Role Mining Novell Trustees

1. Converting all Novell Rights Information

Under Novell, permissions (trusts) can be placed on objects other than users or groups. We integrated an intelligent role mining mechanism into migRaven, which guarantees that no information is lost while still following best practice.

1.1. This is how it works:

  1. The group type for the permission group is defined in migRaven: Domain local, global, or universal groups are available for selection
  2. Definition of the name concept for the permission groups

1.2. Transferring the rights from Novell to Microsoft:

  1. Trustee information is imported into migRaven
  2. A reconciliation is performed against the eDirectory via LDAP: Every trustee is resolved via LDAP and handled individually.

1.3. Translation of the Novell Trusts to Microsoft:

Please Note: Permissions can only be transferred if the corresponding user already exists in the AD! migRaven does not create any user accounts! The matching is done via the sAMAccount. This must correspond to the CN in the eDirectory. If the value does not correspond, an adaptation of migRaven is needed -> Please contact us in this case.

  1. Analysis of the accounts from the trustee-info via LDAP in the eDirectory: What is it? A user or a container?
  2. Users are directly transferred into the permission groups.
  3. Containers are resolved and checked for multiple applications.
  4. If rights are only used once: Members become direct members of the permission group.
  5. If a container applies multiple times to trusts: All members are placed in a role group, which itself is a member of the permission group for the directories, where, previously under.
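
The translation steps above, sketched as an added Python example; it is not migRaven code. The trustee list, the eDirectory lookup table, the AD account set and the `DL_`/`R_` name formats are constructed assumptions, as is reporting the accounts that have no AD match.

```python
from collections import defaultdict

# Constructed sample data, not migRaven output: (directory, trustee CN) pairs.
TRUSTEES = [
    ("/data/purchase", "ou-purchase"),
    ("/data/orders", "ou-purchase"),
    ("/data/hr", "ou-hr"),
    ("/data/hr", "asmith"),
    ("/data/orders", "ghost"),
]
# Constructed stand-in for the eDirectory LDAP lookup: CN -> (object kind, member CNs).
EDIR = {
    "ou-purchase": ("container", ["jdoe", "mlee"]),
    "ou-hr": ("container", ["asmith", "bkim"]),
    "asmith": ("user", []),
    "ghost": ("user", []),
}
# Constructed set of account names that already exist in the AD.
AD_ACCOUNTS = {"jdoe", "mlee", "asmith", "bkim"}


def mine_roles(trustees, edir, ad_accounts, perm_fmt="DL_{}", role_fmt="R_{}"):
    """Return (permission_groups, role_groups, skipped_accounts)."""
    known = {a.lower() for a in ad_accounts}
    uses = defaultdict(set)  # container CN -> directories it is a trustee on
    for directory, cn in trustees:
        if edir[cn][0] == "container":
            uses[cn].add(directory)
    perm, roles, skipped = defaultdict(set), {}, set()

    def existing(cns):
        # No accounts are created: CNs without a matching AD account are reported.
        found = {c for c in cns if c.lower() in known}
        skipped.update(set(cns) - found)
        return found

    for directory, cn in trustees:
        group = perm_fmt.format(directory.strip("/").replace("/", "_"))
        kind, members = edir[cn]
        if kind == "user":                    # step 2: user goes in directly
            perm[group] |= existing([cn])
        elif len(uses[cn]) == 1:              # step 4: container used once
            perm[group] |= existing(members)
        else:                                 # step 5: reused container -> role group
            role = role_fmt.format(cn)
            roles[role] = existing(members)
            perm[group].add(role)
    return dict(perm), roles, skipped
```

The `skipped` set is what to review before cut-over: every entry is a trustee whose access would otherwise disappear without notice after the migration.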

List permissions are also created in this process. This follows the minimal principle, analogous to Novell. The future file system under Microsoft behaves exactly as under Novell. Inheritance of permissions does not need to be broken, and ABE is fully supported. The user should not notice any difference after the migration.

The objective is to carry out a very clean transition. Here the AG-DL-P or the A-DL-P principle is implemented, depending on what makes sense in the individual case.

We recommend a double group strategy. The first group bundles accounts that are reused in the same constellation in different places (role: for example, a group containing all employees of the "purchase" department). In this way, user permissions can be granted (and withdrawn) very quickly across multiple directories.

Please Note: Permissions provided by migRaven are always structured in permission groups.
