Legacy Group Migration

NOTICE

The legacy group migration feature is currently in Early Access and should not be used in production systems without additional support.

In IEM V1, you could create Admin Groups and User Groups to share devices and self-developed applications. With IEM V2, these groups can be migrated, so you do not need to manually reconfigure all permissions. By default, migration is not started, and legacy groups are no longer visible and no longer grant access rights.

Requirements

  • HELM version v2.1.0 or higher

Migration Instructions

To start the migration, run the helm upgrade command with the following flag:

--set central-auth.cauth.migration.triggerGroupMigration=true

This flag triggers the group migration process during the upgrade.

Important: The migration is an all-or-nothing process. If any error occurs, the entire migration will fail and no groups will be migrated. If this happens, you must run the helm upgrade command again with the following flag to reset the migration state:

--set central-auth.cauth.migration.triggerGroupMigration=false

Otherwise, the system will not start correctly.
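
The trigger-and-reset sequence above as a POSIX shell wrapper. This is an added example, not part of the product documentation. The release, chart and namespace arguments are placeholders you supply, and it assumes a failed migration surfaces as a failed helm upgrade (hence --wait).

```shell
#!/bin/sh
# Added example, not the product's own tooling.
# Release, chart and namespace are caller-supplied placeholders.
HELM_BIN="${HELM_BIN:-helm}"   # overridable, e.g. to rehearse with a stub
MIGRATION_FLAG="central-auth.cauth.migration.triggerGroupMigration"

# run_upgrade <true|false> <release> <chart> <namespace> [extra helm args...]
run_upgrade() {
  ru_value="$1"; ru_release="$2"; ru_chart="$3"; ru_ns="$4"
  shift 4
  # --wait makes helm fail when workloads do not become ready (assumption:
  # a failed migration shows up as a failed or unready upgrade).
  # The flag is passed last so it overrides any caller-supplied --set.
  "$HELM_BIN" upgrade "$ru_release" "$ru_chart" --namespace "$ru_ns" \
    --wait "$@" --set "${MIGRATION_FLAG}=${ru_value}"
}

# migrate_groups <release> <chart> <namespace> [extra helm args...]
# Returns 0  migration upgrade succeeded
#         1  migration failed, flag was reset (no groups were migrated)
#         2  migration failed and the reset upgrade failed as well
#         64 usage error
migrate_groups() {
  if [ "$#" -lt 3 ]; then
    echo "usage: migrate_groups <release> <chart> <namespace> [helm args]" >&2
    return 64
  fi
  if run_upgrade true "$@"; then
    echo "migration upgrade completed; review migrated roles and device groups"
    return 0
  fi
  echo "migration failed; resetting ${MIGRATION_FLAG}=false" >&2
  if run_upgrade false "$@"; then
    return 1
  fi
  echo "reset upgrade failed; the system may not start correctly" >&2
  return 2
}
```

Exit code 1 means the state was reset and the migration can be retried after the cause is fixed; exit code 2 needs manual attention before the system is restarted.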

Migration Results

  • Each My User Group will be migrated to a custom role with the appropriate permissions for the self-developed applications that were part of the original group. Since IEM V2 does not support group functionality for self-developed applications, only the role is migrated. These roles are labeled as "Migrated User Group" and can only be deleted, not modified.

  • Each My Admin Group will be migrated to a device group and a custom role to maintain device access as before. Because My Admin Group names were not unique, the new device group will use the old name plus a unique ID (UUID). The device group will include all devices from the original group. These roles are labeled as "Migrated Admin Group" and can only be deleted, not modified.

  • My Admin Groups from the Admin panel will not be migrated and must be deleted manually.

  • The IAM roles for My User Groups and My Admin Groups will remain unchanged. All existing role assignments for users, user groups, and mappers will be preserved.

NOTICE

The creator of a My Admin Group will automatically have access to the new device group and can share it with other users. This grants broader permissions than in IEM V1. If this is not desired, you must delete the group manually.