Identity & Access (IAM) Migration (AI)

Migrate Any Identity System to Cloud IAM.
In Hours, Not Months.

RACF, ACF2, Active Directory, LDAP, Google Workspace, Unix/Linux, or any CSV — migrated to AWS IAM, Azure AD, GCP IAM, or Okta. Intelligent privilege mapping, dry-run conflict detection, and one-click rollback. Built for your team to run.

Traditional consultant-led IAM migration: $150,000–$300,000 and 3–6 months. QuickCloud: hours to days, near-zero error rate, automatic audit documentation.

8 Sources: Mainframe, AD, LDAP, Google Workspace & more
4 Targets: AWS IAM, Azure AD, GCP IAM, Okta
Dry-Run First: Zero surprises — preview before any change
1-Click Rollback: Deletes exactly what was created

Live Mainframe Scanning — No File Extraction Required

QuickCloud connects directly to your mainframe via z/OSMF, SSH, FTP, or SFTP and scans identity data in real time. No extracting files, no waiting for a batch job, no CISO escalations — your identity data never leaves your infrastructure.

AI Role Mining & Risk Scoring

AI analyzes entitlement patterns across your entire identity corpus, scores migration risk per user and group, detects audit anomalies (dormant accounts, over-privileged users, toxic role combinations), and answers natural-language questions about your identity data — before you touch anything.

How It Works

QuickCloud Identity and Access Migration ecosystem and delivery map
01. Discover & Scan — Live or File-Based

Connect QuickCloud directly to your mainframe via z/OSMF, SSH, FTP, or SFTP for real-time scanning — no file extraction, no batch job, no waiting. Alternatively, upload a RACF/ACF2/TSS export, LDIF, CSV, or /etc/passwd file. All source types are parsed into a structured identity inventory immediately.

02. Analyze, Assess & Model

AI Role Mining analyzes entitlement patterns across all users and groups, scores migration risk, detects audit anomalies, and surfaces dormant or over-privileged accounts. RACF Dataset Profiles (UACC, access lists) are modeled as cloud resource policies. Started Tasks and service accounts are detected and mapped to cloud service identities automatically.

03. Map, Translate & Dry-Run Preview

Privilege attributes are translated semantically to cloud IAM roles. Dataset ACLs become S3 bucket policies, Azure RBAC conditions, or GCP IAM bindings. Run a dry-run to see every user, group, conflict, and mapping before a single resource is created — zero surprises.

04. Approve, Audit & Migrate

All proposed changes are presented for approval with a full audit record before execution. Migration runs with parallel processing, idempotent operations, and automatic retry/recovery. Every resource created is tracked by name, type, and timestamp in the immutable audit log.

05. Verify, Reconcile & Monitor

Post-migration reconciliation confirms every user and group was provisioned correctly. AI Agent monitors the new environment for drift, anomalies, and policy violations. Full rollback deletes exactly what was created — nothing more, nothing less — with one click.

Intelligent Privilege Mapping

Legacy mainframe privilege attributes are automatically translated to semantically equivalent cloud IAM roles. All mappings are visible in the dry-run preview before any migration is committed.

| Legacy Attribute | Cloud Role | Access Level |
| --- | --- | --- |
| SPECIAL | Super Admin / Administrator | Full platform access with all permissions |
| OPERATIONS | Power User / Operator | Operational access without administrative rights |
| AUDITOR | Audit / Read-Only Admin | Compliance and review access only |
| RESTRICTED | Read-Only | Minimal permissions, view-only access |

8 Supported Identity Sources

Mainframe, on-premises, cloud, or custom — if your users and groups live there, QuickCloud can migrate them.

Mainframe

IBM RACF

Resource Access Control Facility — the most widely deployed mainframe IAM system. Supports IRRDBU00/IRRADU00 unload formats and all structured RACF dump exports. Live scanning via z/OSMF or SFTP — no file extraction required.

CA ACF2

Broadcom/CA mainframe security product. Full parsing of ACF2 rule sets, user profiles, and resource access lists. Direct scan or file upload supported.

CA Top Secret

Broadcom/CA mainframe security manager. Parses TSS user records, departmental structures, and access rule definitions. Direct scan or file upload supported.

Enterprise / On-Premises

Active Directory

Microsoft on-premises directory service. Import via LDIF export from AD. Users, groups, OUs, and nested group memberships fully parsed.

LDAP / OpenLDAP / FreeIPA

Any standards-compliant directory service that exports LDIF. Includes IBM Directory Server, Oracle Unified Directory, 389 DS, and FreeIPA.

Unix/Linux (/etc/passwd)

Direct import from /etc/passwd and /etc/group files. Migrates local system users and groups to cloud IAM with privilege-level inference.

Cloud & Custom

Google Workspace

Import users and groups directly from a Google Admin Console CSV export. No API key or OAuth required — just the export file.

Custom CSV

Any CSV file with users and groups. Map your custom column names to the standard identity schema using the visual column-mapping UI.

Cloud IAM Targets

AWS IAM

Creates IAM users, groups, and attaches managed and inline policies. Maps privilege levels to appropriate AWS permission boundaries.

Azure AD (Entra)

Provisions users and groups via Microsoft Graph API with role assignments. Requires User.ReadWrite.All and Group.ReadWrite.All permissions.

GCP IAM

Creates service accounts with IAM role bindings scoped to your project. Requires the roles/iam.serviceAccountCreator role.

Okta

Provisions users and groups with role-based permissions via the Okta API. Preserves group hierarchy and access level semantics.

Execution Engine

Six purpose-built components work together to ensure every migration is fast, safe, and recoverable.

Live Mainframe Connectivity

z/OSMF, SSH, FTP, SFTP — connects to your source in real time, no extraction step required.

Parallel Migration Engine

Users, groups, policies, and service identities are provisioned concurrently to maximize throughput against target platform APIs.

Idempotent Operations

Every operation is safe to re-run. If the migration is interrupted, resuming from the same point produces the same result — no duplicates.

Retry & Recovery

Transient API failures are automatically retried with exponential backoff. Persistent failures are surfaced with full error context for manual review.

Throttling Management

Automatically respects target platform API rate limits (AWS, Azure, GCP, Okta) — no manual tuning, no 429 errors breaking migrations.

Secure Credential Vault

All target platform API credentials are stored encrypted at rest and never logged. Credential access is scoped per migration run and audited.

Enterprise Governance Built In

Identity migration touches your most sensitive data. Every feature is designed with security, auditability, and organizational control as first-class concerns.

Multi-Organization Support

Manage migrations across multiple customer organizations with isolated API keys, per-plan usage limits, and role-based access (Super Admin, Admin, Viewer).

Comprehensive Audit Logging

Every action—login, upload, dry-run, migration, rollback—is logged with actor identity, timestamp, resource affected, and outcome. Exportable for compliance reviews.

Rollback Capability

Migration records are persisted with full result details. Failed or unwanted migrations can be rolled back from the history view without manual intervention.

AI Role Mining & Risk Scoring

Analyzes entitlement patterns across all users and groups, scores migration risk per identity, detects audit anomalies, and surfaces dormant or over-privileged accounts before migration.

RACF Dataset Profiles → Cloud Resource Policies

Dataset ACLs (UACC, access lists) are automatically translated into S3 bucket policies, Azure RBAC conditions, or GCP IAM bindings — not just user/group migration.

Started Tasks → Cloud Service Identities

Batch jobs, STCs (Started Tasks), and service accounts are detected automatically and migrated to cloud service identities — not left behind as orphaned accounts.

Segregation of Duties (SoD)

Role-based access enforces SoD across the migration workflow — no single user can approve and execute a migration without a second reviewer at Enterprise tier.

Encryption in Transit & At Rest

All credentials and identity records are encrypted in transit (TLS 1.2+) and at rest. Uploaded files are deleted immediately after parsing — never persisted to disk.

Security Configuration Panel

Manage MFA settings, RBAC configuration, transit and at-rest encryption flags, SSO readiness, and audit logging toggles from a single governance dashboard.

Rate-Limited Authentication

Login endpoints are rate-limited to 10 attempts per 15-minute window per IP. JWT tokens expire after 1 hour. Uploaded files are deleted immediately after processing.

Docker-Deployed, Self-Hosted

Runs entirely on your infrastructure via Docker Compose with Nginx reverse proxy. No data leaves your environment — credentials and identity records stay on-premises.

SOC 2 Aligned Audit Trail

Immutable, tamper-evident audit log covering every migration event. Pre-formatted export for SOC 2 Type II, HIPAA, and internal compliance reviews.

The differentiator

The Only Tool That Combines All Three

Every other tool in this space is a one-way street. QuickCloud is different — and the difference is what makes it safe enough for your own security team to run without a consultant.

1. Pre-Migration Dry-Run

See every user, group, conflict, and privilege mapping before a single resource is created. Catch problems before they happen.

2. Tracked Creation

QuickCloud records every resource it creates — not just that it ran. The migration log knows exactly what exists and where.

3. One-Click Rollback

Deletes exactly what was created — nothing more, nothing less. No manual cleanup, no guesswork, no emergency consultant call.
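
The dry-run, tracked-creation and rollback sequence above, sketched as an added example. It is not QuickCloud's code. The `Target` class, the function names and the sample users are assumptions made for illustration, and the role names are one choice from each pair in the mapping table on this page.

```python
from dataclasses import dataclass, field

# Legacy attribute -> cloud role, taken from the mapping table on this page.
ROLE_MAP = {"SPECIAL": "Administrator", "OPERATIONS": "Operator",
            "AUDITOR": "Read-Only Admin", "RESTRICTED": "Read-Only"}

@dataclass
class Target:
    """Hypothetical in-memory stand-in for a cloud IAM directory."""
    users: dict = field(default_factory=dict)  # user name -> role

def dry_run(identities, target):
    """Build the plan only; the target is never written to."""
    plan = {"create": [], "conflict": [], "unresolved": []}
    for name, attr in identities:
        role = ROLE_MAP.get(attr)
        if role is None:
            plan["unresolved"].append((name, attr))  # no mapping: needs review
        elif name in target.users:
            plan["conflict"].append(name)            # already exists: not ours
        else:
            plan["create"].append((name, role))
    return plan

def migrate(plan, target, ledger):
    """Create planned users and record each one; safe to re-run."""
    for name, role in plan["create"]:
        if name in target.users:  # created by an earlier run, or appeared since
            continue
        target.users[name] = role
        ledger.append(name)       # the ledger is the only source for rollback

def rollback(target, ledger):
    """Delete exactly the users this migration recorded, newest first."""
    while ledger:
        target.users.pop(ledger.pop(), None)

def demo():
    # Constructed sample data: (user, legacy attribute) pairs and one
    # pre-existing target user that must survive rollback untouched.
    identities = [("ADM01", "SPECIAL"), ("OPS01", "OPERATIONS"),
                  ("AUD01", "AUDITOR"), ("TMP01", "CLAUTH")]
    target = Target(users={"OPS01": "Operator"})
    plan = dry_run(identities, target)
    ledger = []
    migrate(plan, target, ledger)
    migrate(plan, target, ledger)  # re-run after an "interruption": no duplicates
    created = list(ledger)
    rollback(target, ledger)
    return plan, created, target.users
```

Because rollback reads only the creation ledger, the pre-existing `OPS01` account flagged as a conflict in the dry-run is never touched.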

What This Replaces

Conservative comparison of a consultant-led identity migration versus QuickCloud.

Traditional Consultant-Led Migration

Cost: $150,000 – $300,000+
Timeline: 3 – 6 months
Error rate: 15 – 30% without dry-run tooling
Audit documentation: Manual, inconsistent
Rollback: Manual cleanup — days of work

With QuickCloud

Cost: Included in subscription
Timeline: Hours to days
Error rate: Near zero — dry-run catches conflicts first
Audit documentation: Automatic, tamper-evident, SOC 2 aligned
Rollback: One click — deletes exactly what was created

Conservative ROI on first migration: 10×

Frequently Asked Questions

QuickCloud accepts .txt, .csv, .xml, and .json files up to 50 MB. RACF, ACF2, and Top Secret exports are plain-text or structured dumps from the mainframe security manager. LDAP and Active Directory exports should be in standard LDIF format. Google Workspace exports are CSV files from the Admin Console. Unix/Linux imports use the standard /etc/passwd and /etc/group file format. Custom CSV files use the visual column-mapping UI to align your column names to the standard identity schema. All files are deleted from the server immediately after parsing — they are never stored.
QuickCloud maps RACF/ACF2/TSS privilege attributes to platform-specific roles using a semantic translation layer: SPECIAL becomes Administrator/Super Admin (full access), OPERATIONS becomes Power User/Operator (operational access), AUDITOR becomes Audit/Read-Only Admin (compliance access), and RESTRICTED becomes Read-Only (minimal permissions). You can review all mappings in the dry-run preview before committing.
A dry-run executes the full migration logic against your target platform API without actually creating any users or groups. It returns a complete preview of what would be created, identifies any users or groups that already exist (conflicts), and flags any privilege mappings that cannot be resolved. This lets you review and approve everything before a single change is made in production.
Yes. You can run separate migrations from the same identity export to different target platforms. For example, you might migrate your RACF users to both AWS IAM and Okta as part of a phased cutover. Each migration is tracked independently with its own audit trail and rollback capability.
Your Azure app registration needs User.ReadWrite.All and Group.ReadWrite.All permissions via Microsoft Graph API. For GCP, your service account needs the roles/iam.serviceAccountCreator role. For Okta, you need an API token with user and group write permissions. AWS uses standard IAM credentials with appropriate permissions.
Each organization gets its own isolated API key, plan tier (Starter/Pro/Enterprise), and usage limits. Admin users are assigned roles (Super Admin, Admin, or Viewer) that control what they can see and do across organizations. API keys can be rotated at any time without disrupting other organizations.

Cloud Agnostic by Design

Migrate to any cloud IAM platform — or stay on-premises. No forced target, no vendor lock-in.

AWS IAM
Azure AD / Entra
GCP IAM
Okta
On-Premises
Multi-Cloud

Measurable Outcomes

Lower Risk

Dry-run preview, AI risk scoring, and 1-click rollback eliminate the 15–30% error rate typical of manual migrations.

Faster Migration

Live scanning, parallel provisioning, and automated mapping compress months of consultant work into hours.

Lower Cost

Replace $150K–$300K consultant engagements with a SaaS subscription your own security team controls.

Higher Accuracy

Native IRRDBU00/IRRADU00 parsing, semantic privilege mapping, and dataset profile translation produce fewer post-migration access issues.

Enterprise Ready

SOC 2-aligned audit trails, SoD enforcement, immutable logs, and encrypted credential vault built in.

Also included in Full Platform — $14,999/mo

Migrating more than just identity?

Identity migration is one piece of the modernization puzzle — bring your databases along at the same time, and lock down the new environment from day one.

Ready to Migrate Your Identity System?

Upload your first identity export and run a dry-run preview in minutes — no commitment required.