Migration to CPRS does not change the resource settings. It only changes the mode of permission reconciliation.This section explains how to migrate resource configurations to CPRS.
Before migrating the resources, review the following considerations:
Upgrade from Identity Manager Engine 4.6.x to 4.7
For more information, see Upgrading Identity Manager Engine (Linux) or Upgrading the Identity Manager Engine (Windows) based on your platform
Upgrade Identity Applications from 4.6.x to 4.7
For more information, see Upgrading Identity Applications (Linux) or Upgrading Identity Applications and Identity Reporting (Windows) based on your platform.
Upgrade the driver packages.
NOTE:The existing MDAD resources become invalid after the driver is upgraded.
For more information, see Upgrading the Driver Packages for Identity Applications (Linux) or Upgrading the Driver Packages for Identity Applications (Windows) based on your platform.
Managing existing permissions involves migrating the existing resources and creating CPRS settings for those resources in the identity applications. The procedure is similar for AD and LDAP drivers. The following procedure uses LDAP driver as an example.
Navigate to Administration > Configuration > Permission Reconciliation and enable Permission Reconciliation.
In the Permission Reconciliation Settings Edit page, select an entitlement. For example: LDAP_Groups.
Select an existing resource. For example: Group_Membership_PCRS.
NOTE:You can select one or more resources for a multivalued entitlement.
Click Save.
Compute and publish permissions for Group_Membership_PCRS entitlement.
Set Add Logical System information to Entitlement Values to Yes in Global Configuration Values using iManager or Designer.
Enabling this option makes all the existing resources for an entitlement invalid. Therefore, you need to recreate the resources and publish the assignments.
Navigate to Administration > Resource and create new resources that have Logical System with entitlements.
In the Permission Reconciliation Settings Edit page, select an entitlement. For example, MDAD_Groups.
Select a Logical System and map the newly created resource with the new entitlement values.
NOTE:You can select one or more resource for a multivalued entitlement.
Click Save.
Compute and publish permissions for MDAD_Groups entitlement.
Few eDirectory objects created during PCRS are not cleaned up during CPRS package upgrade. Manually remove the following eDirectory objects from the driver object path after entitlement package upgrade:
PermissionOnboarding
Group_values
PermissionEntMapping
PermissionNameToFile
StaticValueEntitlementMap
EntitlementLLIDMapping (Only for MDAD)
HINT:Use idapps.out and driverset log files to trace the CPRS actions and events.