		}
-		if userRole.NetworkID == "" {
-			continue
-		}
-		userRoles = append(userRoles, userRole)
-	}
-	return userRoles, nil
 }
 
 func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error {
@@ -242,9 +77,6 @@ func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error {
 			}
 		}
 	}
-	if userRole.NetworkID == "" {
-		return errors.New("only network roles are allowed to be created")
-	}
 	return nil
 }
 
@@ -253,9 +85,7 @@ func ValidateUpdateRoleReq(userRole *models.UserRolePermissionTemplate) error {
 	if err != nil {
 		return err
 	}
-	if roleInDB.NetworkID != userRole.NetworkID {
-		return errors.New("network id mismatch")
-	}
+
 	if roleInDB.Default {
 		return errors.New("cannot update default role")
 	}
@@ -338,34 +168,11 @@ func DeleteRole(rid models.UserRoleID, force bool) error {
 	if err != nil {
 		return err
 	}
-	if role.NetworkID == "" {
-		return errors.New("cannot delete platform role")
-	}
-	// allow deletion of default network roles if network doesn't exist
-	if role.NetworkID == models.AllNetworks {
-		return errors.New("cannot delete default network role")
-	}
-	// check if network exists
-	exists, _ := logic.NetworkExists(role.NetworkID.String())
-	if role.Default {
-		if exists && !force {
-			return errors.New("cannot delete default role")
-		}
-	}
+
 	for _, user := range users {
 		for userG := range user.UserGroups {
-			ug, err := GetUserGroup(userG)
+			_, err := GetUserGroup(userG)
 			if err == nil {
-				if role.NetworkID != "" {
-					for netID, networkRoles := range ug.NetworkRoles {
-						if _, ok := networkRoles[rid]; ok {
-							delete(networkRoles, rid)
-							ug.NetworkRoles[netID] = networkRoles
-							UpdateUserGroup(ug)
-						}
-
-					}
-				}
 
 			}
 		}
@@ -374,18 +181,9 @@ func DeleteRole(rid models.UserRoleID, force bool) error {
 			err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
 			return err
 		}
-		if role.NetworkID != "" {
-			for netID, networkRoles := range user.NetworkRoles {
-				if _, ok := networkRoles[rid]; ok {
-					delete(networkRoles, rid)
-					user.NetworkRoles[netID] = networkRoles
-					logic.UpsertUser(user)
-				}
 
-			}
-		}
 	}
-	return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String())
+	return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, role.ID.String())
 }
 
 func ValidateCreateGroupReq(g models.UserGroup) error {
@@ -393,13 +191,11 @@ func ValidateCreateGroupReq(g models.UserGroup) error {
 	// check if network roles are valid
 	for _, roleMap := range g.NetworkRoles {
 		for roleID := range roleMap {
-			role, err := logic.GetRole(roleID)
+			_, err := logic.GetRole(roleID)
 			if err != nil {
 				return fmt.Errorf("invalid network role %s", roleID)
 			}
-			if role.NetworkID == "" {
-				return errors.New("platform role cannot be used as network role")
-			}
+
 		}
 	}
 	return nil
@@ -409,14 +205,11 @@ func ValidateUpdateGroupReq(g models.UserGroup) error {
 	for networkID := range g.NetworkRoles {
 		userRolesMap := g.NetworkRoles[networkID]
 		for roleID := range userRolesMap {
-			netRole, err := logic.GetRole(roleID)
+			_, err := logic.GetRole(roleID)
 			if err != nil {
 				err = fmt.Errorf("invalid network role")
 				return err
 			}
-			if netRole.NetworkID == "" {
-				return errors.New("platform role cannot be used as network role")
-			}
 		}
 	}
 	return nil
@@ -556,153 +349,6 @@ func GetUserRAGNodesV1(user models.User) (gws map[string]models.Node) {
 	return
 }
 
