IBM FileNet P8, Version 5.2.1

Creating a security principal data map

After you define the security principal half maps for the source and destination environments, you can combine them to create a security principal data map.

If a user or group has administrative privileges in the source environment, ensure that the corresponding user or group in the destination environment also has administrative privileges. If the security principal does not have appropriate privileges, problems occur when you access objects.

To create a security principal data map for a source-destination pair:

  1. In the FileNet® Deployment Manager tree view pane, expand the Source-Destination Pairs node, and then double-click the source-destination pair.
  2. If security principal data is not to be used when data is converted for import, clear the Use check box for the security principal map.

    If you clear this check box, the security principal data map is not used and, therefore, you do not need to populate the data map. You can skip steps 3 and 4.

    Clear the Use check box only if you are sure that all referenced principals have the same names and IDs in both environments. Typically, the principals have the same names and IDs only if the environments use the same LDAP provider. If you are not sure, leave this check box checked.

  3. Click the Map Data radio button for Security Principal Map to create a security principal data map. FileNet Deployment Manager maps the user or group in the destination environment that corresponds to each user or group in the source environment and updates the data map of the security principals to reflect these mappings.
  4. If the data map contains users or groups that FileNet Deployment Manager cannot map, complete one of the following steps if you want to resolve the unmapped entries:
    • Modify the users and groups in the source and destination environments to eliminate the inconsistencies. Then, re-create the half maps and the data map.
    • Re-create the security principal half maps with different selection criteria and then re-create the data map.
    • Edit the security principal data map to add matching labels for any unmapped users or groups. For more information, see Viewing or updating a data map.
    • Edit the security principal half maps directly to add matching labels for any unmapped users or groups. Then, re-create the security principal data map. For more information, see Editing labels in a half map.
      Tip: If you use labels to resolve unmapped entries, be aware that FileNet Deployment Manager supports both one-to-one and many-to-one correspondence between mapped security principals. That is, a label can associate a single source security principal, or multiple source security principals, with a single destination security principal. For more information, see Many-to-one security principal mappings, later in this topic. FileNet Deployment Manager does not support one-to-many correspondence between mapped security principals. If you attempt such a mapping, an error occurs and the conversion is canceled.

Many-to-one security principal mappings

For security principals, in addition to one-to-one mappings, FileNet Deployment Manager also allows many-to-one mappings. In a many-to-one mapping, multiple users or groups on the source system are mapped to a single user or group on the target system. In FileNet P8, each security principal has its own access rights when it is associated with an object. When multiple source security principals are mapped to a single target security principal, the access rights of the target security principal for an object in the target system are the combination of the access rights that the source security principals had on that object. As a result, the access rights of the target security principal to various objects in the target system might change when other source security principals that are mapped to the same target security principal also have access to the same objects. Deny entries carry over in the same way, so a merged source principal can lose rights that another merged source principal was denied.

Many-to-one mappings of security principals are useful in the following situations:
  • One or more users or groups were deleted from the LDAP system, but were not deleted from the object store. To prevent these deleted users or groups from causing an error during asset conversion, you can map them to a single user or group on the target environment.
  • Multiple users or groups on the source environment must be combined to a single user or group on the target environment.
Tip: Ensure that you do not map source administrative users (including the GCD administrator) to a target user or group that has 'Deny' access.
During asset conversion, FileNet Deployment Manager examines object store and security principal data maps for duplicates according to the following sequence:
  1. Object store data maps are examined for any many-to-one or one-to-many mappings. If any of these mappings exist, an error dialog displays, an error is added to the log, and the asset conversion operation is canceled.
  2. Security principal data maps are examined for any one-to-many mappings. If any of these mappings exist, an error dialog displays, an error is added to the log, and the asset conversion operation is canceled.
  3. Security principal data maps are examined for any many-to-one mappings. If any of these mappings exist, a warning is added to the log. In addition, if the Enable warning window for many-to-one principal mapping preference is enabled, a warning is displayed. For more information about FileNet Deployment Manager preferences, see Set preferences.
Important: Service data maps are not checked for duplicates.
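The following is an added example, not FileNet Deployment Manager code, that models the two behaviours described above: the duplicate check that runs over object store and security principal data maps before conversion (errors for one-to-many, and for many-to-one in object store maps; a warning for many-to-one in principal maps), and how a many-to-one principal mapping merges the access control entries of several source principals under one target principal. The in-memory structures, the principal names, the ACE tuple format and the rule that a Deny overrides an Allow for the same right are constructed for illustration and are not FDM's own XML map formats or API.

```python
"""Added example (not FileNet Deployment Manager code): a small model of (1) the
duplicate check FDM runs over object store and security principal data maps
before conversion and (2) how a many-to-one principal mapping merges access
control entries (ACEs) on a converted object.  All names, structures and the
Deny-wins merge rule are constructed assumptions, not FDM's formats or API."""
from collections import defaultdict


def check_data_map(pairs, kind):
    """Classify a data map's (source, destination) pairs.

    kind is "objectstore" or "principal".  Following the sequence on this
    page: object store maps reject both many-to-one and one-to-many;
    principal maps reject one-to-many and only warn on many-to-one.
    Returns (errors, warnings) as lists of strings.
    """
    by_src, by_dst = defaultdict(set), defaultdict(set)
    for src, dst in pairs:
        by_src[src].add(dst)
        by_dst[dst].add(src)
    errors, warnings = [], []
    for src, dsts in by_src.items():
        if len(dsts) > 1:
            errors.append(f"one-to-many: {src} -> {sorted(dsts)}")
    for dst, srcs in by_dst.items():
        if len(srcs) > 1:
            msg = f"many-to-one: {sorted(srcs)} -> {dst}"
            (errors if kind == "objectstore" else warnings).append(msg)
    return errors, warnings


def convert_acl(acl, principal_map):
    """Rewrite a source object's ACL through the principal data map.

    acl is a list of (principal, "Allow"|"Deny", right).  A principal with no
    destination entry raises, mirroring the conversion error for an unmapped
    principal.  When several source principals map to the same destination,
    their ACEs are merged under that single destination principal.
    """
    merged = defaultdict(lambda: {"Allow": set(), "Deny": set()})
    for principal, access_type, right in acl:
        if principal not in principal_map:
            raise KeyError(f"unmapped security principal: {principal}")
        merged[principal_map[principal]][access_type].add(right)
    return {p: {t: sorted(r) for t, r in aces.items()} for p, aces in merged.items()}


def effective_rights(aces):
    """Assumption for this example: a Deny ACE overrides an Allow for the same
    right on the same object, so a merged principal keeps only the rights that
    none of the merged source principals was denied."""
    return sorted(set(aces["Allow"]) - set(aces["Deny"]))


# Constructed sample data (not taken from any real environment).
SOURCE_ACL = [
    ("cn=alice,o=old", "Allow", "VIEW_CONTENT"),
    ("cn=editors,o=old", "Allow", "VIEW_CONTENT"),
    ("cn=editors,o=old", "Allow", "DELETE"),
    ("cn=contractors,o=old", "Allow", "VIEW_CONTENT"),
    ("cn=contractors,o=old", "Deny", "DELETE"),
]

# Two source groups deliberately collapse onto staff@new: a many-to-one map.
PRINCIPAL_MAP = {
    "cn=alice,o=old": "alice@new",
    "cn=editors,o=old": "staff@new",
    "cn=contractors,o=old": "staff@new",
}


if __name__ == "__main__":
    errors, warnings = check_data_map(PRINCIPAL_MAP.items(), "principal")
    print("errors:", errors)       # empty: many-to-one is only a warning here
    print("warnings:", warnings)   # the editors/contractors merge onto staff@new
    converted = convert_acl(SOURCE_ACL, PRINCIPAL_MAP)
    for dst, aces in converted.items():
        print(dst, aces, "effective:", effective_rights(aces))
    # staff@new loses DELETE: the contractors' Deny now binds the former editors.
```

Running the script shows why the page warns about Deny on the target side of a many-to-one mapping: the former editors group had DELETE on the object, but after the merge the contractors' Deny applies to everyone behind staff@new, and the effective right set shrinks to VIEW_CONTENT. The same check_data_map function, called with kind "objectstore", turns the many-to-one case into an error, matching the stricter rule for object store maps.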


Last updated: October 2015
deploy_mgr_howto_security_principal_data_map.htm

© Copyright IBM Corporation 2015.