ˆ SharePoint 2003 Permission Migration
ˆ SharePoint 2007 to 2007/2010 to 2010 Permission Migration ˆ SharePoint 2007 to 2010 Permission Migration
SharePoint 2003 Permission Migration
Migration Manager for SharePoint provides an option of migrating permis-sions from the source SharePoint 2003 sites, portal site areas to the target SharePoint 2007/2010. By default, permission migration is enabled.
Site Permission Migration
When permission migration for a particular job is turned on, Migration Man-ager migrates permissions of the source SharePoint 2003 sites to the target SharePoint 2007/2010 sites as follows:
ˆ Migrate site as a new site collection
When the source site is migrated as a new site collection, Migra-tion Manager con gures the target site collecMigra-tion with the cor-responding permissions. Permission inheritance for sub-sites is preserved.
ˆ Migrate site as a sub-site
When the source site is migrated as a sub-site, Migration Man-ager creates the target site with the corresponding unique per-missions. The source site with inherited permissions will have unique permissions on the target SharePoint.
List Permission Migration
When permission migration for a particular job is turned on, Migration Man-ager translates the access permissions of the source SharePoint 2003 lists to the target SharePoint 2007/2010 lists as follows:
ˆ Migrate list only
If a source list is migrated separately from its parent site, Mi-gration Manager con gures the target list to inherit permis-sions from its parent site.
ˆ Migrate list with its parent site
If a source list is migrated with its parent site, Migration Man-ager con gures the target list with the corresponding permis-sions. Permission inheritance is preserved.
Mapping the Source SharePoint 2003 Permissions to the Target SharePoint 2007/2010 Permissions
Security model has been changed in SharePoint 2007/2010. SharePoint 2003 site group has speci c rights granted directly to the group, while Share-Point 2007/2010 group is associated with the Permission level.
Migration Manager creates a corresponding SharePoint 2007/2010 group with the same membership on the target site. The target group name is com-posed of the source site title and the source site group name (i.e. the Admin-istrator site group on the Unique Permissions Site will be mapped to the Unique Permissions Site Administrator SharePoint 2007/2010 group).
Migration Manager maps permissions of a source site group/user to a per-mission level, using built-in XML mapping as follows:
ˆ Standard permission sets (Reader, Contributor, Web Designer etc.) are mapped to standard SharePoint 2007/2010 permission levels (Read, Contribute, Design etc.).
ˆ Custom permission sets are mapped to a new custom permission level named Wss v2 Custom Permission Level <N> (the name of each created permission level contains a number which is incremented when creating a new custom permission level). Migration Manager maps each SharePoint 2003 right to one or more SharePoint 2007/2010 rights us-ing the built-in mappus-ing rules.
Note: The mapping rules used by Migration Manager when migrating per-missions are described in the WSS3Levels.xml le in the product installation folder (C:\Program Files\Quest Software\Migration Manager). The default mapping rules correspond to the mapping rules used by Microsoft when up-grading from SharePoint 2003 to SharePoint 2007/2010.
Appendix B: Permission Migration 185
Permission Migration Disabled
When permission migration for a particular job is turned off, Migration Man-ager does not modify the security settings of the target list and site. The target lists and sites created by the migration job inherit permissions from their parents. The target sites created by the migration job will have unique permissions. Permission inheritance for sub-sites is preserved.
SharePoint 2007 to 2007/2010 to 2010 Permission Migration
During SharePoint 2007 to 2007/2010 to 2010 migration permissions are migrated automatically.
Note: Only permissions that have been set at the site and lower levels are migrated.
Site Permission Migration
Migration Manager migrates permissions of the source SharePoint 2007/2010 site to the target SharePoint 2007/2010 site as follows:
ˆ When migrating the source root site, Migration Manager con gures the target site with the corresponding permissions.
ˆ When the source site with inherited permissions is migrated, the target site is con gured to inherit permissions from its parent. Its subsites preserve the corresponding source permissions.
ˆ When migrating the source site as a new site collection, the target site collection will have only permissions assigned by the web application policy. Migration Manager assignes the user speci ed during the job creation the Site Collection administrator rights on the target.
