Migrating Security Information
Applies to: SharePoint Foundation 2010
The content migration object model allows you to export, package, and then import user security information to the migration target. Types of security information that you can migrate include membership information for site users, security role assignments, and object-level access control lists (ACLs).
Migrating Security Information
The deployment object model supports three migration topologies:
The source and destination servers are part of the same Active Directory directory service domain.
The source and destination servers are each part of different Active Directory domains, where the source domain trusts the destination domain or vice versa. This is a typical intranet-to-extranet topology.
The source and destination servers are part of different and completely independent Active Directory domains in which there are no trust relationships. This is the typical Internet content publishing topology.
The first two topologies describe scenarios where you can deploy all security information to the destination, including the membership of the Web site, the role assignments, and the ACLs for the various objects. This results in all users having the same access on the destination server farm as they had on the source.
The third topology describes a scenario where you can choose to deploy no security information at all. All references to Active Directory users and groups are removed from the ACLs. The members of the SharePoint Foundation groups on the destination server are maintained there, either from the destination domain or using Forms authentication and SQL Server.
Managing Security through the Object Model
The IncludeSecurity property takes an SPIncludeSecurity enumeration value that describes how security is migrated. By default, this value is set to None, which means that no security information is exported or imported. The remaining options follow:
WssOnly: Includes user memberships and role assignments, including default roles such as Web Designer and any custom roles that extend from the default roles. The ACL for each object is migrated. No user information defined in the DAP or LDAP servers is included.
All: Includes user memberships and role assignments, including default roles such as Web Designer and any custom roles that extend from the default roles. The ACL for each object is migrated. In addition, user information defined in the DAP or LDAP servers is included.
Migrating Security Information: Example
Users (also called memberships) are defined at the site collection level. When an export/import operation includes users, the exported XML file always includes the full list of users for the Web site (SPWeb), even if only a list is selected within the Web site for export.
Following is an example in which three documents are migrated from one document library to another. During export, if the Central Administrator chooses to include all users, all users in the source Web site (SPWeb) are exported, 5,000 users in this case. If the Central Administrator also chooses to include all users in the import, then all 5,000 users are imported to the destination location, even though the destination library may require the Web Designer role to access the documents, which may apply to only 5 of the 5,000 users.
For this migration, after import, the Central Administrator sees the following:
The three documents that were migrated from the source library to the destination library.
Created by, Created on, Modified by, and Modified on information for the documents.
5,000 users in the user list (assuming all of them are new in the destination site).
Additional Role Definitions.
New or updated ACLs, with new or updated user IDs.
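The following C# program is an added example, not code from the original article, that ties the IncludeSecurity setting described above to the export/import walkthrough. It exports one document library from a source site collection with SPIncludeSecurity.All, imports it into a destination site collection with the same setting, and then reports how many site users the destination Web site gained and how many role assignments the imported library carries, so an administrator can see the "whole user list arrives" behaviour before it surprises them. The site URLs, the library title and the export folder are assumptions; the classes and properties used (SPExportSettings, SPImportSettings, SPExport, SPImport, SPIncludeSecurity) are the Microsoft.SharePoint.Deployment types the article refers to.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Deployment;

// Added example (not part of the original article). Runs on a SharePoint
// Foundation 2010 server with farm-administrator rights for the calling account.
class SecurityMigrationSample
{
    // Assumed values: replace with the real source and destination locations.
    const string SourceSiteUrl      = "http://source/sites/intranet";   // assumption
    const string DestinationSiteUrl = "http://extranet/sites/publish";  // assumption
    const string LibraryTitle       = "Shared Documents";               // assumption
    const string ExportFolder       = @"C:\MigrationExport";            // assumption
    const string PackageName        = "library.cmp";                    // assumption

    static void Main()
    {
        // Change this to SPIncludeSecurity.WssOnly or None to compare the outcomes.
        SPIncludeSecurity securityMode = SPIncludeSecurity.All;

        ExportLibrary(securityMode);
        ImportLibrary(securityMode);
    }

    // Export a single list; the package still carries the full SPWeb user list
    // whenever IncludeSecurity is not None.
    static void ExportLibrary(SPIncludeSecurity securityMode)
    {
        using (SPSite site = new SPSite(SourceSiteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList library = web.Lists[LibraryTitle];

            SPExportSettings exportSettings = new SPExportSettings();
            exportSettings.SiteUrl          = SourceSiteUrl;
            exportSettings.FileLocation     = ExportFolder;
            exportSettings.BaseFileName     = PackageName;
            exportSettings.ExportMethod     = SPExportMethodType.ExportAll;
            exportSettings.IncludeVersions  = SPIncludeVersions.All;
            exportSettings.IncludeSecurity  = securityMode;   // None / WssOnly / All

            // Select only the document library (and everything below it).
            SPExportObject exportObject = new SPExportObject();
            exportObject.Id                 = library.ID;
            exportObject.Type               = SPDeploymentObjectType.List;
            exportObject.IncludeDescendants = SPIncludeDescendants.All;
            exportSettings.ExportObjects.Add(exportObject);

            new SPExport(exportSettings).Run();
            Console.WriteLine("Exported '{0}' with IncludeSecurity={1}", LibraryTitle, securityMode);
        }
    }

    // Import the package and measure what security information actually landed.
    static void ImportLibrary(SPIncludeSecurity securityMode)
    {
        using (SPSite site = new SPSite(DestinationSiteUrl))
        {
            int usersBefore;
            using (SPWeb web = site.OpenWeb())
            {
                usersBefore = web.SiteUsers.Count;
            }

            SPImportSettings importSettings = new SPImportSettings();
            importSettings.SiteUrl         = DestinationSiteUrl;
            importSettings.FileLocation    = ExportFolder;
            importSettings.BaseFileName    = PackageName;
            importSettings.IncludeSecurity = securityMode;    // must match the export intent
            importSettings.UpdateVersions  = SPUpdateVersions.Append;

            new SPImport(importSettings).Run();

            // Re-open the web so the user collection reflects the import.
            using (SPWeb web = site.OpenWeb())
            {
                int usersAfter = web.SiteUsers.Count;
                SPList imported = web.Lists[LibraryTitle];

                Console.WriteLine("Site users before import: {0}, after: {1} (+{2})",
                    usersBefore, usersAfter, usersAfter - usersBefore);
                Console.WriteLine("Imported library has unique permissions: {0}, role assignments: {1}",
                    imported.HasUniqueRoleAssignments, imported.RoleAssignments.Count);

                // List the principals that hold access on the library so the
                // administrator can confirm that no unexpected users were granted rights.
                foreach (SPRoleAssignment assignment in imported.RoleAssignments)
                {
                    Console.WriteLine("  {0} -> {1}",
                        assignment.Member.Name, assignment.RoleDefinitionBindings[0].Name);
                }
            }
        }
    }
}
```

Run the sample once with SPIncludeSecurity.All and once with SPIncludeSecurity.None against a test destination: with All, the user delta approaches the size of the source Web site's user list (the 5,000 in the text), while with None the delta is zero and the imported library shows no Active Directory principals in its role assignments. Users added this way are SharePoint user entries only; as the article notes, no Active Directory accounts are created on the destination side.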
To successfully migrate content between an intranet and an extranet, both environments must use the same domain or at least a one-way trust relationship; otherwise, the Central Administrator must recreate all the users in the extranet (destination) environment.
Although content migration does add user information to the extranet (destination) location, no new Active Directory accounts are created. For a user with an Active Directory account in the source location but not in the destination Active Directory, SharePoint Foundation migrates user information but creates no Active Directory account.