Intelligent Novell Trustee Role Mining

Translating the Novell trusts to Microsoft during the NDS migration:

Under Novell, permissions (trustee assignments) can be set not only on users and groups but also on other objects. An intelligent role-mining algorithm is built into the migration so that no permissions are lost when moving from a Novell system to a Microsoft file server.

Automatic generation of all list permissions during the NDS migration

The list permissions are created in the same process, following the minimum principle as under Novell. The resulting file system and permissions under Microsoft behave exactly as they did under Novell, so users notice nothing of the migration. Access Based Enumeration (ABE) is fully supported.


Technical procedure:

  1. Analysing each account from the trustee information via LDAP in eDirectory: is it a user or a container?
    1. Users: are added directly to the permission groups
    2. Containers: are checked for multiple use
      1. If the container is used only once in trusts: its members become direct members of the permission group
      2. If the container appears multiple times in trusts: all members become members of a role group, which itself is made a member of the permission groups of every directory where the container was previously authorized under Novell.

Permissions can only be transferred if the users or accounts already exist in AD; the migration sets up no user accounts. Matching is carried out on the sAMAccountName, which must correspond to the CN in eDirectory. If the values do not correspond, an adjustment can be made in migRaven; do not hesitate to ask us in that case.

The role groups generated in these cases serve as a summary of individual user groups. It is assumed that the teams already grouped together under Novell are also useful under Microsoft. The role groups allow easy subsequent administration after the migration on the basis of a role concept. The group names will probably need to be adjusted. A role group's name consists of the prefix "RO_" and the old DN from Novell.

Special handling of the various containers:

  1. Groups (groupOfNames) and roles (organizationalRole): only the direct members are read from these containers and transferred either to the permission groups or to the role groups.
  2. OUs (organizationalUnit) and Os (Organization): the members are read by traversal. Every user account below the OU becomes a member of the new permission groups or role groups.
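The following is an added example, not migRaven's own code, that models the whole procedure described on this page in one place: classifying each trustee as user or container, counting multiple use of containers, taking direct members from groups/roles and traversed members from OUs/Os, matching users by sAMAccountName equal to the eDirectory CN (unmatched users are skipped, not created), naming role groups with the "RO_" prefix plus the old DN, and deriving list permissions for parent directories by the minimum principle. The eDirectory snapshot, trustee assignments and set of existing AD accounts are constructed inline; a real run would query eDirectory and AD via LDAP instead. The function names and the flat dictionary model are assumptions made for this example.

```python
"""Constructed model of Novell trustee role mining (added example, not the product's code)."""
from collections import Counter, defaultdict

ROLE_PREFIX = "RO_"   # page: role group = prefix + old Novell DN (assumed written without a space)
DIRECT_MEMBER_CLASSES = {"groupOfNames", "organizationalRole"}   # only direct members are taken
TRAVERSE_CLASSES = {"organizationalUnit", "organization"}       # every user below is taken
CONTAINER_CLASSES = DIRECT_MEMBER_CLASSES | TRAVERSE_CLASSES

# Constructed eDirectory snapshot keyed by DN (assumption: a dict stands in for LDAP lookups).
EDIR = {
    "cn=alice,ou=sales,o=acme": {"class": "user", "cn": "alice"},
    "cn=bob,ou=sales,o=acme":   {"class": "user", "cn": "bob"},
    "cn=carol,ou=hr,o=acme":    {"class": "user", "cn": "carol"},
    "cn=dave,ou=hr,o=acme":     {"class": "user", "cn": "dave"},
    "cn=erin,o=acme":           {"class": "user", "cn": "erin"},
    "cn=sales-team,o=acme":     {"class": "groupOfNames",
                                 "members": ["cn=alice,ou=sales,o=acme", "cn=bob,ou=sales,o=acme"]},
    "ou=hr,o=acme":             {"class": "organizationalUnit"},
    "o=acme":                   {"class": "organization"},
}

# Constructed Novell trustee assignments: directory -> trustee DNs.
TRUSTS = {
    r"\\fs\data\sales":         ["cn=sales-team,o=acme", "cn=erin,o=acme"],
    r"\\fs\data\sales\reports": ["cn=sales-team,o=acme"],
    r"\\fs\data\hr":            ["ou=hr,o=acme"],
}

# Constructed AD: sAMAccountNames that already exist ("dave" is deliberately missing).
AD_ACCOUNTS = {"alice", "bob", "carol", "erin"}


def container_members(dn, edir=EDIR):
    """Direct user members for groups/roles; traversed user members for OUs/Os."""
    obj = edir[dn]
    if obj["class"] in DIRECT_MEMBER_CLASSES:
        return [m for m in obj.get("members", []) if edir[m]["class"] == "user"]
    if obj["class"] in TRAVERSE_CLASSES:
        return [d for d, o in edir.items() if o["class"] == "user" and d.endswith("," + dn)]
    raise ValueError(f"{dn} is not a container")


def mine_roles(edir=EDIR, trusts=TRUSTS, ad_accounts=AD_ACCOUNTS):
    """Return (permission_groups, role_groups, list_permissions, skipped_user_dns)."""
    # How often each container appears as a trustee decides direct membership vs. a role group.
    uses = Counter(t for trustees in trusts.values() for t in trustees
                   if edir[t]["class"] in CONTAINER_CLASSES)
    perm = defaultdict(set)   # directory -> principals (sAMAccountNames or role group names)
    roles = defaultdict(set)  # role group name -> sAMAccountNames
    skipped = set()           # user DNs whose CN has no matching sAMAccountName in AD

    def sam(dn):
        name = edir[dn]["cn"]  # page: the sAMAccountName must equal the eDirectory CN
        if name in ad_accounts:
            return name
        skipped.add(dn)        # no account is created; the permission is simply not transferred
        return None

    for directory, trustees in trusts.items():
        for dn in trustees:
            if edir[dn]["class"] == "user":
                name = sam(dn)
                if name:
                    perm[directory].add(name)
                continue
            members = {n for n in map(sam, container_members(dn, edir)) if n}
            if uses[dn] == 1:   # used once: members go straight into the permission group
                perm[directory] |= members
            else:               # used several times: one role group, nested in each permission group
                role = ROLE_PREFIX + dn
                roles[role] |= members
                perm[directory].add(role)

    # List permissions by the minimum principle: each ancestor up to the share root receives
    # list rights for the principals of a directory, unless it already grants them access.
    listing = defaultdict(set)
    for directory, principals in perm.items():
        parts = directory.split("\\")          # ['', '', 'fs', 'data', ...]; share root = first 4
        for i in range(4, len(parts)):
            ancestor = "\\".join(parts[:i])
            missing = principals - perm.get(ancestor, set())
            if missing:
                listing[ancestor] |= missing
    return dict(perm), dict(roles), dict(listing), skipped


if __name__ == "__main__":
    from pprint import pprint
    for label, result in zip(("permission groups", "role groups", "list permissions", "skipped"),
                             mine_roles()):
        print(label)
        pprint(result)
```

In the constructed data, `cn=sales-team` is a trustee of two directories, so it becomes the role group `RO_cn=sales-team,o=acme`, while `ou=hr` is used once and its traversed members land directly in the permission group; `dave` has no AD account and is reported as skipped rather than silently dropped, which is the check worth surfacing before cut-over.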