List Permission Migration
Migration Manager migrates permissions of the source SharePoint 2007/2010 lists to the target SharePoint 2007/2010 lists as follows:
ˆ If a source list / document library is migrated separately from its parent site, Migration Manager con gures the target list/document library to inherit permissions from its parent site.
If migration is performed between two SharePoint farms located in different AD forests with no trusts between them, the users of the source forest and their permissions are migrated to the target.
Note: The users of the source forest will not be able to access the target SharePoint if no trusts between the source and target forests are created.
When the trusts are set, all users will access the target SharePoint.
You can also replace the source user accounts with the target ones using the STSADM -o migrateuser command. The target users will be con gured with the corresponding source permissions (for more information, please refer to: http://technet.microsoft.com/en-us/library/cc262141.aspx).
SharePoint 2007 to 2010 Permission Migration
Migration Manager allows users to preserve SharePoint security settings (users, groups, roles, permissions) during migration. A user can specify whether to migrate (by default) or skip permissions during job creation.
Permission Levels
ˆ Migration Manager migrates all permission levels (built-in and custom) from the source SharePoint 2007 site, regardless of whether permission levels are inherited or unique
ˆ Migration Manager recreates all source permission levels, including their names, descriptions and rights mask on the target SharePoint 2010 site ˆ Source SharePoint 2007 permission levels are migrated to the nearest
parent site with the unique permission level scope
Note: SharePoint 2010 UI does not allow users to break permission level inheritance on subsites. See the Permissions for sub-webs section for details:
http://technet.microsoft.com/en-us/library/ff607713.aspx. Migra-tion Manager does not break permission level inheritance and always
Appendix B: Permission Migration 187
migrates SharePoint 2007 permission levels to the root site of the target site collection.
ˆ If a site with unique permission levels already exists on the target (it is not created by MMSP), source permission levels are added to the existing scope.
Permission level mapping and con ict resolution:
ˆ If the incoming SharePoint 2007 permission level matches (name and rights mask) an existing SharePoint 2010 level, it is mapped to it ˆ If the incoming SharePoint 2007 permission level matches an existing
2010 level by name, but has a different rights mask, the incoming permission level is mapped to a new 2010 level named Original Name N (N=1,2,...).
ˆ If the incoming SharePoint 2007 permission level does not match any existing 2010 level by name, it is created with its original name and rights mask.
Users and Groups
Migration Manager migrates all SharePoint users and groups which have any permissions for SharePoint objects (sites, document libraries, lists, folders,
les and items) below the selected migration root:
ˆ By default each SharePoint 2007 user is added as is (original user name and domain) to the target SharePoint 2010 site collection users list. A mapping rules can be used to map source user to a target user or source domain to a target domain. Refer to the Mapping of Domains and Users section for more detailed information.
ˆ If a SharePoint group with the same name already exists in the tar-get site collection (created manually by site admin), Migration Manager maps the incoming 2007 group to a new one named Original Group Name N (N=1,2,...);
ˆ If the same SharePoint 2007 group is migrated to a target 2010 site col-lection multiple times (as part of multiple migration jobs), it is mapped to a single SharePoint 2010 group
ˆ If permission migration is not enabled for migration job, Migration Man-ager only migrates users who created or edited items and documents on the source site(s).
Permissions
ˆ Each uniquely secured SharePoint 2007 object (sites, document li-braries, lists, folders, les and items) retains its ACL in SharePoint 2010.
ˆ If a SharePoint 2007 object inherits permissions from its parent, it will inherit permissions in SharePoint 2010 as well.
Note: If the root SharePoint object (site or list) of a migra-tion job inherits permissions, Migramigra-tion Manager makes it a uniquely secured object in SharePoint 2010 and sets the same effective permissions the object had in SharePoint 2007.
ˆ If an object already exists on the target, the source permissions are added to the existing object's ACL. E.g. when a SharePoint 2007 site is migrated to an existing SharePoint 2010 site, the target site ACL will be a combination of migrated and pre-existing permissions.
ˆ If an object with inherited permissions already exists on the target, permissions inheritance will be broken and current permissions will be extended with the source permissions during migration.
Appendix B: Permission Migration 189