Instructions: introducing to IDM system

1. Create project and read in directories

Create new project - read in directories and authorizations

In migRaven, one always works with projects. A project is a logical unit, which is to be processed, for example a share or a directory below a share. Best is the point which is mounted in case of users or integrated into the DFS. Thus one ensures that all Authorizations - including the list of authorizations - are correctly created by migRaven, Via the title "Administer projects", you arrive at the point, where new projects can be created, processed or deleted.

The prerequisite for creating new projects is at least the domain was scanned once.

Project Start

Best Practice: Create a new project by share.

If you define the individual shares as independent projects, then you have time to process it in peace and copy the data into new directories "Step by Step" and then assign to the users.

For example Project1: "\\ server \ data \ management \ accounting"

Project2: "\\ server \ data \ management \ purchase" etc.

Then enter the UNC path till the directory (project) to be scanned. Please check once again if this path is attainable, above all with your login data.

Please consider: According to your Windows login, MigRaven can only scan the directories, which you may access, therefore you must execute the program always as administrator.

Scan depth and threads for scan:

These settings have significant effects on the size of the database and the speed of the scan.

Scan depth:

The scan depth should be as low as you can to select and set the authorizations in the folders. (The more deep a scan is, the longer it takes to scan and the larger becomes the database.)

Threads for scanning:

The more threads you select, the higher the process load is. Recommendation: max. 2 threads / core. You immediately experience while scanning there are too many threads. This makes the java process noticeable.

2. Identify all relevant directories in migRaven

3. Export all directories, which should be authorized in future

4. Complete the list in Excel

5. Import the list in migRaven

6. Prepare new groups in migRaven

In this step the groups are formed and nested by migRaven within the database.

In addition to this, the following must be determined in the group configuration:

  • The type of group
  • The naming of the groups
  • How far should the list be right
  • The storage location of the (OU) groups

The last step does not take place in the AD and / or on the file system, whichever

  • The groups of migRaven are automatically created and nested in AD and
  • The actual implementation takes place in the file system.

Hereby one complies with the group configuration (domain local or universal groups, list authorizations or not, etc.)

7. Create and nest new groups in the AD

In this step, the groups are finally created and nested in the AD.

migRaven carries out the following steps:

  • The groups are created LIVE in the AD,
  • The authorization groups with the list groups are nested and
  • The users / groups are included in the authorization groups.
  • The authorization / list groups are automatically stored in OU, which must be defined in the group configuration.

If these steps are completed, it has been completed in the next step through migRaven, Please be cautious of the fact that only the number of group memberships of the users increase. Please focus on the size of the Kerberos token.

Deploy Groups

8. Write new authorizations in the directories

In this step, the new directories are created and rights are created.

Following steps are processed:

  • The directories are created, for which authorizations are provided.
  • Directories are provided for which list rights are only available for this folder.
  • Underlying directories are created according to our configuration with authorization groups. The groups are created for the authorization end point, but receive here only list right.
  • In case of authorized directories, several authorization groups can be entered, one with read-execute-rights, one with read-write-rights and one with modify-rights. Authorization groups with full control rights should have exceptions.
  • These rights are transmitted to the secondary directories.
  • Secondary directories can get further authorization groups.

9. Result control

Control whether the newly generated authorizations correspond with the expectations in the green meadow

After successfully generating the "Green Meadow" through migRaven, the result should be verified. This is just possible when one generates a new project with the newly created directory tree.

Green meadow
In the "View" area of migRaven, the result can then be considered.

10. Export the relevant data and import to your IDM (for example FIM, Varonis, Omada)

Permanent link to this post: