Identity & Access (IAM) Migration
Migrate legacy IAM systems to modern cloud identity platforms with intelligent privilege mapping.
Migrate any identity system — RACF, ACF2, Top Secret, Active Directory, LDAP — to AWS IAM, Azure AD, GCP IAM, and Okta. Dry-run validation, conflict detection, and full audit trails are included.
Supported sources
| Source | Notes |
|---|---|
| IBM RACF | Users, groups, profiles, data set rules, STARTED classes |
| CA ACF2 | Logonids, rules, infostorage |
| CA Top Secret | Acids, profiles, ownership chains |
| Microsoft Active Directory | Users, groups, OUs, GPOs |
| LDAP / LDIF | Generic directory exports |
Supported targets
| Target | Notes |
|---|---|
| AWS IAM | Users, roles, policies, permission boundaries |
| Azure Active Directory | Users, groups, app registrations, conditional access |
| GCP IAM | Service accounts, roles, bindings |
| Okta | Users, groups, applications, policies |
Privilege mapping
RACF/ACF2 privileges have no 1:1 equivalent in cloud IAM, so QuickCloud maps each one to a cloud equivalent:
| Legacy privilege | Cloud equivalent |
|---|---|
| SPECIAL | IAM Administrator |
| OPERATIONS | Resource Manager |
| AUDITOR | Security Auditor (Read-Only) |
| CLAUTH(USER) | User provisioner |
| Dataset READ | Object storage read |
| Dataset UPDATE | Object storage read/write |
| Dataset ALTER | Object storage full control |
Custom mappings can be defined via a YAML configuration file to match your organization's access model.
Dry-run mode
Run a full migration simulation before making any changes:
```bash
docker run registry.quickcloud.co/quickcloud/iam-migration:latest \
  --mode=dry-run \
  --source=racf \
  --source-export=/data/racf-export.txt \
  --target=aws-iam \
  --output=/reports/dry-run-report.html
```
The report shows:
- Every identity and permission that would be created
- Conflicts (duplicate usernames, unmappable permissions)
- Permissions that require manual review
- Estimated IAM resource counts
No changes are made to your environment until you run with --mode=apply.
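The checks a dry-run report lists can be sketched as follows. This is an added illustration, not QuickCloud's code: it applies the mapping table above to constructed records and reports duplicate usernames, unmappable permissions, and grants held for review. The record shape, the lowercase target naming rule, and the `REVIEW_REQUIRED` set are assumptions.

```python
import json
from collections import defaultdict

# Rows copied from the privilege-mapping table on this page.
PRIVILEGE_MAP = {
    "SPECIAL": "IAM Administrator",
    "OPERATIONS": "Resource Manager",
    "AUDITOR": "Security Auditor (Read-Only)",
    "CLAUTH(USER)": "User provisioner",
    "Dataset READ": "Object storage read",
    "Dataset UPDATE": "Object storage read/write",
    "Dataset ALTER": "Object storage full control",
}
# Assumption: broad grants are held for a human decision, never auto-applied.
REVIEW_REQUIRED = {"SPECIAL", "OPERATIONS", "Dataset ALTER"}

def plan_dry_run(records):
    """Build a report from (source_system, user_id, privilege) tuples; changes nothing."""
    report = {"would_create": [], "conflicts": [], "manual_review": []}
    owners = defaultdict(set)  # normalised target name -> source identities
    for system, user, privilege in records:
        target_user = user.strip().lower()  # assumed target naming rule
        owners[target_user].add((system, user))
        target_perm = PRIVILEGE_MAP.get(privilege)
        if target_perm is None:
            report["conflicts"].append(("unmappable permission", user, privilege))
            continue
        entry = {"source": f"{system}:{user}", "source_privilege": privilege,
                 "target": target_user, "target_permission": target_perm,
                 "status": "dry-run"}
        report["would_create"].append(entry)
        if privilege in REVIEW_REQUIRED:
            report["manual_review"].append(entry)
    # Two different source identities landing on one target name is a conflict.
    for name, sources in sorted(owners.items()):
        if len(sources) > 1:
            report["conflicts"].append(("duplicate username", name, sorted(sources)))
    report["counts"] = {"identities": len(owners), "permissions": len(report["would_create"])}
    return report

# Constructed sample rows, not real data. RACF's CONTROL access level is not in the table above.
SAMPLE = [
    ("racf", "JSMITH", "SPECIAL"),
    ("racf", "JSMITH", "Dataset READ"),
    ("ldap", "jsmith", "Dataset UPDATE"),
    ("racf", "BATCH01", "Dataset CONTROL"),
    ("racf", "AUDIT1", "AUDITOR"),
]

if __name__ == "__main__":
    print(json.dumps(plan_dry_run(SAMPLE), indent=2))
```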
Audit logging
Every identity change is logged with:
- Source identity and privilege
- Target identity and permission
- Timestamp and operator
- Dry-run vs. applied status
Logs are exportable as JSON or CSV for SOC 2 / SOX evidence packages.
Getting started
See Quick Start to pull the image and run your first dry-run report.