After you define the security principal half maps for the
source and destination environments, you can combine them to create
a security principal data map.
If a user or group has administrative privileges in the
source environment, ensure that the corresponding user or group in
the destination environment also has administrative privileges. If
the security principal does not have appropriate privileges, problems
occur when you access objects.
To create a security principal data map for a source-destination
pair:
1. In the FileNet® Deployment Manager tree view pane, expand the
   Source-Destination Pairs node, and then double-click the
   source-destination pair.
2. If security principal data is not to be used when data is converted
   for import, clear the Use check box for the security principal map.
   If you clear this check box, the security principal data map is not
   used and, therefore, you do not need to populate the data map. You
   can skip steps 3 and 4.
   Clear the Use check box only if you are sure that all referenced
   principals have the same names and IDs in both environments.
   Typically, the principals have the same names and IDs only if the
   environments use the same LDAP provider. If you are not sure, leave
   this check box checked.
3. Click the Map Data radio button for Security Principal Map to create
   a security principal data map. FileNet Deployment Manager maps the
   user or group in the destination environment that corresponds to
   each user or group in the source environment and updates the data
   map of the security principals to reflect these mappings.
4. If the data map contains users or groups that FileNet Deployment
   Manager cannot map, complete one of the following steps if you want
   to resolve the unmapped entries:
   - Modify the users and groups in the source and destination
     environments to eliminate the inconsistencies. Then, re-create the
     half maps and the data map.
   - Re-create the security principal half maps with different
     selection criteria and then re-create the data map.
   - Edit the security principal data map to add matching labels for
     any unmapped users or groups. For more information, see Viewing
     or updating a data map.
   - Edit the security principal half maps directly to add matching
     labels for any unmapped users or groups. Then, re-create the
     security principal data map. For more information, see Editing
     labels in a half map.
Tip: If you use labels to resolve unmapped entries, be aware that
FileNet Deployment Manager supports both one-to-one and many-to-one
correspondence between mapped security principals. That is, you can
use a label for a single, or multiple, source security principals and
a single destination security principal. For more information, see
Creating a security principal data map.
FileNet Deployment Manager does not support one-to-many correspondence
between mapped security principals. If you attempt such a mapping, an
error occurs.
Many-to-one security principal mappings
For security principals, in addition to one-to-one mappings, FileNet
Deployment Manager also allows many-to-one mappings. In a many-to-one
mapping, multiple users or groups on the source system are mapped to a
single user or group on the target system. In FileNet P8, each security
principal has unique access rights when it is associated with an
object. When multiple source security principals are mapped to a single
target security principal, the access rights of the resulting security
principal for an object in the target system are the combined result of
the previous access rights of the security principals in the source
system. As a result, the access rights of the target security principal
to various objects in the target system might change when other source
security principals that are mapped to the same target security
principal also have access to the same objects.
Many-to-one mappings
of security principals are useful in the following situations:
- One or more users or groups were deleted from the LDAP system,
but were not deleted from the object store. To prevent these deleted
users or groups from causing an error during asset conversion, you
can map them to a single user or group on the target environment.
- Multiple users or groups on the source environment must be combined
to a single user or group on the target environment.
Tip: Ensure that you do not map source administrative
users (including the GCD administrator) to a target user or group
that has 'Deny' access.
During asset conversion,
FileNet Deployment Manager examines object store
and security principal data maps for duplicates according to the
following sequence:
- Object store data maps are examined for any many-to-one or one-to-many
mappings. If any of these mappings exist, an error dialog displays,
an error is added to the log, and the asset conversion operation is
canceled.
- Security principal data maps are examined for any one-to-many
mappings. If any of these mappings exist, an error dialog displays,
an error is added to the log, and the asset conversion operation
is canceled.
- Security principal data maps are examined for any many-to-one
mappings. If any of these mappings exist, a warning is added to the
log. In addition, if the Enable warning window for many-to-one principal
mapping preference is enabled, a warning is displayed. For more information
about FileNet Deployment
Manager preferences, see Set preferences.
Important: Service data maps are not checked
for duplicates.
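The two rules described above (the combined access rights of a many-to-one target principal, and the duplicate checks that run in sequence during asset conversion) as a small Python model. This is an added example, not FileNet Deployment Manager code: the half-map entries, principal ids, right names, and the set-union combination of rights are constructed assumptions for illustration, and the page itself does not specify how rights are combined beyond calling the result "combined".

```python
"""Model of the security principal mapping rules described on this page:
label matching, the one-to-many / many-to-one checks, and the combined
rights of a many-to-one target. Added example, not FileNet code."""
from collections import defaultdict


def build_data_map(source_half_map, dest_half_map):
    """Pair source entries with destination entries that carry the same label.

    Each half map is a list of (principal id, label). Returns the data map as
    a list of (source id, destination id) pairs plus the source ids that found
    no counterpart. A label shared by several source entries and one
    destination entry yields a many-to-one mapping; a label shared by one
    source entry and several destination entries yields one-to-many.
    """
    by_label = defaultdict(list)
    for dest_id, label in dest_half_map:
        by_label[label].append(dest_id)
    pairs, unmapped = [], []
    for src_id, label in source_half_map:
        targets = by_label.get(label, [])
        if not targets:
            unmapped.append(src_id)
        pairs.extend((src_id, dest_id) for dest_id in targets)
    return pairs, unmapped


def find_duplicates(pairs):
    """Return (one_to_many, many_to_one): source ids that map to several
    destinations, and destination ids that several sources map onto."""
    dests_of = defaultdict(set)
    sources_of = defaultdict(set)
    for src_id, dest_id in pairs:
        dests_of[src_id].add(dest_id)
        sources_of[dest_id].add(src_id)
    one_to_many = sorted(s for s, d in dests_of.items() if len(d) > 1)
    many_to_one = sorted(d for d, s in sources_of.items() if len(s) > 1)
    return one_to_many, many_to_one


def examine_maps(object_store_pairs, principal_pairs):
    """Apply the duplicate checks in the documented order.

    Returns (cancelled, errors, warnings). Object store maps fail on either
    kind of duplicate; principal maps fail on one-to-many and only warn on
    many-to-one. Service data maps are not examined at all.
    """
    errors, warnings = [], []
    otm, mto = find_duplicates(object_store_pairs)
    if otm or mto:
        errors.append(f"object store map: one-to-many={otm} many-to-one={mto}")
        return True, errors, warnings
    otm, mto = find_duplicates(principal_pairs)
    if otm:
        errors.append(f"principal map: one-to-many={otm}")
        return True, errors, warnings
    for dest_id in mto:
        warnings.append(f"principal map: many-to-one onto {dest_id}")
    return False, errors, warnings


def effective_rights(source_acl, principal_pairs):
    """Rights each destination principal ends up with on one object.

    source_acl maps a source principal id to its set of rights on the object.
    When several sources map onto one destination, this model combines their
    rights as a set union (an assumption; the page only says "combined").
    """
    dest_of = dict(principal_pairs)  # valid only once one-to-many is excluded
    combined = defaultdict(set)
    for src_id, rights in source_acl.items():
        if src_id in dest_of:
            combined[dest_of[src_id]] |= set(rights)
    return {dest: sorted(rights) for dest, rights in combined.items()}


# Constructed sample half maps (ids, labels and right names are made up).
SOURCE_HALF_MAP = [
    ("src-alice", "alice"),
    ("src-bob", "bob"),
    ("src-carol", "archived"),   # deleted from LDAP but still in the object store
    ("src-dave", "archived"),    # same case: both fold onto one destination group
    ("src-ghost", "ghost"),      # no counterpart: stays unmapped
]
DEST_HALF_MAP = [
    ("dst-alice", "alice"),
    ("dst-bob", "bob"),
    ("dst-archived-users", "archived"),
]

if __name__ == "__main__":
    pairs, unmapped = build_data_map(SOURCE_HALF_MAP, DEST_HALF_MAP)
    print("unmapped:", unmapped)
    print("checks:", examine_maps([("os-src", "os-dst")], pairs))
    acl = {"src-carol": {"VIEW"}, "src-dave": {"VIEW", "MODIFY"}, "src-alice": {"OWNER"}}
    print("effective rights:", effective_rights(acl, pairs))
```

Running it shows why the page warns about many-to-one mappings: `dst-archived-users` inherits the union of what `src-carol` and `src-dave` each held, so a principal that only had VIEW on an object in the source can end up with MODIFY in the target. The same logic is why mapping a source administrator onto a target principal that carries a Deny entry is dangerous, since the combined result applies to every object those sources touched.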