-func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
-	gws = make(map[string]models.Node)
-	userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user)
-	logger.Log(3, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope))
-	_, allNetAccess := userGwAccessScope["*"]
-	nodes, err := logic.GetAllNodes()
-	if err != nil {
-		return
-	}
-	for _, node := range nodes {
-		if node.IsIngressGateway && !node.PendingDelete {
-			if allNetAccess {
-				gws[node.ID.String()] = node
-			} else {
-				gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)]
-				scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID]
-				if !ok {
-					if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok {
-						continue
-					}
-				}
-				if scope.VPNaccess {
-					gws[node.ID.String()] = node
-				}
-
-			}
-		}
-	}
-	return
-}
-
-// GetUserNetworkRoles - get user network roles
-func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) {
-	gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope)
-	platformRole, err := logic.GetRole(user.PlatformRoleID)
-	if err != nil {
-		return
-	}
-	if platformRole.FullAccess {
-		gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
-		return
-	}
-	if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
-		gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
-	}
-	if len(user.UserGroups) > 0 {
-		for gID := range user.UserGroups {
-			userG, err := GetUserGroup(gID)
-			if err != nil {
-				continue
-			}
-			for netID, roleMap := range userG.NetworkRoles {
-				for roleID := range roleMap {
-					role, err := logic.GetRole(roleID)
-					if err == nil {
-						if role.FullAccess {
-							gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
-								models.AllRemoteAccessGwRsrcID: {
-									Create:    true,
-									Read:      true,
-									Update:    true,
-									VPNaccess: true,
-									Delete:    true,
-								},
-								models.AllExtClientsRsrcID: {
-									Create: true,
-									Read:   true,
-									Update: true,
-									Delete: true,
-								},
-							}
-							break
-						}
-						if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
-							if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
-								if len(gwAccess[netID]) == 0 {
-									gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
-								}
-								gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
-								break
-							} else {
-								for gwID, scope := range rsrcsMap {
-									if scope.VPNaccess {
-										if len(gwAccess[netID]) == 0 {
-											gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
-										}
-										gwAccess[netID][gwID] = scope
-									}
-								}
-							}
-
-						}
-
-					}
-				}
-			}
-		}
-	}
-	for netID, roleMap := range user.NetworkRoles {
-		for roleID := range roleMap {
-			role, err := logic.GetRole(roleID)
-			if err == nil {
-				if role.FullAccess {
-					gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
-						models.AllRemoteAccessGwRsrcID: {
-							Create:    true,
-							Read:      true,
-							Update:    true,
-							VPNaccess: true,
-							Delete:    true,
-						},
-						models.AllExtClientsRsrcID: {
-							Create: true,
-							Read:   true,
-							Update: true,
-							Delete: true,
-						},
-					}
-					break
-				}
-				if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
-					if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
-						if len(gwAccess[netID]) == 0 {
-							gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
-						}
-						gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
-						break
-					} else {
-						for gwID, scope := range rsrcsMap {
-							if scope.VPNaccess {
-								if len(gwAccess[netID]) == 0 {
-									gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
-								}
-								gwAccess[netID][gwID] = scope
-							}
-						}
-					}
-
-				}
-
-			}
-		}
-	}
-
-	return
-}
-
 func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) {
 
 	nodesMap := make(map[string]struct{})
@@ -710,17 +356,7 @@ func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filter
 	defer func() {
 		filteredNodes = logic.AddStaticNodestoList(filteredNodes)
 	}()
-	if len(user.NetworkRoles) > 0 {
-		for _, netRoles := range user.NetworkRoles {
-			for netRoleI := range netRoles {
-				allNetworkRoles[netRoleI] = struct{}{}
-			}
-		}
-	}
-	if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
-		filteredNodes = nodes
-		return
-	}
+
 	if len(user.UserGroups) > 0 {
 		for userGID := range user.UserGroups {
 			userG, err := GetUserGroup(userGID)
@@ -744,7 +380,8 @@ func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filter
 		if err != nil {
 			continue
 		}
-		networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String())
+		// TODO: MIGRATE
+		networkNodes := logic.GetNetworkNodesMemory(nodes, "netmaker")
 		if userPermTemplate.FullAccess {
 			for _, node := range networkNodes {
 				if _, ok := nodesMap[node.ID.String()]; ok {
@@ -794,15 +431,7 @@ func FilterNetworksByRole(allnetworks []models.Network, user models.User) []mode
 	}
 	if !platformRole.FullAccess {
 		allNetworkRoles := make(map[models.NetworkID]struct{})
-		if len(user.NetworkRoles) > 0 {
-			for netID := range user.NetworkRoles {
-				if netID == models.AllNetworks {
-					return allnetworks
-				}
-				allNetworkRoles[netID] = struct{}{}
 
-			}
-		}
 		if len(user.UserGroups) > 0 {
 			for userGID := range user.UserGroups {
 				userG, err := GetUserGroup(userGID)
@@ -861,13 +490,11 @@ func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID
 			}
 		}
 		for netRoleID := range netRoles {
-			role, err := logic.GetRole(netRoleID)
+			_, err := logic.GetRole(netRoleID)
 			if err != nil {
 				return fmt.Errorf("failed to fetch role %s ", netRoleID)
 			}
-			if role.NetworkID == "" {
-				return fmt.Errorf("cannot use platform as network role %s", netRoleID)
-			}
+
 		}
 	}
 	return nil
@@ -884,7 +511,6 @@ func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) {
 		Password: newPass,
 	}
 	user.UserGroups = in.UserGroups
-	user.NetworkRoles = in.NetworkRoles
 	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
 	if user.PlatformRoleID == "" {
 		user.PlatformRoleID = models.ServiceUser
@@ -892,80 +518,6 @@ func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) {
 	return user, nil
 }
 
