Sharegate carries your associated permissions during a migration, and will attempt to preserve their integrity from the source to the destination whenever possible.
This article explains what happens to your permissions during different scenarios when running a Copy Structure migration, and how your users are associated between your source and destination.
Users and groups Association
This includes People and Group metadata fields, such as Modified by.
Users and Active directory (security) groups are matched with what's available in the destination's active directory.
SharePoint Groups are copied at the destination and populated with users if the source user can be resolved at the destination.
How we resolve users from the source to the destination
We look at the whole account name available, for matches to users at the destination through the SharePoint people picker.
Once we have a list of potential matches for your user, we go through the list of values below (in the specified order). We consider the account a match when we find the same values for one of these properties:
- Exact same account name
- Same normalized account name (without claims header)
- Same login and domain
- Same login
- Same login and domain (source login read from display name - this can happen when importing from file system because the account name is set as the display name)
- Same login (source login read from display name - this can happen when importing from file system because the account name is set as the display name)
- Same email address
- Same display name
- PrincipalType is not set or is a Security Group and same display name without domain
Note: If you're using any kind of redundant word in the account name, or if you have certain users that have multiple matching names, you might have to create a company-wide user mapping file to resolve that problem. You can extract the user information from your Active Directory, and use that data to generate a mapping file with PowerShell.
The default SharePoint groups (Visitors, Members, Owners) will always be copied or merged.
Any other SharePoint group that has the same name will also get merged (users from the source group are added to the destination group).
If you are not sure which SharePoint groups are the defaults, they are configured under:
[your site collection URL]/_layouts/15/permsetup.aspx for SharePoint 2013+ or [your site collection URL]/_layouts/permsetup.aspx for SharePoint 2010
Full Site Collection copy
When migrating a full Site Collection (connected to the admin center, or central admin at the destination), we will re-create the permissions as-is at the destination.
Merge Site Collection copy
When merging a Site Collection to an existing one at the destination, we will add the permissions from the source to those that already exist at the destination.
Default SharePoint groups will be merged even if their name doesn't match.
Any other SharePoint group will be merged based on name (users from the source group are added to the destination group).
Promote Subsite as Site Collection
If permissions are inherited, the new Site Collection at the destination will take the permissions from the source's parent Site Collection.
If permissions are custom (not inherited from the parent) on the subsite, then we will re-create the permissions as they are in the source.
Default groups (Visitors, Members, Owners) removed at the source will not be recreated at the destination. You can set these back at the destination by accessing the permission setup page and adding /_layouts/permsetup.aspx after the name of the site (in the destination site's URL using a browser).
Demote Site Collection as subsite
Site Collections have custom permissions by default since they are at the top level of the hierarchy. When you migrate a Site Collection as a subsite and try to preserve the custom permissions, all the groups will be recreated at the destination with the exception of the default groups (visitors, members, owners). The default groups will be at the destination's Site Collection level by default. Users in the default groups in the source will not be added to the default groups at the destination to avoid security issues.
Note: To keep default groups from the source, copy the default groups (visitors, members, owners) before doing the site migration. This will make them available at the site collection level and apply them to the new subsite when you copy your site after.
Lists and Libraries
When migrating lists and libraries with custom permissions, we recreate the permissions at the destination.
If permissions are inherited from the parent at the source, the inheritance will be preserved and taken from the parent at the destination.