Role Mining Novell Trustees

1. Converting all Novell Rights Information

Under Novell, permissions (trusts) can be placed on objects other than users or groups. We integrated an intelligent role mining mechanism into migRaven that guarantees no information is lost: everything is translated into suitable permission group structures that correspond to Microsoft best practice.

1.1. This is how it works:

  1. The group type for the permission groups is defined in migRaven: domain local, global, or universal groups are available for selection.
  2. The naming concept for the permission groups is defined.

1.2. Transferring the rights from Novell to Microsoft:

  1. Trustee information is imported into migRaven.
  2. The trustee information is matched against the eDirectory over LDAP: each trustee entry is resolved over LDAP and handled individually.

1.3. Translation of the Novell-Trusts to Microsoft:

Please note: Permissions can only be transferred if the corresponding user already exists in the AD! migRaven does not create any user accounts! Matching is done on the sAMAccountName, which must correspond to the CN in the eDirectory. If the values do not correspond, migRaven needs to be adapted; please contact us in this case.

  1. The accounts from the trustee information are analysed via LDAP in the eDirectory: is the object a user or a container?
  2. Users are transferred directly into the permission groups.
  3. Containers are resolved and checked for use in more than one trust.
  4. If a container is used only once: its members become direct members of the permission group.
  5. If a container is used in multiple trusts: all its members are placed in a role group, which is itself a member of the permission groups for the directories on which the container was previously authorised under Novell.

List permissions are also created in this process, following the principle of minimal rights, as under Novell. The future file system under Microsoft behaves exactly as it did under Novell. Inheritance of permissions does not need to be interrupted, and Access-Based Enumeration (ABE) is fully supported. The user will not notice any difference after the migration.

The objective is a very clean transition. The A-G-DL-P or the A-DL-P principle is implemented, depending on what makes sense in the individual case.
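
The translation steps in 1.3, sketched as an added example (this is not migRaven code): users go directly into permission groups, a container used once is flattened, and a container used in several trusts becomes a role group nested in each permission group. All DNs, paths, rights labels and the group naming concept are constructed assumptions.

```python
from collections import Counter

# Constructed sample data. DNs, paths, rights labels and the naming
# concept (DL_<path>_<rights>, R_<container>) are assumptions.
EDIR = {  # eDirectory objects as an LDAP lookup would classify them
    "cn=alice,ou=purchase,o=corp": {"type": "user"},
    "cn=bob,ou=purchase,o=corp": {"type": "user"},
    "cn=carol,ou=hr,o=corp": {"type": "user"},
    "cn=dave,ou=hr,o=corp": {"type": "user"},  # has no AD account
    "ou=purchase,o=corp": {"type": "container", "children": [
        "cn=alice,ou=purchase,o=corp", "cn=bob,ou=purchase,o=corp"]},
    "ou=hr,o=corp": {"type": "container", "children": [
        "cn=carol,ou=hr,o=corp", "cn=dave,ou=hr,o=corp"]},
}
AD_SAM = {"alice", "bob", "carol"}  # sAMAccountName values present in AD
TRUSTEES = [  # (directory, trustee DN, rights label)
    ("VOL1/Orders", "ou=purchase,o=corp", "RO"),
    ("VOL1/Suppliers", "ou=purchase,o=corp", "RW"),
    ("VOL1/Personnel", "ou=hr,o=corp", "RO"),
    ("VOL1/Orders", "cn=carol,ou=hr,o=corp", "RO"),
]

def cn_of(dn):
    """Value of the leftmost RDN, lower-cased for matching."""
    return dn.split(",")[0].split("=", 1)[1].lower()

def resolve_users(dn, edir):
    """CNs of all users at or below dn (containers are walked recursively)."""
    if edir[dn]["type"] == "user":
        return {cn_of(dn)}
    return set().union(*(resolve_users(c, edir) for c in edir[dn]["children"]))

def translate(trustees, edir, ad_sam):
    """Return (permission groups, role groups, CNs without an AD account)."""
    uses = Counter(dn for _, dn, _ in trustees if edir[dn]["type"] == "container")
    perm, roles, unmatched = {}, {}, set()
    for path, dn, rights in trustees:
        group = perm.setdefault(f"DL_{path.replace('/', '_')}_{rights}", set())
        users = resolve_users(dn, edir)
        matched = users & ad_sam       # only existing AD users are transferred
        unmatched |= users - matched   # reported, never created
        if uses[dn] > 1:               # container reused: nest a role group
            role = f"R_{cn_of(dn)}"
            roles.setdefault(role, set()).update(matched)
            group.add(role)
        else:                          # user, or container used only once
            group |= matched
    return perm, roles, unmatched

if __name__ == "__main__":
    for name, members in sorted(translate(TRUSTEES, EDIR, AD_SAM)[0].items()):
        print(name, sorted(members))
```

The third return value lists accounts whose CN has no matching sAMAccountName, which is the set to review before the migration, since their permissions would otherwise be dropped.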

We recommend a double group strategy. The first group allows a set of accounts to be reused in the same constellation at different places (a role: for example, a group containing all employees of the “purchase” department). In this way, user permissions can be granted (and withdrawn) very quickly across multiple directories.


Please Note: Permissions provided by migRaven are always structured in permission groups.
