policydeploy -migrate Function: Migrate a PMD to Advanced Policy Management

This function migrates a PMD to the advanced policy management environment. When you migrate a PMD to advanced policy management, you create policies from the rules in the PMD, create a host group and hosts in the DMS, and assign the policies to the host group.
This function has the following format:
policydeploy -migrate pmdName@hostName [-dms name] [-policydir directory] \
[-exportfilter "class, class..."] [-hgcreate] [-pcreate name] [-addpmdfilter] \
[-unsubs] [-delete] [-auto]
  • pmdName@hostName
    Defines the name of the PMD to migrate.
  • -dms name
    (Optional) Defines the name of the DMS that the rules in the PMD will be migrated to. If you do not specify the DMS name, the DMS name is retrieved from the Privileged Access Manager database on the local host.
    If you do not specify a DMS name and there is more than one DMS name specified in the Privileged Access Manager database on the local host, the rules in the PMD are migrated to all specified DMSs.
  • -policydir directory
    (Optional) Defines the directory in which the policy file is stored. If you do not specify a directory, the policy file is stored in your current working directory.
    The name of the policy file is pmdName_hostName_policy.
  • -exportfilter "class, class..."
    (Optional) Specifies the Privileged Access Manager classes to export from the PMD database. If you do not specify any classes, all classes in the PMD database are exported.
    The following points apply to the -exportfilter parameter:
    • If you export rules that modify resources in a particular class, and the class has a corresponding resource group, Privileged Access Manager also exports the rules that modify resources in that resource group.
    • If you export rules that modify resources in a particular resource group, Privileged Access Manager also exports the rules that modify the member resources of the resource group.
    • If you export rules that modify resources in a particular class and that class has a PACL, Privileged Access Manager also exports the rules that modify resources in the PROGRAM class.
    • If you export rules that modify resources in a particular class and that class has a CALACL, Privileged Access Manager also exports the rules that modify resources in the CALENDAR class.
    • If you export rules that modify resources in a particular class, and one of the resources in that class is a member of a CONTAINER resource group, Privileged Access Manager exports the rules that modify resources in the CONTAINER class and the rules that modify the resources that are members of each CONTAINER resource group.
  • -hgcreate
    (Optional) Creates a host group (GHNODE object) on the DMS that corresponds to pmdName, creates hosts (HNODE objects) on the DMS that correspond to endpoint subscribers of pmdName, and joins the hosts to the host group.
  • -pcreate name
    (Optional) Creates a POLICY object on the DMS that contains the rules in the policy file that was exported from pmdName, and assigns the POLICY object to the host group on the DMS that corresponds to pmdName. If you specify name, the created POLICY object is named name_POLICY#01; if you do not specify name, the created POLICY object is named pmdName_POLICY#01.
  • -addpmdfilter
    (Optional) Applies a filter file to pmdName. The filter file is named filter.flt and is located in the same directory as pmdName.
    You use the filter file to create a password PMD. The filter file lets only user password commands be sent to the subscribers of pmdName.
  • -unsubs
    (Optional) Unsubscribes endpoint subscribers from pmdName.
  • -delete
    (Optional) Deletes pmdName after the policydeploy -migrate function has finished executing.
  • -auto
    (Optional) Specifies to execute both the -hgcreate and -pcreate options. This option does the following:
    • Exports the rules in pmdName
    • Creates a host group (GHNODE object) on the DMS that corresponds to pmdName
    • Creates hosts (HNODE objects) on the DMS that correspond to endpoint subscribers of pmdName
    • Joins the hosts to the host group
    • Creates a POLICY object on the DMS that contains the rules in the policy file that was exported from pmdName
    • Assigns the POLICY object to the host group on the DMS that corresponds to pmdName
Example: Migrate Rules and Create a Host Group
This example migrates the rules from Master PMD on host A to DMS__ on host B, saves the policy file to the C:\Data\policies_MasterPMD_hostA directory, creates a host group named MasterPMD on DMS__, creates hosts on DMS__ that correspond to the endpoint subscribers of Master PMD, and joins the hosts to the MasterPMD host group:
policydeploy -migrate MasterPMD@hostA -dms DMS__@hostB -policydir "C:\Data\policies_MasterPMD_hostA" -hgcreate
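The -exportfilter points above mean the policy file can contain rules for classes the operator never named, which matters when reviewing what a migrated policy will enforce. The following sketch is an added example, not product code: it models the five points at class level over a constructed sample PMD (the SAMPLE_PMD contents and all function names are hypothetical), and it assumes the points are re-applied to every class they pull in, which the page does not state.

```python
# Constructed sample model of a PMD database (hypothetical; not product output).
# Per class: "group" = its resource-group class, "member_class" = the class a
# resource group holds, "pacl"/"calacl" = some resource carries that ACL type,
# "container_peers" = classes that share a CONTAINER group with its resources.
SAMPLE_PMD = {
    "FILE": {"group": "GFILE", "pacl": True},
    "GFILE": {"member_class": "FILE"},
    "TERMINAL": {"group": "GTERMINAL", "calacl": True},
    "GTERMINAL": {"member_class": "TERMINAL"},
    "SURROGATE": {"container_peers": {"FILE"}},
    "PROGRAM": {}, "CALENDAR": {}, "CONTAINER": {},
}

def parse_filter(exportfilter):
    """Split the quoted "class, class..." value into class names."""
    return [c.strip() for c in exportfilter.split(",") if c.strip()]

def effective_classes(exportfilter, model):
    """Classes whose rules can land in the policy file for this filter."""
    requested = parse_filter(exportfilter)
    if not requested:  # no classes named: every class is exported
        return set(model)
    exported, pending = set(), list(requested)
    while pending:  # assumption: points are re-applied to pulled-in classes
        cls = pending.pop()
        if cls in exported:
            continue
        exported.add(cls)
        info = model.get(cls, {})
        if info.get("group"):  # class -> its resource group
            pending.append(info["group"])
        if info.get("member_class"):  # resource group -> member resources
            pending.append(info["member_class"])
        if info.get("pacl"):  # PACL present -> PROGRAM rules
            pending.append("PROGRAM")
        if info.get("calacl"):  # CALACL present -> CALENDAR rules
            pending.append("CALENDAR")
        if info.get("container_peers"):  # CONTAINER class plus group members
            pending.append("CONTAINER")
            pending.extend(sorted(info["container_peers"]))
    return exported

def pulled_in(exportfilter, model):
    """Classes exported although the operator did not name them."""
    named = set(parse_filter(exportfilter))
    return sorted(effective_classes(exportfilter, model) - named)

if __name__ == "__main__":
    for flt in ("TERMINAL", "SURROGATE", "FILE, GFILE"):
        print(f'-exportfilter "{flt}" also exports: {pulled_in(flt, SAMPLE_PMD)}')
```

Comparing the pulled_in result with the classes actually present in the exported policy file is a quick review step before running -pcreate or -auto.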