10.5 Creating and Modifying an Identity Map

Micro Focus Storage Manager for Active Directory uses an identity map to make associations between the users, groups, and containers that are the owners and trustees of the Novell or Micro Focus network data and the corresponding data owners on the Microsoft network target.

You create a single identity map for each eDirectory tree that you are migrating.

IMPORTANT: You must create an identity map so that file and folder rights, trustee assignments, and other metadata are maintained during the migration. If you do not want to maintain these rights, trustee assignments, and other metadata, you can skip this section and migrate using the Data Only option from the Migration Wizards menu.

10.5.1 Creating an Identity Map

  1. In SMAdmin, click the Home tab.

  2. Click Cross-Empire Data Migration > eDirectory to Active Directory.

  3. Click Identity Map Management > Edit Identity Map.

    The following page appears:

    The page displays an initial identity map with a small number of suggested entries that you can append.

  4. Do one of the following:

Importing Identity Associations through Delimited Text

If you have a delimited text CSV file that associates eDirectory user and group objects with Active Directory user and group objects, you can import it into the identity map using the Import Identity Map from Delimited Text option.

The CSV file can have entries using either typeful or typeless Fully Distinguished Names (FDNs).

  1. Select Load > Import Identity Map from Delimited Text.

  2. Click Browse.

  3. Select the CSV file, then click Open.

    The following page appears and specifies whether the names in the CSV file are formatted properly.

  4. (Conditional) If incorrect options in the Source Type or Target Type fields are displayed, select the correct options.

  5. Click Next.

    The following page appears and specifies whether the user and group objects exist in eDirectory and Active Directory.

  6. Click Next.

  7. Click Finish.

  8. Click Apply to save the updated identity map.

  9. (Conditional) If you have additional users to import from another delimited text CSV file, select the new CSV file and repeat the procedures in this section.

  10. (Conditional) If you need to add additional users that were not listed in the CSV file, proceed to Creating Object Associations.
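
A pre-import check for such a CSV file, as an added example (not part of the product or its documentation). It assumes a two-column layout of source FDN and target SAM account name, and does not handle escaped dots in names; the function names and sample rows are constructed. It reports how many names are typeful or typeless, and flags malformed names, sources with no target, and one source object listed with two different targets, which would otherwise leave it ambiguous which account inherits the rights.

```python
import csv
import re

# Constructed sample. Assumed layout: column 1 = eDirectory FDN,
# column 2 = target SAM account name. All names are made up.
SAMPLE_CSV = """\
cn=jsmith.ou=sales.o=acme,jsmith
mjones.sales.acme,mjones
JSmith.Sales.Acme,jsmith-admin
cn=temp..o=acme,temp
cn=kbrown.ou=hr.o=acme,
"""

TYPEFUL = re.compile(r"[A-Za-z]+=[^.=,]+(\.[A-Za-z]+=[^.=,]+)*")
TYPELESS = re.compile(r"[^.=,]+(\.[^.=,]+)*")

def fdn_style(name):
    """Classify an FDN as 'typeful', 'typeless' or 'malformed'."""
    name = name.strip().lstrip(".")  # tolerate the leading dot of an FDN
    if TYPEFUL.fullmatch(name):
        return "typeful"
    if TYPELESS.fullmatch(name):
        return "typeless"
    return "malformed"

def canonical(name):
    """Typeless, lower-case form, so both spellings of one object compare equal."""
    parts = name.strip().lstrip(".").lower().split(".")
    return ".".join(p.split("=", 1)[-1].strip() for p in parts)

def check_identity_csv(text):
    """Return (style_counts, findings); findings are (line, message) tuples."""
    styles, findings, first_target = {}, [], {}
    for line, row in enumerate(csv.reader(text.splitlines()), 1):
        if not row:
            continue
        target = row[1].strip().lower() if len(row) > 1 else ""
        style = fdn_style(row[0])
        styles[style] = styles.get(style, 0) + 1
        if style == "malformed":
            findings.append((line, "malformed source name"))
            continue
        if not target:
            findings.append((line, "source has no target"))
            continue
        previous = first_target.setdefault(canonical(row[0]), target)
        if previous != target:
            findings.append((line, f"conflicts with earlier target {previous}"))
    return styles, findings
```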

Creating Object Associations

  1. Click Identity Map Entry Wizard.

  2. Leave the User to User option selected and click Next.

  3. In the Matching Criteria region of the page, use the target drop-down menu to specify if the target accounts to locate are SAM accounts or Common Name (CN) accounts.

    If you need to match using both account types on your target server, you can choose one option now and then run the wizard again and choose the other option. You might need to run the wizard multiple times in order to add all of the users, groups, and containers to the identity map.

  4. In the Source Scope region, browse to and select the source container with the users you want included in the identity map.

  5. In the Target Scope region, browse to and select the target container with the users you want included in the identity map.

  6. Click Next.

  7. (Conditional) Deselect any names you do not want appended to the identity map file.

  8. Click Next.

  9. Click Finish.

    The identity map is appended with the new entries.

  10. Click OK to save the updated identity map.

  11. Repeat Step 4 and Step 5 and select the account type you did not select previously.

  12. Repeat Step 6 through Step 10.

10.5.2 Importing a Source Path List

Depending on the size of your network, you might need to specify a significant number of different source paths as you build your identity map. You can easily import a list of your UNC paths from a text file so that these paths are accessible from a drop-down menu. Additionally, the search is filtered so that it can locate the specific UNC path as you type.

  1. Using a text editor, create a file with UNC paths for each server and volume that you want to import, then save the file.

  2. In SMAdmin, click the Home tab.

  3. Click Cross-Empire Data Migrations > eDirectory to Active Directory.

  4. Select Source Management > Source Path Cache.

  5. Click Load, browse to and select the text file, then click Open.

  6. Click OK.

10.5.3 Adding Source Entries to the Identity Map

Once the identity map has been created, you can add new users or groups at any time.

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migrations > eDirectory to Active Directory.

  3. Select Identity Map Management > Edit Identity Map.

  4. Select Manage Map Entries > Add Source Entries.

  5. In the Add Source Objects page, use the Search Base, Browse button, Search Scope, and Name Mask fields to locate and select the container you want to use for your search.

    If you wish to limit your search to a selected set of object types, under the Class heading, deselect those object types you do not want included in the search.

  6. Click OK.

  7. On the Add Source Object page, click Search.

    By default, all located objects are selected.

  8. Deselect the objects you do not want to append to the identity map.

  9. Click OK.

10.5.4 Adding or Modifying Target Entries to the Identity Map

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migrations > eDirectory to Active Directory.

  3. Select Identity Map Management > Edit Identity Map.

  4. In the Identity Map page, select the listing for the source entry to which you want to add a target or that you want to modify.

  5. Use one of the tabs in the right panel of the Identity Map page to locate and select the desired target.

  6. Specify the object as the new target object.

    For example, if you were using the Browse Targets tab in the example above, you could right-click or drag the object to place it in the Target SAM Account field of the selected source object.

  7. Click Apply to save the modified identity map.

10.5.5 Saving a Local Instance of the Identity Map

When working with identity maps, you might find that you want to experiment with different associations. In such cases, you should have multiple identity maps. To save an identity map that differs from the original, you must save it locally.

  1. Click Save.

  2. Save the XML formatted identity map file to a location you prefer.

10.5.6 Loading a Saved Identity Map

This action retrieves saved versions of identity maps.

  1. Select Load > Import Identity Map File.

  2. Select the file, then click Open.

10.5.7 Generating a Migration Preview Report

Before performing a Cross-Empire Data Migration, you should generate a preview report. The report indicates any concerns that might need to be addressed, such as objects that have file rights but have not yet been mapped in the identity map.

The preview report uses your identity map and scans the file and folder rights assignments and ownership of the data that you will be migrating. It indicates which objects actually have ownership or rights, and whether each object is mapped in the identity map.

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migrations > eDirectory to Active Directory.

  3. Select Source Paths > Generate Preview Report.

  4. In the Base Path field, specify an initial UNC path for a server and volume to browse.

    For example, \\server_name\volume_name\ or \\ip_address\volume_name.

    After you enter a path, you can click the Browse button to browse to the folder you want, such as the Users folder.

  5. Drag the selected folder to the Path pane.

  6. From the Path Scan Options drop-down menu, choose one of the following:

    • Scan Folders Only: Select this option to view the trustee assignments and owners of folders.

    • Scan File Owners: Select this option to view the trustee assignments and owners of folders, along with the owners of files.

    • Scan File Owners and Trustees: Select this option to view the trustee assignments and owners of folders, as well as the trustee assignments and owners of files.

      Depending on the number of files and folders on your Novell or Micro Focus network, the Scan File Owners and Trustees option can take a significant amount of time to generate. We recommend using one of the other options first.

  7. From the Report Type drop-down menu, choose one of the following:

    • Anomaly Report: Depending on which of the File Scan Options is selected, this generates a report of all of the folders and files that have trustees or owners that are not mapped to a target object in the identity map.

    • Full Report: Depending on which of the File Scan Options is selected, this generates a report of all of the folders and files, along with their corresponding owners and trustees, and indicates whether they are mapped to a target object in the identity map or not.

      Depending on the number of files and folders on your Novell or Micro Focus network, generating a full report can take a significant amount of time. We recommend generating an Anomaly report instead.

  8. Click Preview Paths.

  9. Use the tabbed reports to preview targets according to trustees, owners, and unique IDs.

    For example, in the graphic above, the Trustee Entries tab displays the source IDs that have a trustee assignment to a folder but for which a target ID has not yet been created in the identity map.

    The Owner Entries tab displays owners of files and folders that do not have a corresponding target in the identity map.

    The Unique IDs tab displays a single entry for each ID that is mapped in the identity report.

  10. Click Add Entries to add the entries to the identity map.

    The entries are added to the identity map and you can now add target entries by following the procedures in Section 10.5.4, Adding or Modifying Target Entries to the Identity Map.

10.5.8 Adding Entries from Preview Reports

In Step 10 of Section 10.5.7, Generating a Migration Preview Report, you added entries to the identity map by using the Preview Migration Source Path page’s Add Entries button. You can also use the Add Entries from Preview Report option to retrieve any preview report that you have generated for the directory tree you are working with, and add those entries to the identity map.

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migrations > eDirectory to Active Directory.

  3. Select Source Paths > Add Entries from Preview Report.

  4. From the Browse Migration Preview Reports dialog box, select the preview report you want to add, then click OK.

    At this point, you can view the preview report according to the tabbed options.

  5. Click Add to add the entries to the identity map.

    The entries are added to the identity map and you can now add target entries to each by following the procedures under Section 10.5.4, Adding or Modifying Target Entries to the Identity Map.

10.5.9 Review Rights and Trustee Assignment Mappings

Despite the inherent differences in rights, trustee assignments, and permissions between Novell or Micro Focus and Microsoft networks, the Cross-Empire Data Migration subsystem of Storage Manager for Active Directory does its best to match the Novell or Micro Focus rights and trustee assignments with the equivalent Microsoft permissions and advanced permissions.

When you generate a Preview Report, you should pay particular attention to the actual rights in the Assigned Rights column and the proposed file and folder rights listed in the Target Rights column.

You can modify the rights mappings by using the File System Rights Map. Each mapping associates one particular set of rights on the Novell or Micro Focus servers with one particular set of rights on the Microsoft Windows servers. For example, the default mapping maps the Novell or Micro Focus NSS rights RWECMF to the Windows NTFS rights MELRW. Suppose that, when files have this set of rights, you do not want to grant the E (erase) right to files on the target. Using the procedure below, you could change the mapping of Novell or Micro Focus NSS rights RWECMF to the Windows NTFS rights MLRW. This changes the mapping for every file that has that exact set of rights, but it does not change the E mapping in any other set of rights. For instance, trustees that have RWCEF keep their existing mapping, because you changed the mapping only for RWCEMF.

To view or modify these rights:

  1. In SMAdmin, click the Home tab.

  2. Select Cross-Empire Data Migrations > eDirectory to Active Directory.

  3. Select Identity Map Management > File System Rights Map.

  4. In the NSS Rights column, click the rights to see the equivalent NTFS permissions and advanced permissions.

    The default permissions are indicated in green.

  5. Select or deselect permissions as needed.

  6. Click Apply to save the settings.
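
A simplified model of the exact-set behaviour described in this section, combined with the unmapped-trustee check from Section 10.5.7, as an added example (not the product's code or data format). Only the RWECMF to MELRW default and its change to MLRW come from the text above; the RWCEF row, the names, the paths, the function names and the treatment of a rights string as an unordered set are assumptions. After one mapping is changed, it lists the rows whose Target Rights still contain the right you meant to withhold.

```python
# Constructed data throughout, except the RWECMF -> MELRW default mapping.
def key(rights):
    """Assumption: a rights set is order-independent, so RWECMF == RWCEMF."""
    return frozenset(rights.upper())

RIGHTS_MAP = {key("RWECMF"): "MELRW", key("RWCEF"): "ELRW"}
IDENTITY_MAP = {"jsmith.sales.acme": "jsmith", "mjones.sales.acme": "mjones"}
ASSIGNMENTS = [  # (path, trustee, Assigned Rights)
    (r"\\server_name\volume_name\Users\jsmith", "jsmith.sales.acme", "RWCEMF"),
    (r"\\server_name\volume_name\Shared", "mjones.sales.acme", "RWCEF"),
    (r"\\server_name\volume_name\Shared", "oldadmin.it.acme", "RWECMF"),
]

def remap(rights_map, nss, ntfs):
    """Return a copy of the map with one exact NSS rights set remapped."""
    updated = dict(rights_map)
    updated[key(nss)] = ntfs
    return updated

def preview(assignments, identity_map, rights_map):
    """Return (rows, anomalies); a row is (path, target, assigned, target rights)."""
    rows, anomalies = [], []
    for path, trustee, assigned in assignments:
        target = identity_map.get(trustee)
        target_rights = rights_map.get(key(assigned))
        if target is None:
            anomalies.append((path, trustee, "trustee not in identity map"))
        elif target_rights is None:
            anomalies.append((path, trustee, "rights set not in rights map"))
        else:
            rows.append((path, target, assigned, target_rights))
    return rows, anomalies

def still_granting(rows, right):
    """Rows whose Target Rights still contain a right you meant to withhold."""
    return [row for row in rows if right in row[3]]
```

Calling `remap(RIGHTS_MAP, "RWECMF", "MLRW")` and passing the result to `preview` and then `still_granting(rows, "E")` returns only the RWCEF row, which is the set the single edit did not touch.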