Mapping Notes Groups to SharePoint Groups 

Notes Migrator for SharePoint has always had a number of capabilities for migrating the security of your Notes applications to the equivalent security constructs in SharePoint.  In particular we have had two distinct "group mapping" options:

  • Map Domino Directory Groups in your application's ACL to Domain Groups (usually AD groups)
  • Generate SharePoint Groups (with members) from Roles in your application's ACL

In both of the above cases, the tool sets the permissions correctly for the site, list, or document you are provisioning. 

With Notes Migrator for SharePoint 5.2, we now support a third option:

  • Generate SharePoint Groups (with members) from Domino Directory Groups in your application's ACL

In other words, as indicated in the dotted line below, we are now crossing the line between domain-level groups (in the directory) and application-level groups (roles).

image

Why are we doing this?  Believe it or not, this has been a very popular request almost since SharePoint 2007 shipped.  As organizations transition from Notes/Domino to the Microsoft platform, they are finding that Active Directory is much more locked-down than Domino Directory ever was.  Organizations no longer want to clutter AD with lots of groups that are used just for one or two applications, so the teams doing migrations and rebuilding applications now need to transition to SharePoint Groups (which are scoped to just one Site Collection) instead of domain-level groups.

 

This feature is now complete in beta 2 of Notes Migrator for SharePoint 5.2 (http://sharepointforall.com/content/NMSP52Beta.aspx). 

You can enable the feature by checking the "Generate SharePoint Groups from ACL Groups" checkbox in individual migration jobs or in the Database property sheet in the Migration Console.  Of course you can also set this in a Class Rule and automatically apply it to all applications belonging to a single class.

image image

To set the members of the new SharePoint Groups, the tool will do lookups in the Domino Directory to get the group members.  It will even recursively expand any sub groups as needed.  The Domino server that is used to resolve groups should be configured via the "Configure Group Resolution Server" button on the Notes tab of the Options dialog.

image

Finally, if both "Map Notes ACL Roles to Domain Groups" and "Map document-level Reader/Writer fields" are checked, then any Domino groups listed in Reader names and Author Names fields of individual groups will also be converted to SharePoint Groups (even if they are not listed in the ACL), as described above.

 
Posted on 27-May-09 by Steve Walch
2 Comments  |  Trackback Url  |  Link to this post | Bookmark this post with:        
Tags: Migration projects, Notes Migrator for SharePoint, Version 5.2
 

Links to this post

Comments

Wednesday, 22 Jul 2009 02:24 by Mehul Bhuva
Hi Steve, It means that users now need not migrate their users/roles from Domino directory users to Active Directory. They can by-pass this step and directly migrate groups/users/roles to a particular Sharepoint site collection. In this case the users/groups wont be available in the Active directory. And since MOSS is tightly bound to AD, this might cause some problems like maintaining User profiles and Synchronizing these migrated users. Can u share some insight on the same.
Wednesday, 5 Aug 2009 07:12 by Steve Walch
The still have to migrate their user accounts to AD, of course. But yes, this new feature could eliminatre the need to migrate any groups. The real issue here is that different organizations will have different ideas about which groups should remain in AD and which should become site-specific groups. Both have their advantages in terms of who can re-use them, who has access to maintain them, etc.
Name:
URL:
Email:
Comments: