After you define the security principal half maps for
the source and destination environments, you can combine them to create
a security principal data map.
If a user or group has administrative
privileges in the source environment, ensure that the corresponding
user or group in the destination environment also has administrative
privileges. If the security principal does not have appropriate privileges,
problems occur when you access objects.
To create a security principal data map for a source-destination
pair:
1. In the FileNet® Deployment Manager tree view pane, expand the Source-Destination Pairs node, and then double-click the source-destination pair.
2. If security principal data is not to be used when data is converted for import, clear the Use check box for the security principal map.
If you clear this check box, the security principal data map is not used and, therefore, does not need to be populated. You can skip steps 3 and 4.
Clear the Use check box only if you are sure that all referenced principals have the same names and IDs in both environments. Typically, the principals have the same names and IDs only if the environments use the same LDAP provider. If you are not sure, leave this check box checked.
3. Click the Map Data radio button for Security Principal Map to create a security principal data map. FileNet Deployment Manager maps the user or group in the destination environment that corresponds to each user or group in the source environment and updates the data map of the security principals to reflect these mappings.
4. If the data map contains users or groups that FileNet Deployment Manager cannot map, complete one of the following steps if you want to resolve the unmapped entries:
   - Modify the users and groups in the source and destination environments to eliminate the inconsistencies. Then, re-create the half maps and the data map.
   - Re-create the security principal half maps with different selection criteria and then re-create the data map.
   - Edit the security principal data map to add matching labels for any unmapped users or groups. For more information, see Viewing or updating a data map.
   - Edit the security principal half maps directly to add matching labels for any unmapped users or groups. Then, re-create the security principal data map. For more information, see Edit labels in a half map.
Tip: If you use labels to
resolve unmapped entries, be aware that
FileNet Deployment
Manager supports both one-to-one
and many-to-one correspondence between mapped security principals.
That is, you can use a label for a single, or multiple, source
security principals and a single destination security principal.
For more information, see
Many-to-one
security principal mappings.
FileNet Deployment
Manager does not support one-to-many
correspondence between mapped security principals. If you attempt
such a mapping, an error occurs.
Many-to-one security principal mappings
For security principals, in addition to one-to-one mappings, FileNet Deployment Manager also allows many-to-one mappings. When a many-to-one mapping of a security principal occurs, multiple users or groups on the source system are mapped to a single user or group on the target system. In FileNet P8, each security principal has unique access rights when it is associated with an object. When multiple source security principals are mapped to a single target security principal, the access rights of the resulting security principal for an object in the target system are the combined result of the previous access rights of the security principals in the source system. As a result, the access rights of the target security principal to various objects in the target system might change when other source security principals that are mapped to the same target security principal also have access to the same objects.
Many-to-one mappings
of security principals are useful in the following situations:
- One or more users or groups were deleted from the LDAP system,
but were not deleted from the object store. To prevent these deleted
users or groups from causing an error during asset conversion, you
can map them to a single user or group on the target environment.
- Multiple users or groups on the source environment must be combined
to a single user or group on the target environment.
Tip: Ensure that you do not map source administrative
users (including the GCD administrator) to a target user or group
that has 'Deny' access.
During asset conversion,
FileNet Deployment
Manager examines object store
and security principal data maps for duplicates according to the
following sequence:
- Object store data maps are examined for any many-to-one or one-to-many
mappings. If any of these mappings exist, an error dialog displays,
an error is added to the log, and the asset conversion operation is
canceled.
- Security principal data maps are examined for any one-to-many
mappings. If any of these mappings exist, an error dialog displays,
an error is added to the log, and the asset conversion operation
is canceled.
- Security principal data maps are examined for any many-to-one
mappings. If any of these mappings exist, a warning is added to the
log. In addition, if the Enable warning dialog box for many-to-one
principal mapping preference is enabled, a warning dialog displays.
For more information about FileNet Deployment
Manager preferences, see Set preferences.
Important: Service data maps are not checked
for duplicates.
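The following is an added example, not code from FileNet Deployment Manager or IBM. It models the half maps and data maps described above as plain Python structures and applies the documented pre-conversion check sequence: any duplicate mapping in an object store map cancels conversion, a one-to-many security principal mapping cancels conversion, and a many-to-one security principal mapping is allowed but logged as a warning. It also implements the earlier tip about source administrators mapped to a target principal with Deny access. The field names (`sid`, `label`, `is_admin`), the SID strings and the label-matching rule used to build the data map are assumptions constructed for this example.

```python
"""Added example (not IBM/FileNet code): half maps, data maps and the
pre-conversion duplicate-check sequence. All names and SIDs are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    sid: str            # constructed sample identifier, not a real directory SID
    name: str
    label: str          # matching label used to pair source with destination
    is_admin: bool = False


@dataclass
class DataMap:
    kind: str                                   # "object_store" or "security_principal"
    pairs: list = field(default_factory=list)   # (source_sid, destination_sid)


def build_data_map(kind, source_half, dest_half):
    """Pair each source entry with every destination entry carrying the same
    label (assumed matching rule). A label reused on several destination
    entries therefore yields a one-to-many mapping, which the checks catch."""
    by_label = defaultdict(list)
    for d in dest_half:
        by_label[d.label].append(d)
    dm = DataMap(kind)
    for s in source_half:
        for d in by_label.get(s.label, []):
            dm.pairs.append((s.sid, d.sid))
    return dm


def unmapped_sources(source_half, data_map):
    """Source entries that found no destination (step 4 above)."""
    mapped = {s for s, _ in data_map.pairs}
    return [s.sid for s in source_half if s.sid not in mapped]


def many_to_one(data_map):
    """Destinations that receive more than one source: {dest: [sources]}."""
    per_dest = defaultdict(set)
    for s, d in data_map.pairs:
        per_dest[d].add(s)
    return {d: sorted(v) for d, v in per_dest.items() if len(v) > 1}


def one_to_many(data_map):
    """Sources mapped to more than one destination: {source: [dests]}."""
    per_source = defaultdict(set)
    for s, d in data_map.pairs:
        per_source[s].add(d)
    return {s: sorted(v) for s, v in per_source.items() if len(v) > 1}


def check_before_conversion(object_store_map, principal_map):
    """Documented sequence. Returns (status, messages) where status is
    'cancel' (conversion would be canceled), 'warn' or 'ok'."""
    msgs = []
    # 1. Object store map: many-to-one OR one-to-many cancels conversion.
    if one_to_many(object_store_map) or many_to_one(object_store_map):
        msgs.append("ERROR: object store map contains many-to-one or one-to-many mappings")
        return "cancel", msgs
    # 2. Security principal map: one-to-many cancels conversion.
    otm = one_to_many(principal_map)
    if otm:
        msgs.append(f"ERROR: one-to-many security principal mappings: {otm}")
        return "cancel", msgs
    # 3. Security principal map: many-to-one is permitted, warning is logged.
    mto = many_to_one(principal_map)
    if mto:
        msgs.append(f"WARNING: many-to-one security principal mappings: {mto}")
        return "warn", msgs
    return "ok", msgs


def admins_mapped_to_deny(source_half, principal_map, deny_targets):
    """Source administrative principals whose destination has 'Deny' access
    (deny_targets: constructed set of destination SIDs with a Deny entry)."""
    admins = {e.sid for e in source_half if e.is_admin}
    return sorted({s for s, d in principal_map.pairs if s in admins and d in deny_targets})


# Constructed sample half maps: two deleted-from-LDAP source principals share
# the label "archive" so they collapse onto one destination (many-to-one).
SRC_PRINCIPALS = [
    Entry("S-src-1", "alice", "alice", is_admin=True),
    Entry("S-src-2", "bob", "bob"),
    Entry("S-src-3", "stale_user", "archive"),
    Entry("S-src-4", "old_svc", "archive"),
    Entry("S-src-5", "carol", "carol"),          # no destination label: unmapped
]
DST_PRINCIPALS = [
    Entry("S-dst-1", "alice", "alice", is_admin=True),
    Entry("S-dst-2", "bob", "bob"),
    Entry("S-dst-9", "archive", "archive"),
]
SRC_STORES = [Entry("OS-src-1", "OS1", "OS1")]
DST_STORES = [Entry("OS-dst-1", "OS1", "OS1")]


def demo():
    os_map = build_data_map("object_store", SRC_STORES, DST_STORES)
    sp_map = build_data_map("security_principal", SRC_PRINCIPALS, DST_PRINCIPALS)
    status, msgs = check_before_conversion(os_map, sp_map)
    return status, msgs, unmapped_sources(SRC_PRINCIPALS, sp_map), \
        admins_mapped_to_deny(SRC_PRINCIPALS, sp_map, {"S-dst-1"})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` yields a `warn` status (the two "archive" sources are a many-to-one mapping), reports `S-src-5` as unmapped, and flags `S-src-1` because its administrative source is mapped to a destination that the constructed `deny_targets` set marks as having Deny access.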
Workplace and Workplace XT user preferences
Do not deploy Workplace or Workplace XT
user preferences objects if you are mapping more than one source security
principal to a single destination security principal. User preferences
embed the SID of the user to which they apply in their folder containment
name. Because the Content Platform Engine server
enforces unique containment names within a folder, an error results
if more than one of those mapped principals contains a user preference
in the deployment data set. Although the user preference objects are
imported successfully, the referential containment relationships that
file them in the Preferences folder cause an import error. As a result,
only a single user preferences object is filed in the Preferences
folder on the target environment; the remaining user preferences
objects are unfiled.
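As an added example (not IBM or FileNet code), the following predicts which user preferences objects in a deployment data set would collide on the destination before the data set is exported, so that the extra objects can be left out rather than left unfiled after import. It assumes a simplified containment name that embeds the owner's SID (the exact naming scheme is not given on this page) and assumes that objects are filed in data-set order, so the first object for each destination name is the one that files; the product does not specify which one wins.

```python
"""Added example (not IBM/FileNet code): predict user preference filing
collisions caused by a many-to-one security principal mapping."""


def containment_name(owner_sid):
    # Assumption: the folder containment name embeds the owner's SID.
    return f"Preferences_{owner_sid}"


def predict_preference_filing(preference_owner_sids, principal_map):
    """preference_owner_sids: source SIDs owning a user preferences object in
    the deployment data set; principal_map: dict source SID -> destination SID.
    Returns (filed, unfiled). Order of the input decides which object files
    (an assumption for this example); later objects whose destination name
    is already taken in the Preferences folder are the ones left unfiled."""
    filed, unfiled, taken = [], [], set()
    for sid in preference_owner_sids:
        dest = principal_map.get(sid, sid)      # unmapped principals keep their SID
        name = containment_name(dest)
        if name in taken:
            unfiled.append(sid)
        else:
            taken.add(name)
            filed.append(sid)
    return filed, unfiled


def owners_to_exclude(preference_owner_sids, principal_map):
    """Source SIDs whose preference objects should be dropped from the data
    set because another source principal maps to the same destination."""
    return predict_preference_filing(preference_owner_sids, principal_map)[1]


# Constructed sample: three source users, two of them mapped to one destination.
SAMPLE_MAP = {"S-src-1": "S-dst-1", "S-src-3": "S-dst-9", "S-src-4": "S-dst-9"}
SAMPLE_PREF_OWNERS = ["S-src-1", "S-src-3", "S-src-4"]

if __name__ == "__main__":
    print(predict_preference_filing(SAMPLE_PREF_OWNERS, SAMPLE_MAP))
```

With the constructed sample, `S-src-1` and `S-src-3` file and `S-src-4` is reported as the object that would remain unfiled; removing it from the deployment data set avoids the import error described above.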
If you imported more than one user preference
that is mapped to the same security principal at the destination and
you want to change the preference document that is filed in the Preferences
folder, use IBM® Administration
Console for Content Platform Engine as
follows:
- Verify that the user preferences document that you want to use
is present, but unfiled. Find it by creating a query or by viewing
the Unfiled Documents container.
- From the Preferences folder, unfile the user preferences document
that you do not want to use.
- File the user preferences document that you want to use in the
Preferences folder.