policydeploy -migrate Function: Migrate a PMD to Advanced Policy Management
This function migrates a PMD to the advanced policy management environment. When you migrate a PMD to advanced policy management, you create policies from the rules in the PMD, create a host group and hosts in the DMS, and assign the policies to the host group.
This function has the following format:
policydeploy -migrate pmdName@hostName [-dms name] [-policydir directory] \
[-exportfilter "class, class..."] [-hgcreate] [-pcreate name] [-addpmdfilter] \
[-unsubs] [-delete] [-auto]
- pmdName@hostName
  Defines the name of the PMD to migrate.
- -dms name
  (Optional) Defines the name of the DMS that the rules in the PMD will be migrated to. If you do not specify the DMS name, the DMS name is retrieved from the Privileged Access Manager database on the local host. If you do not specify a DMS name and there is more than one DMS name specified in the Privileged Access Manager database on the local host, the rules in the PMD are migrated to all specified DMSs.
- -policydir directory
  (Optional) Defines the directory in which the policy file is stored. If you do not specify a directory, the policy file is stored in your current working directory. The name of the policy file is pmdName_hostName_policy.
- -exportfilter "class,class..."
  (Optional) Specifies the Privileged Access Manager classes to export from the PMD database. If you do not specify any classes, all classes in the PMD database are exported. The following points apply to the -exportfilter parameter:
  - If you export rules that modify resources in a particular class, and the class has a corresponding resource group, Privileged Access Manager also exports the rules that modify resources in that resource group.
  - If you export rules that modify resources in a particular resource group, Privileged Access Manager also exports the rules that modify the member resources of the resource group.
  - If you export rules that modify resources in a particular class and that class has a PACL, Privileged Access Manager also exports the rules that modify resources in the PROGRAM class.
  - If you export rules that modify resources in a particular class and that class has a CALACL, Privileged Access Manager also exports the rules that modify resources in the CALENDAR class.
  - If you export rules that modify resources in a particular class, and one of the resources in that class is a member of a CONTAINER resource group, Privileged Access Manager exports the rules that modify resources in the CONTAINER class and the rules that modify the resources that are members of each CONTAINER resource group.
- -hgcreate
  (Optional) Creates a host group (GHNODE object) on the DMS that corresponds to pmdName, creates hosts (HNODE objects) on the DMS that correspond to endpoint subscribers of pmdName, and joins the hosts to the host group.
- -pcreate name
  (Optional) Creates a POLICY object on the DMS that contains the rules in the policy file that was exported from pmdName, and assigns the POLICY object to the host group on the DMS that corresponds to pmdName. If you specify name, the created POLICY object is named name_POLICY#01; if you do not specify name, the created POLICY object is named pmdName_POLICY#01.
- -addpmdfilter
  (Optional) Applies a filter file to pmdName. The filter file is named filter.flt and is located in the same directory as pmdName. You use the filter file to create a password PMD. The filter file lets only user password commands be sent to the subscribers of pmdName.
- -unsubs
  (Optional) Unsubscribes endpoint subscribers from pmdName.
- -delete
  (Optional) Deletes pmdName after the policydeploy -migrate function has finished executing.
- -auto
  (Optional) Specifies to execute both the -hgcreate and -pcreate options. This option does the following:
  - Exports the rules in pmdName
  - Creates a host group (GHNODE object) on the DMS that corresponds to pmdName
  - Creates hosts (HNODE objects) on the DMS that correspond to endpoint subscribers of pmdName
  - Joins the hosts to the host group
  - Creates a POLICY object on the DMS that contains the rules in the policy file that was exported from pmdName
  - Assigns the POLICY object to the host group on the DMS that corresponds to pmdName
Example: Migrate Rules and Create a Host Group
This example migrates the rules from Master PMD on host A to DMS__ on host B, saves the policy file to the C:\Data\policies_MasterPMD_hostA directory, creates a host group named MasterPMD on DMS__, creates hosts on DMS__ that correspond to the endpoint subscribers of Master PMD, and joins the hosts to the MasterPMD host group:
policydeploy -migrate MasterPMD@hostA -dms DMS__@hostB -policydir "C:\Data\policies_MasterPMD_hostA" -hgcreate