We also had to deal with this problem. As mentioned before Caché itself does not support this automatically due to CACHESYS nature.
First of all I think, that any attempt to write reliable "scripts to export users, roles etc periodically from the master instance into files and import them into the other(s)" fails. Whatever you choose for the backup interval (day/hour/10min), it may fail in the worst moment. You will have to ensure the file is transferred correctly/file systems on both machines are up and ready, etc.
Of course, this may work (whether manually or automatically) on sites with a relatively small number of users/roles and a relatively small number of changes.
Assumptions in our installations:
1) we do not allow edit user/roles via SMP
- there is plenty of reasons for it
2) we use our own user/roles management system
- we need more complex functionality than SMP/Caché security offers
- we have to deal with hundreds of changes in users/roles daily in the production system
- we add/change/disable/enable users/roles there on the fly based on different sources
- for example : on the basis of completed tests in EDU environment by end users, interfacing the central system for processing role requests
- almost nothing is done manually by application administrators
- this is "pretty much alive"
3) we have our own datastructures for rules/roles/rights
- we can simply let them mirror by appropriate mapping
4) we only write the most important informations into users/roles using API in Security.Users/Security.Roles classes
- every change is automatically updated into Caché security (users/roles/privileges/resources)
Principle of our solution:
1) we keep "MirrorQueue" of all changed users/roles in the system
- we can do this, while we have full control over changes in our own user/roles management system and we can log it
- this "MirrorQueue" is simply mirrored
2) when mirror/backup goes up we use ZMIRROR hooks (e.g. NotifyBecomePrimary())
- we simply scan "MirrorQueue" and apply all changes users/roles (using the same API in Security.Users/Security.Roles classes)
3) when mirror/backup is up (and became primary) all our user/role data are synchronised
Feel free to ask for further details.