Migrate
Users, Groups, and App Role Memberships into Identity Cloud Service
Before You Begin
This document shows you how to migrate users, groups, and app role memberships from a Shared Identity Management (IDM) environment into an Identity Cloud Service environment or from one Identity Cloud Service environment to another.
Supported Use Cases
Most customers that have switched to the Universal Credit Model have commercial agreements. However, the following customers don't have these agreements:
- Identity Cloud Service customers who have subscribed to the Basic and Standard tiers
- Oracle Management Cloud internal compute customers
Prerequisites
Important: After the target tenant has been provisioned, don't create additional resources or delete existing resources (for example, users, groups, applications and application roles) in the target tenant until you successfully complete migration.
Background
Use the Cloud Account Migration tool to migrate users, groups, and app role memberships from a Shared IDM environment into an Identity Cloud Service environment or from one Identity Cloud Service environment to another.
Important: This is a one-time migration. If users, groups, and app role memberships are migrated successfully, then the Cloud Account Migration tool disappears from the Identity Cloud Service console.
What Do You Need?
To accomplish the tasks described in this document, make sure that you:
- Are an Identity Domain Administrator. For this document, the environment where you access the tool is the target Identity Cloud Service environment.
- Have the data center, domain, and administrative credentials
of the Shared IDM environment that contains the users, groups,
and app role memberships that you're migrating. For this
document, this is the source Shared IDM environment.
OR
The Identity Cloud Service URL and the administrative credentials of the Identity Cloud Service environment that contains the users, groups, and app role memberships that you're migrating. For this document, this is the source Identity Cloud Service environment.
Migrate
Users, Groups, and App Role Memberships from Shared IDM
In this section, migrate users, groups, and app role memberships from a Shared Identity Management (IDM) environment into an Identity Cloud Service environment.
- From the Identity Cloud Service console of the target
Identity Cloud Service environment, expand the Navigation
Drawer.
- Click Cloud Account Migration.
- In the Migrate page, click Shared
IDM, and then provide values for the following
parameters of the source Shared IDM environment:
Field Description Data Center Select the data center of the Shared IDM environment.
Domain Enter the domain of the Shared IDM environment. Admin User Name Enter the admin user name of the Shared IDM environment. Admin Password Enter the admin password of the Shared IDM environment. - Click Start Migration. A Migrating status
appears.
- If the migration job starts immediately because the
server is free, then a link to the job appears. Clicking
the link takes you to the Job Details page where
you can track the progress of your migration job. You must
refresh your web browser to see the latest status. After
all users, groups, and app role memberships are migrated,
the job status changes to Completed Successfully.
Note: Depending on how many users, groups, and app role memberships you're migrating, it may take several minutes for the migration to complete. If you don't see the status change, then refresh your web browser. After all users, groups, and app role memberships are migrated, when you click Cloud Account Migration in the Navigation Drawer, you'll see a Migrated page with a link to the migration job. You can't submit another migration job because this is a one-time migration. After the migration job completes and you terminate the web browser session, the next time you sign in, the Cloud Account Migration tool won't appear in the Navigation Drawer.
- If the migration job doesn't start immediately because
the server is busy, then a schedule Job ID appears for the
migration job. The job should start automatically in a few
minutes. Use the schedule Job ID to search for the job by
clicking Jobs in the Navigation Drawer.
Or, you can refresh the Migrating page until a
link with the Migration Job ID appears.
Note: If users, groups, and app role memberships can't be migrated, then you'll return to the Migrate page. Verify that the values you provided for the parameters of the source Shared IDM environment are correct, and try again. Also, check the child User Import, Group Import, and App Role Members Import Job details for data errors that must be fixed before migration can succeed. If the problem persists, then contact your system administrator.
- If the migration job starts immediately because the
server is free, then a link to the job appears. Clicking
the link takes you to the Job Details page where
you can track the progress of your migration job. You must
refresh your web browser to see the latest status. After
all users, groups, and app role memberships are migrated,
the job status changes to Completed Successfully.
