Reference Guide › Utilities › policydeploy Utility—Manage Enterprise Policy Deployment › policydeploy -migrate Function—Migrate a PMD to Advanced Policy Management

policydeploy -migrate Function—Migrate a PMD to Advanced Policy Management

This function migrates a PMD to the advanced policy management environment. When you migrate a PMD to advanced policy management, you create policies from the rules in the PMD, create a host group and hosts in the DMS, and assign the policies to the host group.

This function has the following format:

policydeploy -migrate pmdName@hostName [-dms name] [-policydir directory] \
[-exportfilter "class, class..."] [-hgcreate] [-pcreate name] [-addpmdfilter]\
[-unsubs] [-delete] [-auto]

pmdName@hostName

Defines the name of the PMD to migrate.

-dms name

(Optional) Defines the name of the DMS that the rules in the PMD will be migrated to. If you do not specify the DMS name, the DMS name is retrieved from the CA ControlMinder database on the local host.

Note: If you do not specify a DMS name and there is more than one DMS name specified in the CA ControlMinder database on the local host, the rules in the PMD are migrated to all specified DMSs.

-policydir directory

(Optional) Defines the directory in which the policy file is stored. If you do not specify a directory, the policy file is stored in your current working directory.

The name of the policy file is pmdName_hostName_policy.

-exportfilter "class, class..."

(Optional) Specifies the CA ControlMinder classes to export from the PMD database. If you do not specify any classes, all classes in the PMD database are exported.

The following points apply to the -exportfilter parameter:

• If you export rules that modify resources in a particular class, and the class has a corresponding resource group, CA ControlMinder also exports the rules that modify resources in that resource group.
• If you export rules that modify resources in a particular resource group, CA ControlMinder also exports the rules that modify the member resource of the resource group.
• If you export rules that modify resources in a particular class and that class has a PACL The PACL property of a resource is an access control list. Each entry in the list specifies an accessor, the type of access to the resource that the accessor is allowed, and the name of the program that the accessor needs to use when accessing the resource. The program name can include wildcard characters. See also ACL, CALACL, NACL., CA ControlMinder also exports the rules that modify resources in the PROGRAM class.
• If you export rules that modify resources in a particular class and that class has a CALACL The CALACL property of a resource is an access control list that defines the accessors that are granted authorization to a resource, together with the type of access granted (for example, write) according to the accessors' status in the Unicenter TNG calendar. See also ACL, NACL, PACL., CA ControlMinder also exports the rules that modify resources in the CALENDAR class.
• If you export rules that modify resources in a particular class, and one of the resources in that class is a member of a CONTAINER resource group, CA ControlMinder exports the rules that modify resources in the CONTAINER class and the rules that modify the resources that are members of each CONTAINER resource group.

-hgcreate

(Optional) Creates a host group (GHNODE object) on the DMS that corresponds to pmdName, creates hosts (HNODE objects) on the DMS that correspond to endpoint subscribers of pmdName, and joins the hosts to the host group.

-pcreate name

(Optional) Creates a POLICY object on the DMS that contains the rules in the policy file that was exported from pmdName, and assigns the POLICY object to the host group on the DMS that corresponds to pmdName. If you specify name, the created POLICY object is named name_POLICY#01; if you do not specify name, the created POLICY object is named pmdName_POLICY#01.

-addpmdfilter

(Optional) Applies a filter file to pmdName. The filter file is named filter.flt and is located in the same directory as pmdName.

Note: You use the filter file to create a password PMD. The filter file lets only user password commands be sent to the subscribers of pmdName.

-unsubs

(Optional) Unsubscribes endpoint subscribers from pmdName.

-delete

(Optional) Deletes pmdName after the policydeploy -migrate function has finished executing.

-auto

(Optional) Specifies to execute both the -hgcreate and -pcreate options. This option does the following:

• Exports the rules in pmdName
• Creates a host group (GHNODE object) on the DMS that corresponds to pmdName
• Creates hosts (HNODE objects) on the DMS that correspond to endpoint subscribers of pmdName
• Joins the hosts to the host group
• Creates a POLICY object on the DMS that contains the rules in the policy file that was exported from pmdName
• Assigns the POLICY object to the host group on the DMS that corresponds to pmdName

Example: Migrate Rules and Create a Host Group

This example migrates the rules from Master PMD on host A to DMS__ on host B, saves the policy file to the C:\Data\policies_MasterPMD_hostA directory, creates a host group named MasterPMD on DMS__, creates hosts on DMS__ that correspond to the endpoint subscribers of Master PMD, and joins the hosts to the MasterPMD host group:

policydeploy -migrate MasterPMD@hostA -dms DMS__@hostB -policydir "C:\Data\policies_MasterPMD_hostA" -hgcreate