Skip to content
Kisum • Documentation

Migration Plan Mongo to Auth Core

Status

Section titled “Status”

This document is FINAL and ENFORCEABLE for migrating legacy systems to the new architecture.

1. Purpose

Section titled “1. Purpose”

This plan defines how to migrate:

  • MongoDB users
  • Finance system companies
  • Legacy permission system

into:

  • Auth Backend (identity, memberships, permissions)
  • Platform Core (companies, entitlements, subscriptions)

2. Migration Principles

Section titled “2. Migration Principles”
No big-bang migration
No downtime
No dual source of truth long-term
Fail-safe and reversible steps

3. Target Mapping

Section titled “3. Target Mapping”
LegacyNew System
users (Mongo)Auth users
company_usersAuth memberships
permissionsAuth permissions
package_permissionsCore entitlements
finance companiesCore companies

4. Phases

Section titled “4. Phases”

Phase 1 — Read-only sync

Section titled “Phase 1 — Read-only sync”

  • keep Mongo as source of truth

  • build sync job: Mongo → Auth Mongo → Core

  • validate data consistency

Phase 2 — Dual write

Section titled “Phase 2 — Dual write”

  • new writes go to:

    • Mongo (legacy)
    • Auth/Core (new)

  • ensure both stay aligned

Phase 3 — Read switch

Section titled “Phase 3 — Read switch”

  • backend reads from:

    • Auth (users, permissions)
    • Core (entitlements)

  • Mongo becomes fallback only

Phase 4 — Freeze legacy writes

Section titled “Phase 4 — Freeze legacy writes”
  • disable writes to Mongo
  • validate full system using Auth/Core

Phase 5 — Decommission

Section titled “Phase 5 — Decommission”
  • remove Mongo logic
  • remove legacy permission code
  • remove dual write

5. Data Migration Details

Section titled “5. Data Migration Details”

5.1 Users

Section titled “5.1 Users”
  • copy users → Auth
  • map:
    • _id → uuid
    • email → email
    • roles → tenantRole

5.2 Companies

Section titled “5.2 Companies”
  • move finance companies → Core
  • assign unique UUID
  • map legacy IDs

5.3 Memberships

Section titled “5.3 Memberships”
  • create membership per user-company
  • assign:
    • role
    • modules (initial grants)
    • permissions

5.4 Permissions

Section titled “5.4 Permissions”
  • map legacy permissions → new permission keys
  • normalize naming (e.g. finance.expense.view)

6. Sync Strategy

Section titled “6. Sync Strategy”

6.1 Incremental sync

Section titled “6.1 Incremental sync”
  • run scheduled job (cron)
  • detect changes
  • push to Auth/Core

6.2 Event-based sync (optional)

Section titled “6.2 Event-based sync (optional)”
  • Mongo change streams
  • trigger updates instantly

7. Validation

Section titled “7. Validation”

Before switching reads:

  • user count matches
  • company count matches
  • membership count matches
  • permission parity validated

8. Rollback Plan

Section titled “8. Rollback Plan”

At any phase:

  • revert reads to Mongo
  • disable Auth/Core reads
  • maintain data sync

9. Risks

Section titled “9. Risks”
  • inconsistent IDs
  • missing permissions
  • stale cache

Mitigation:

  • strict validation
  • logs
  • metrics

10. Final Rule

Section titled “10. Final Rule”
Migration is complete only when Mongo is no longer used for:
- users
- permissions
- company access