- In the Navigation Drawer, click Jobs.
- In the Search field of the Jobs page, enter the Migration Job ID or schedule Job ID that you copied in step 4, and then press Enter.
- Click View Details.
A Summary table shows how many:
- Users, groups, and app role memberships you migrated.
- Users, groups, and app role memberships migrated successfully.
- Users, groups, and app role memberships that failed to migrate.
Migrate
Users, Groups, and App Role Memberships from Identity Cloud
Service
In this section, migrate users, groups, and app role memberships from one Identity Cloud Service environment to another.
- From the Identity Cloud Service console of the target Identity Cloud Service environment, expand the Navigation Drawer.
- Click Cloud Account Migration.
- In the Migrate page, click Identity Cloud
Service, and then provide values for the following
parameters of the source Identity Cloud Service environment:
Field Description Identity Cloud Service URL Enter the Identity Cloud Service URL of the Identity Cloud Service environment (for example, https://idcs-1234.identity.oraclecloud.com:8943). Admin User Name Enter the admin user name of the Identity Cloud Service environment. Admin Password Enter the admin password of the Identity Cloud Service environment. - Click Start Migration. A Migrating status
appears.
- If the migration job starts immediately because the
server is free, then a link to the job appears. Clicking
the link takes you to the Job Details page where
you can track the progress of your migration job. You must
refresh your web browser to see the latest status. After
all users, groups, and app role memberships are migrated,
the job status changes to Completed Successfully.
Note: Depending on how many users, groups, and app role memberships you're migrating, it may take several minutes for the migration to complete. If you don't see the status change, then refresh your web browser. After all users, groups, and app role memberships are migrated, when you click Cloud Account Migration in the Navigation Drawer, you'll see a Migrated page with a link to the migration job. You can't submit another migration job because this is a one-time migration. After the migration job completes and you terminate the web browser session, the next time you sign in, the Cloud Account Migration tool won't appear in the Navigation Drawer.
- If the job doesn't start immediately because the server
is busy, then a schedule Job ID appears for the migration
job. The job should start automatically in a few minutes.
Use the schedule Job ID to search for the job by clicking
Jobs in the Navigation Drawer. Or, you can
refresh the Migrating page until a link with the
Job ID appears.
Note: If users, groups, and app role memberships can't be migrated, then you'll return to the Migrate page. Verify that the values you provided for the parameters of the source Identity Cloud Service environment are correct, and try again. Also, check the child User Import, Group Import, and App Role Members Import Job details for data errors that must be fixed before migration can succeed. If the problem persists, then contact your system administrator.
- If the migration job starts immediately because the
server is free, then a link to the job appears. Clicking
the link takes you to the Job Details page where
you can track the progress of your migration job. You must
refresh your web browser to see the latest status. After
all users, groups, and app role memberships are migrated,
the job status changes to Completed Successfully.
- In the Navigation Drawer, click Jobs.
- In the Search field of the Jobs page, enter the Job ID or schedule Job ID that you copied in step 4, and then press Enter.
- Click View Details.
A Summary table shows how many:
- Users, groups, and app role memberships you migrated.
- Users, groups, and app role memberships migrated successfully.
- Users, groups, and app role memberships that failed to migrate.
Troubleshooting
Two types of jobs run during migration. A parent job or Migration job, and Child jobs that run as part of the Migration job. Child jobs, for example, are importing and exporting users, groups, and app role membership jobs. If a job fails, use the following steps to view the cause of the failure.
To see job details of a failed Migration job.
- On the Jobs page, click View Details to see the job details.
- Under Additional Details, you will find the reason for the failure.
To see job details of a failed Child job.
- On the Jobs page, click View Details of a child job, for example an Import Group job, to see the job errors.
- Locate a failed resource and then:
- For user related resources, click Creation Failed.
- For group related resources, click View Details.
- (Optional) Change Filter by Status, to define your results.
- Click the Status message to see the error details for the failure in the Status Message section.
Want
to Learn More?
To learn more about migrating users, groups, and app role memberships, refer to the following documentation and solutions: