Migrating essentials

You must consider several factors to develop a complete understanding of migrating user accounts of IBM® Data Server Manager to IBM Db2® Data Management Console.

Deprecated or discontinued functionalities

  • User management feature.
  • Normal authentication (user profiles stored as repository data).
  • Local authorization (user privileges stored as a JSON file).
  • LDAP authentication manual mode.
  • LDAP authentication RACF® mode.
  • LDAP authentication advanced mode multiple base DN.
  • LDAP authentication advanced mode multiple LDAP groups.
  • Repository authentication with Kerberos.

New features

  • Db2 group, role, and authority authorization methods when using repository authentication.
  • LDAP secure connection support.
  • Web GUI for authentication configuration.

Migration restrictions

Before you start to migrate user accounts, you must be aware of the restrictions.

  • Normal authentication and local authorization are no longer supported in IBM Db2 Data Management Console. Both authentication and authorization of IBM Db2 Data Management Console must be delegated to either the repository database or an LDAP server.
  • Only two details of a user account can be migrated: the user name (the login name) and the user privilege (the role, either administrator role or user role). Other details of the user profile, including user passwords, are not migrated.
  • IBM Db2 Data Management Console cannot directly handle your security systems, so manual operations are required. Make sure that you have the necessary privileges to handle the security systems, or contact support.
  • User profile data and user privilege data in IBM Data Server Manager might require repair.
  • The repository database may also delegate its authentication to other security systems. You must handle the user accounts in the delegated systems. Currently, a script for adding users to the repository database and delegating authentication to the OS is provided for the Linux® operating system.
  • If repository database authentication was enabled in IBM Data Server Manager and authorization was NOT performed by Db2 UDF, some Db2 user accounts with high privileges, for example 'db2inst1', would automatically have permission to log in and have the administrator role assigned. However, these user accounts may not be migrated to IBM Db2 Data Management Console. In this authorization mode, only user accounts that have the role explicitly assigned in IBM Data Server Manager will be migrated.
  • LDAP multiple base DN is not supported. You must use a single common base DN. LDAP multiple groups is currently not supported. You must prepare a single administrator group and a single user group that contain all the administrator accounts and non-administrator accounts.
  • At least one administrator account is required in IBM Db2 Data Management Console, even after you delegate authentication to the repository database or an LDAP server.
  • The setup administrator account of IBM Data Server Manager will not be migrated. Only the new setup administrator account created in IBM Db2 Data Management Console will be used for user migration. Once the migration is done, the setup administrator account will be disabled, and you will be able to log in only with the user accounts of the delegated security system.
  • Migration of user accounts must be performed after upgrade. The service of IBM Db2 Data Management Console must be running or should have been started at least once.
  • User accounts cannot be migrated if lightweight mode is selected when upgrading from IBM Data Server Manager to IBM Db2 Data Management Console.
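
For the single common base DN restriction above, one way to find the deepest DN that covers every base DN previously configured in IBM Data Server Manager. This is an added example, not IBM code; the function names and the sample DNs are assumptions constructed for illustration.

```python
def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes per RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def normalize(rdn):
    """Compare RDNs case-insensitively, ignoring spaces around '='.
    Assumption: the directory matches these attributes case-insensitively."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def common_base_dn(base_dns):
    """Return the deepest DN that is an ancestor of (or equal to) every input DN,
    or None when the inputs share no suffix (different directory trees)."""
    paths = [list(reversed(split_rdns(dn))) for dn in base_dns]
    if not paths:
        return None
    shared = []
    for level in zip(*paths):  # walk from the root RDN downwards
        if len({normalize(r) for r in level}) != 1:
            break
        shared.append(level[0])  # keep the spelling used by the first DN
    return ",".join(reversed(shared)) or None

# Constructed sample values, not taken from any real directory.
OLD_BASES = [
    "ou=DBAs,ou=People,dc=example,dc=com",
    "OU=Analysts, OU=People, DC=example, DC=com",
    "ou=Contractors\\, External,ou=People,dc=example,dc=com",
]

if __name__ == "__main__":
    print(common_base_dn(OLD_BASES))
```

A common base DN sits higher in the tree than the original bases, so it covers entries they did not; review which accounts fall under it and which are members of the single administrator group and the single user group.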