19.7 Migrating to CPRS

Migration to CPRS does not change the resource settings. It only changes the mode of permission reconciliation.This section explains how to migrate resource configurations to CPRS.

19.7.1 Prerequisites

Before migrating the resources, review the following considerations:

19.7.2 Managing Existing Permissions for AD and LDAP Drivers

Managing existing permissions involves migrating the existing resources and creating CPRS settings for those resources in the identity applications. The procedure is similar for AD and LDAP drivers. The following procedure uses LDAP driver as an example.

  1. Navigate to Administration > Configuration > Permission Reconciliation and enable Permission Reconciliation.

  2. In the Permission Reconciliation Settings Edit page, select an entitlement. For example: LDAP_Groups.

  3. Select an existing resource. For example: Group_Membership_PCRS.

    NOTE:You can select one or more resources for a multivalued entitlement.

  4. Click Save.

  5. Compute and publish permissions for Group_Membership_PCRS entitlement.

19.7.3 Managing Permissions for a MDAD Driver

  1. Set Add Logical System information to Entitlement Values to Yes in Global Configuration Values using iManager or Designer.

    Enabling this option makes all the existing resources for an entitlement invalid. Therefore, you need to recreate the resources and publish the assignments.

  2. Navigate to Administration > Resource and create new resources that have Logical System with entitlements.

  3. In the Permission Reconciliation Settings Edit page, select an entitlement. For example, MDAD_Groups.

  4. Select a Logical System and map the newly created resource with the new entitlement values.

    NOTE:You can select one or more resource for a multivalued entitlement.

  5. Click Save.

  6. Compute and publish permissions for MDAD_Groups entitlement.

19.7.4 Post Migration Activities

Few eDirectory objects created during PCRS are not cleaned up during CPRS package upgrade. Manually remove the following eDirectory objects from the driver object path after entitlement package upgrade:

  • PermissionOnboarding

  • Group_values

  • PermissionEntMapping

  • PermissionNameToFile

  • StaticValueEntitlementMap

  • EntitlementLLIDMapping (Only for MDAD)

HINT:Use idapps.out and driverset log files to trace the CPRS actions and events.