-func UpdatesUserGwAccessOnRoleUpdates(currNetworkAccess,
-	changeNetworkAccess map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope, netID string) {
-	networkChangeMap := make(map[models.RsrcID]models.RsrcPermissionScope)
-	for rsrcType, RsrcPermsMap := range currNetworkAccess {
-		if rsrcType != models.RemoteAccessGwRsrc {
-			continue
-		}
-		if _, ok := changeNetworkAccess[rsrcType]; !ok {
-			for rsrcID, scope := range RsrcPermsMap {
-				networkChangeMap[rsrcID] = scope
-			}
-		} else {
-			for rsrcID, scope := range RsrcPermsMap {
-				if _, ok := changeNetworkAccess[rsrcType][rsrcID]; !ok {
-					networkChangeMap[rsrcID] = scope
-				}
-			}
-		}
-	}
-
-	extclients, err := logic.GetAllExtClients()
-	if err != nil {
-		slog.Error("failed to fetch extclients", "error", err)
-		return
-	}
-	userMap, err := logic.GetUserMap()
-	if err != nil {
-		return
-	}
-	for _, extclient := range extclients {
-		if extclient.Network != netID {
-			continue
-		}
-		if _, ok := networkChangeMap[models.AllRemoteAccessGwRsrcID]; ok {
-			if user, ok := userMap[extclient.OwnerID]; ok {
-				if user.PlatformRoleID != models.ServiceUser {
-					continue
-				}
-				err = logic.DeleteExtClientAndCleanup(extclient)
-				if err != nil {
-					slog.Error("failed to delete extclient",
-						"id", extclient.ClientID, "owner", user.UserName, "error", err)
-				} else {
-					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
-						slog.Error("error setting ext peers: " + err.Error())
-					}
-				}
-			}
-			continue
-		}
-		if _, ok := networkChangeMap[models.RsrcID(extclient.IngressGatewayID)]; ok {
-			if user, ok := userMap[extclient.OwnerID]; ok {
-				if user.PlatformRoleID != models.ServiceUser {
-					continue
-				}
-				err = logic.DeleteExtClientAndCleanup(extclient)
-				if err != nil {
-					slog.Error("failed to delete extclient",
-						"id", extclient.ClientID, "owner", user.UserName, "error", err)
-				} else {
-					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
-						slog.Error("error setting ext peers: " + err.Error())
-					}
-				}
-			}
-
-		}
-
-	}
-	if servercfg.IsDNSMode() {
-		logic.SetDNS()
-	}
-}
-
 func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) {
 	networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
 	for netID, networkUserRoles := range currNetworkRoles {
@@ -1023,79 +575,6 @@ func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[mo
 
 }
 
-func UpdateUserGwAccess(currentUser, changeUser models.User) {
-	if changeUser.PlatformRoleID != models.ServiceUser {
-		return
-	}
-
-	networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
-	for netID, networkUserRoles := range currentUser.NetworkRoles {
-		if _, ok := changeUser.NetworkRoles[netID]; !ok {
-			for netRoleID := range networkUserRoles {
-				if _, ok := networkChangeMap[netID]; !ok {
-					networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
-				}
-				networkChangeMap[netID][netRoleID] = struct{}{}
-			}
-		} else {
-			for netRoleID := range networkUserRoles {
-				if _, ok := changeUser.NetworkRoles[netID][netRoleID]; !ok {
-					if _, ok := networkChangeMap[netID]; !ok {
-						networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
-					}
-					networkChangeMap[netID][netRoleID] = struct{}{}
-				}
-			}
-		}
-	}
-	for gID := range currentUser.UserGroups {
-		if _, ok := changeUser.UserGroups[gID]; ok {
-			continue
-		}
-		userG, err := GetUserGroup(gID)
-		if err == nil {
-			for netID, networkUserRoles := range userG.NetworkRoles {
-				for netRoleID := range networkUserRoles {
-					if _, ok := networkChangeMap[netID]; !ok {
-						networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
-					}
-					networkChangeMap[netID][netRoleID] = struct{}{}
-				}
-			}
-		}
-	}
-	if len(networkChangeMap) == 0 {
-		return
-	}
-	// TODO - cleanup gw access when role and groups are updated
-	//removedGwAccess
-	extclients, err := logic.GetAllExtClients()
-	if err != nil {
-		slog.Error("failed to fetch extclients", "error", err)
-		return
-	}
-	for _, extclient := range extclients {
-		if extclient.OwnerID == currentUser.UserName {
-			if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok {
-				err = logic.DeleteExtClientAndCleanup(extclient)
-				if err != nil {
-					slog.Error("failed to delete extclient",
-						"id", extclient.ClientID, "owner", changeUser.UserName, "error", err)
-				} else {
-					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
-						slog.Error("error setting ext peers: " + err.Error())
-					}
-				}
-			}
-
-		}
-	}
-	if servercfg.IsDNSMode() {
-		logic.SetDNS()
-	}
-
-}
-
 func CreateDefaultUserPolicies(netID models.NetworkID) {
 	if netID.String() == "" {
 		return