4 Replies Latest reply on Sep 3, 2021 5:51 AM by Nico Heinze

    Moving to LDAP

    John Lyons Seasoned Veteran

      We currently use Native secuirty domain for everything. We now want to use LDAP connections & secuirty domains.


      Is there a way to do a mass update against folders/connections that have permissions with the old security domain.  For example.


      Folder A  has a permission by 'Grp_A, in Native Domain'. We want to replace that with 'Grp_a Domain_A'. Is there a way to do such a mass update of some kine (doesn't have to be a update, add/delete is fine). Just so I can w/o going through each folder/connection

        • 1. Re: Moving to LDAP
          Paolo Moretti Guru

          Chek whether "pmrep AssignPermission" might be of help here. I believe that you should be able to automate this process using just this tool:


          => AssignPermission

          • 2. Re: Moving to LDAP
            John Lyons Seasoned Veteran

            Thank. I also don't see a command to extract a list of objects which have a certain user & group assigned to it.

            • 3. Re: Moving to LDAP
              Lekha G M Active Member

              Hi John,


              If you are looking for a command to extract list of objects to which the specified user/group have permission, you can make use of infacmd getDomainObjectPermissions command.


              Refer to following article for more information: Support





              • 4. Re: Moving to LDAP
                Nico Heinze Guru

                That won't help here because infacmd.sh cannot work on the contents of a PowerCenter repository. You have to stick with pmrep and pmcmd (in this case, pmrep will be the tool of choice).


                Unfortunately there's no command (which I know of) to extract the permissions per repository folder. And to be honest my knowledge of the repository details doesn't extend to the point where I could tell you how the folder permissions are stored exactly. So don't have any repository query to retrieve this information.


                In case your folders are organised by "project", the following idea might work for you.


                Ask each of the "project" managers which folders belong to her/his project(s).

                From this list you can prepare a list of "pmrep AssignPermission" statements for all folders which you know of.

                For all repository folders not contained within this list, create kind of a "dummy" assignment to some repository manager.

                Once you have created the security domains in your Informatica domain, synchronise users and groups (in the domain and to the repository), then run these assignment statements. This way all folders have the permissions your developers need (at least as far as they told you).


                Now if any project manager or developer needs additional folder permissions beyond those from the statements executed earlier, they have to ask you to give them the needed permissions. If your project managers did their job well, this will not happen at all because they did tell you in advance which folders they need access to.