Security mapping has always been one of the strongest parts of Notes Migrator for SharePoint and a great differentiator for us.  Someone who is familiar with our rich capabilities in this area will probably be surprised to see how many things we found to add to the list in this release. 

The good part is that while we nearly doubled the capabilities here, we think we actually improved the usability at the same time.  Most people should be able to get by with a few easy-to-understand checkboxes and only a few will need to go into the Advanced areas.  But for those that need it, they will have more power than ever! 

1. First some cosmetic changes. We organized our increasingly confusing array of security mapping checkboxes into dialog groups and have renamed them to be clearer. Hopefully this will make these options easier to understand:

2. One subtle but very useful new feature is the ability to do both “Map Notes Groups to Domain Groups” and “Expand Notes Groups to SharePoint Groups” (they were mutually exclusive before). If you do this, the tool will first try to find a mapping for the group name in the directory or mapping file. If it finds a mapping, it will map to the Domain group. If it doesn’t, it will provision a SharePoint group instead.

3. Similar changes for the security settings on the Database Record and Class Records:

The rest of the changes are in the Advance Security Settings dialog. This is now a tabbed interface and includes a number of new things…

4. For ACL Entry mapping, we introduce a new mode of mapping. “Set explicit SharePoint permissions” is the way we used to do things. “Add to existing SharePoint groups” is the new option.

MOTIVATION: SharePoint has a built in way of managing security via SharePoint groups. Standard site templates all have predefined Owners, Members, and Visitors groups. Even though this is not as fined-grained as Notes security, many customers have requested that we provision security by adding people to one of these built-in groups rather than setting permissions directly on site members.

When “Add to existing SharePoint groups” is selected we now have a full set of mappings (on the third tab) for various ACL levels to SharePoint Groups. The combo boxes will let you select from existing Site groups or the abstract {Owners} {Members} or {Visitors} groups. You can also just type in a new group name. New mappings are similar to the existing ACL Level to SharePoint permission mappings (now on the second tab).

Note that existing jobs will be set to “Set explicit SharePoint permissions” for backward compatibility.

5. If you choose Set explicit SharePoint permissions (the old method) the Permission Mapping tab still applies.

6. Related to (but actually distinct from) the above feature is a new set of options for allowing the renaming of SharePoint Groups we are explicitly provisioning. This works with the existing SharePoint Group Provisioning options (“Expand Notes Roles to SharePoint Groups” and “Expand Notes Groups to SharePoint Groups”) but now gives you a chance to change the group names along the way. Also you can still specify a prefix for the new group name.

In the Group Mapping Dialog, you can enter the specific group mappings you want. Note the use of wildcards in the Notes names.

By mapping a role or Notes group to an existing SharePoint Group, you are effectively saying “add the members to that group”. Otherwise we will create a new SharePoint Group with the desired name. If we are mapping to SharePoint group that is not in the mapping table, we will create a new SharePoint Group with the old Notes role or group name (as we did before).

The “Prevent creation of new SharePoint Groups” option at the bottom of this dialog allows you to limit the number of new groups that are created as a side effect of the user mapping process. If you check this option, only the groups listed in the above mapping table will be used.

7. When migrating document level security (reader/writer fields), you can now disable the automatic adding of users to the site collection that were not already present. In prior versions, the tool added such users with “Limited Access” permission to the site so it could give them access to teh appropriate documents, but now administrators can decide not to allow that.

FAQ: How do the group assignment (#4) and group mapping (#5) relate to the existing user/group mapping process? Not at all! The mapping files and directory lookup options are for Domain groups and are controlled by global options. SharePoint Group names are application/site specific groups and are controlled by the job settings described here.