With the Security Map wizard you can map the security policies for user and group accounts, also called security principals, in one domain to the same or different accounts in another domain. The mapping process is accomplished by updating the security principals contained in a specified XML import file according to the valid principals defined in the current realm.
NOTE You cannot change from one directory server type to another when mapping accounts. For example, mapping accounts in the Active Directory to accounts in Sun Java™ System Directory Server is not supported.
The input requirements for the Security Map wizard are (1) a properly formatted import file and (2) a properly formatted security map file. The following sections describe the requirements and behavior of the wizard in greater detail:
FileNet P8 supports the use of XML script files for exporting and importing object store information, including security principals.
Prior to FileNet P8 version 3.5.1, the export file generated by Enterprise Manager was a single XML file called the export manifest. As of version 3.5.1, Enterprise Manager generates multiple XML files that are listed in a single TXT file, still called the export manifest. With release 4.0, Enterprise Manager generates an Export Descriptor File, an XML file containing the list of export XML files. The Security Map wizard accepts all three forms as valid input: the pre-3.5.1 single XML file, the export manifest TXT file generated by 3.5.1 and later 3.5.x releases, and the 4.0 XML Export Descriptor File.
When you export object store information in Enterprise Manager, you can also export the security policy information:
For each security principal that is defined in the XML, the following information is also exported:
The exported information is saved to one or more XML files which are listed in the .txt manifest file. The Security Map wizard then uses the import file to update the security principal information contained in the manifest according to the valid principals defined in the security map file or the current realm.
A security map identifies how security principals in one domain should be mapped to principals in another domain. When you use the Security Map wizard, you can instruct the wizard to create a new map file using the valid principals for the current realm, or specify that a previously generated security map should be used.
The Security Map wizard creates the security map by building a list of the security principals defined in the imported XML and then determining the "best match" for each principal, either by processing the principals contained in a preexisting map file or by generating a new map from the valid principals for the current realm. For each security principal encountered in the XML file, the wizard attempts to locate the best matching principal according to the following steps:
1. Use the Name to resolve the principal.
2. Use the ShortName and iterate through the valid realms until a match is found and the principal is resolved. If no match is found, proceed to Step 3.
3. Use the DisplayName and iterate through the valid realms until a match is found and the principal is resolved. If no match is found, proceed to Step 4.
The wizard provides options that allow you to edit the map and override any entries, as well as save the map for future use.
The basic usage scenario and processing behavior of the Security Map wizard are as follows:
A properly formatted security map file contains the following elements:
<SecurityPrincipalMap> - identifies that this is a security map file.
<PrincipalMap> - a security principal, which identifies the accounts for the principal on the source and destination domains.
<SourcePrincipal> - a description of the security principal as it exists on the source domain.
<DestinationPrincipal> - a description of the security principal as it exists on the destination domain.
<SID> - for each source or destination principal, the unique identifier that the wizard uses to obtain the corresponding valid security principal in the map file or current realm.
<Name> - for each source or destination principal, the fully qualified domain name for the account.
<ShortName> - for each source or destination principal, the short name for the account.
<DisplayName> - for each source or destination principal, the user-friendly display name for the account.
<PrincipalType> - for each source or destination principal, identifies whether the Access Control Entry (ACE) for the account is allowed or denied.
NOTE The wizard only imports direct ACEs; inherited ACEs are ignored. For more information, see About access rights.
The following code fragment demonstrates how these elements should appear in a security map file under Microsoft® Windows authentication:
<SecurityPrincipalMap>
  <PrincipalMap>
    <SourcePrincipal>
      <SID>S-1-5-21-588586621-1056035706-3148668796-1105</SID>
      <Name>guest@ALASKA1.LOCAL</Name>
      <ShortName>guest</ShortName>
      <DisplayName>Guest User</DisplayName>
      <PrincipalType>1</PrincipalType>
    </SourcePrincipal>
    <DestinationPrincipal>
      <SID>S-1-5-21-588586621-1056035706-3148668796-1407</SID>
      <Name>visitor@ALASKA1.LOCAL</Name>
      <ShortName>visitor</ShortName>
      <DisplayName>Visitor</DisplayName>
      <PrincipalType>1</PrincipalType>
    </DestinationPrincipal>
  </PrincipalMap>
  <PrincipalMap>
    <SourcePrincipal>
      <SID>S-1-3-0</SID>
      <Name>#CREATOR-OWNER</Name>
      <ShortName />
      <DisplayName />
      <PrincipalType>0</PrincipalType>
    </SourcePrincipal>
    <DestinationPrincipal>
      <SID>S-1-3-0</SID>
      <Name>#CREATOR-OWNER</Name>
      <ShortName />
      <DisplayName />
      <PrincipalType />
    </DestinationPrincipal>
  </PrincipalMap>
  <PrincipalMap>
    <SourcePrincipal>
      <SID>S-1-5-21-588586621-1056035706-3148668796-500</SID>
      <Name>Administrator@ALASKA1.LOCAL</Name>
      <ShortName>Administrator</ShortName>
      <DisplayName>Administrator</DisplayName>
      <PrincipalType>0</PrincipalType>
    </SourcePrincipal>
    <DestinationPrincipal>
      <SID>S-1-5-21-588586621-1056035706-3148668796-1133</SID>
      <Name>ADMIN_SYSTEM@ALASKA1.LOCAL</Name>
      <ShortName>ADMIN_SYSTEM</ShortName>
      <DisplayName>System Administrator</DisplayName>
      <PrincipalType>0</PrincipalType>
    </DestinationPrincipal>
  </PrincipalMap>
</SecurityPrincipalMap>
Security principals appear in the exported XML files (listed in the export manifest) as owner and access permission settings on a per-object or per-object-type basis. In addition to the properties identified in the previous section, the AccessType (same as PrincipalType), InheritableDepth, AccessMask, and PermissionSource attributes are also present as part of the security policy definition for an object. The following code fragment demonstrates how a security policy and security principal definitions might appear in an XML import file under Windows authentication:
...
<PropertyTemplateObjectSecurity>
  <Owner>
    <SID>S-1-5-21-588586621-1056035706-3148668796-138</SID>
    <Name>bsmith@ALASKA1.LOCAL</Name>
    <ShortName>bsmith</ShortName>
    <DisplayName>Bob Smith</DisplayName>
    <PrincipalType>0</PrincipalType>
  </Owner>
  <Permissions>
    <AccessPermission>
      <Grantee>
        <SID>S-1-5-11</SID>
        <Name>#AUTHENTICATED-USERS</Name>
      </Grantee>
      <AccessType>1</AccessType>
      <InheritableDepth>0</InheritableDepth>
      <AccessMask>131073</AccessMask>
      <PermissionSource>1</PermissionSource>
    </AccessPermission>
    <AccessPermission>
      <Grantee>
        <SID>S-1-5-21-588586621-1056035706-3148668796-138</SID>
        <Name>bsmith@ALASKA1.LOCAL</Name>
        <ShortName>bsmith</ShortName>
        <DisplayName>Bob Smith</DisplayName>
        <PrincipalType>0</PrincipalType>
      </Grantee>
      <AccessType>1</AccessType>
      <InheritableDepth>0</InheritableDepth>
      <AccessMask>995587</AccessMask>
      <PermissionSource>0</PermissionSource>
    </AccessPermission>
  </Permissions>
</PropertyTemplateObjectSecurity>
...
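The resolution steps, the security map layout and the import-file layout described above, worked through in code. This is an added example written for this page, not code from FileNet P8 or Enterprise Manager (the wizard is a GUI and has no scripting interface). The security map, the "valid principals of the current realm" and the import fragment are constructed to mirror the page's samples; the SID-keyed lookup in the map, the case-insensitive comparison, and the handling of unresolved principals (left untouched and reported, since the page does not show its Step 4) are assumptions; the functions load_map, resolve, apply_map and build_map are hypothetical names.

```python
"""Security Map wizard file formats, scripted: resolve the principals in an
Enterprise Manager import file via a security map and the valid principals of
the destination realm(s), rewrite the file, and emit a new map for review."""
import xml.etree.ElementTree as ET

FIELDS = ("SID", "Name", "ShortName", "DisplayName", "PrincipalType")

# Constructed map (guest -> visitor as on the page, plus a self-mapped well-known
# principal); not a file generated by Enterprise Manager.
SECURITY_MAP = """<SecurityPrincipalMap><PrincipalMap>
<SourcePrincipal><SID>S-1-5-21-588586621-1056035706-3148668796-1105</SID><Name>guest@ALASKA1.LOCAL</Name>
<ShortName>guest</ShortName><DisplayName>Guest User</DisplayName><PrincipalType>1</PrincipalType></SourcePrincipal>
<DestinationPrincipal><SID>S-1-5-21-4242-1407</SID><Name>visitor@DENALI.LOCAL</Name>
<ShortName>visitor</ShortName><DisplayName>Visitor</DisplayName><PrincipalType>1</PrincipalType></DestinationPrincipal>
</PrincipalMap><PrincipalMap>
<SourcePrincipal><SID>S-1-5-11</SID><Name>#AUTHENTICATED-USERS</Name><ShortName /><DisplayName /><PrincipalType>0</PrincipalType></SourcePrincipal>
<DestinationPrincipal><SID>S-1-5-11</SID><Name>#AUTHENTICATED-USERS</Name><ShortName /><DisplayName /><PrincipalType /></DestinationPrincipal>
</PrincipalMap></SecurityPrincipalMap>"""

# Constructed "valid principals of the current realm", keyed by realm name; a
# real run would read them from the directory server.
REALMS = {
    "DENALI.LOCAL": [dict(SID="S-1-5-21-4242-1201", Name="bsmith@DENALI.LOCAL",
                          ShortName="bsmith", DisplayName="Robert Smith", PrincipalType="0")],
    "YUKON.LOCAL": [dict(SID="S-1-5-21-7777-1042", Name="svc_admin@YUKON.LOCAL",
                         ShortName="svc_admin", DisplayName="System Administrator", PrincipalType="0")],
}

# Constructed import fragment in the page's layout: an owner, a grantee carrying
# only SID and Name, a mapped guest, a DisplayName-only match and an orphan.
IMPORT_XML = """<PropertyTemplateObjectSecurity>
<Owner><SID>S-1-5-21-588586621-1056035706-3148668796-138</SID><Name>bsmith@ALASKA1.LOCAL</Name>
<ShortName>bsmith</ShortName><DisplayName>Bob Smith</DisplayName><PrincipalType>0</PrincipalType></Owner><Permissions>
<AccessPermission><Grantee><SID>S-1-5-11</SID><Name>#AUTHENTICATED-USERS</Name></Grantee>
<AccessType>1</AccessType><InheritableDepth>0</InheritableDepth><AccessMask>131073</AccessMask><PermissionSource>1</PermissionSource></AccessPermission>
<AccessPermission><Grantee><SID>S-1-5-21-588586621-1056035706-3148668796-1105</SID><Name>guest@ALASKA1.LOCAL</Name>
<ShortName>guest</ShortName><DisplayName>Guest User</DisplayName><PrincipalType>1</PrincipalType></Grantee>
<AccessType>1</AccessType><InheritableDepth>0</InheritableDepth><AccessMask>131073</AccessMask><PermissionSource>0</PermissionSource></AccessPermission>
<AccessPermission><Grantee><SID>S-1-5-21-588586621-1056035706-3148668796-1133</SID><Name>ADMIN_SYSTEM@ALASKA1.LOCAL</Name>
<ShortName>ADMIN_SYSTEM</ShortName><DisplayName>System Administrator</DisplayName><PrincipalType>0</PrincipalType></Grantee>
<AccessType>1</AccessType><InheritableDepth>0</InheritableDepth><AccessMask>995587</AccessMask><PermissionSource>0</PermissionSource></AccessPermission>
<AccessPermission><Grantee><SID>S-1-5-21-588586621-1056035706-3148668796-2001</SID><Name>jdoe@ALASKA1.LOCAL</Name>
<ShortName>jdoe</ShortName><DisplayName>Jane Doe</DisplayName><PrincipalType>0</PrincipalType></Grantee>
<AccessType>1</AccessType><InheritableDepth>0</InheritableDepth><AccessMask>131073</AccessMask><PermissionSource>0</PermissionSource></AccessPermission>
</Permissions></PropertyTemplateObjectSecurity>"""


def _fields(node):
    """The page's principal elements; a missing or empty one (<ShortName />) is ''."""
    return {f: (node.findtext(f) or "").strip() for f in FIELDS}


def load_map(xml_text):
    """Parse a <SecurityPrincipalMap> into (source, destination) field dicts."""
    root = ET.fromstring(xml_text)
    if root.tag != "SecurityPrincipalMap":
        raise ValueError("not a security map file: root element is <%s>" % root.tag)
    return [(_fields(pm.find("SourcePrincipal")), _fields(pm.find("DestinationPrincipal")))
            for pm in root.findall("PrincipalMap")]


def resolve(principal, map_entries, realms):
    """Best match for one principal: an explicit map entry (matched on SID, an
    assumption taken from the page's <SID> description), then the page's steps:
    Name, then ShortName and DisplayName iterated over every realm, first match
    wins. Comparisons are case-insensitive (assumption). Unresolved -> None."""
    for src, dst in map_entries:
        if src["SID"] == principal["SID"]:
            return dst, "map"
    for step in ("Name", "ShortName", "DisplayName"):
        wanted = principal[step].lower()
        if not wanted:                 # e.g. a Grantee carrying only SID and Name
            continue
        for members in realms.values():
            for candidate in members:
                if candidate[step].lower() == wanted:
                    return candidate, step
    return None, "unresolved"


def apply_map(import_xml, map_entries, realms):
    """Rewrite every <Owner>/<Grantee>; returns (xml, {source Name: how matched}).
    Unresolved principals are left untouched and reported for manual review."""
    root, report = ET.fromstring(import_xml), {}
    for node in root.iter():
        if node.tag not in ("Owner", "Grantee"):
            continue
        src = _fields(node)
        dst, how = resolve(src, map_entries, realms)
        report[src["Name"]] = how
        for f in FIELDS:
            child = node.find(f)
            if dst and child is not None and dst[f]:   # empty map field: keep source
                child.text = dst[f]
    return ET.tostring(root, encoding="unicode"), report


def build_map(import_xml, map_entries, realms):
    """Emit a new <SecurityPrincipalMap> covering every principal in the import
    file; unresolved ones get an empty DestinationPrincipal to fill in by hand."""
    out, seen = ET.Element("SecurityPrincipalMap"), set()
    for node in ET.fromstring(import_xml).iter():
        src = _fields(node)
        if node.tag not in ("Owner", "Grantee") or src["SID"] in seen:
            continue
        seen.add(src["SID"])
        dst = resolve(src, map_entries, realms)[0] or {}
        pm = ET.SubElement(out, "PrincipalMap")
        for tag, p in (("SourcePrincipal", src), ("DestinationPrincipal", dst)):
            holder = ET.SubElement(pm, tag)
            for f in FIELDS:
                ET.SubElement(holder, f).text = p.get(f) or None
    return ET.tostring(out, encoding="unicode")
```

Running apply_map(IMPORT_XML, load_map(SECURITY_MAP), REALMS) resolves the owner through ShortName in DENALI.LOCAL, guest and #AUTHENTICATED-USERS through the map, ADMIN_SYSTEM through DisplayName in YUKON.LOCAL, and reports jdoe as unresolved while leaving that Grantee as it was. Two things are worth reviewing in the map that build_map writes before trusting it: an unresolved grantee is an ACE that will point at an account the destination realm does not know, and because ShortName and DisplayName matching take the first hit across realms, a short name that exists in more than one realm resolves to whichever realm is searched first, which silently grants the permission to the wrong account.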
To run the Security Map wizard using Enterprise Manager: