Migrate Groups - Edge Case - Handle Duplicate Group Name in Account Console

[nfx]

Background

Within the context of a workspace->account level group migration, we need to handle the following scenario:

• Workspace Local SCIM is not configured
• A given workspace local group is an internal, not external group
• This workspace local group exists in the account console already

Recommended Solution

Create a new group in the account console

• Prefix group name with the workspace name as follows. workspaceName_groupName
• Make the workspace admin(s) the group managers for the group

[FastLee]

A customer has suggested to allow adding a prefix to group names.

[nfx]

this is already fixed:

validate-groups-membership command
$ databricks labs ucx validate-groups-membership
...
14:30:36 INFO [d.l.u.workspace_access.groups] Found 483 account groups
14:30:36 INFO [d.l.u.workspace_access.groups] No group listing provided, all matching groups will be migrated
14:30:36 INFO [d.l.u.workspace_access.groups] There are no groups with different membership between account and workspace
Workspace Group Name Members Count Account Group Name Members Count Difference
This command validates the groups to see if the groups at the account level and workspace level have different membership. This command is useful for administrators who want to ensure that the groups have the correct membership. It can also be used to debug issues related to group membership. See group migration and group migration for more details.

Valid group membership is important to ensure users has correct access after legacy table ACL is migrated in table migration workflow