Create a Privileged Account CSV File

Each row or line in the privileged account CSV file, after the header row or line, represents a task to create or modify a privileged account in CA Access Control Enterprise Management.

Important! When you create the CSV file, verify that no other application uses the file and that the file can be renamed. The PUPM feeder processes only CSV files that can be renamed.

Follow these steps:

  1. Create a CSV file and give it an appropriate name.

    Note: We recommend that you create a copy of the sample privileged account CSV file. The sample file is located as follows, where ACServer is the directory in which you installed the Enterprise Management Server:

    ACServer/IAMSuite/AccessControl/tools/samples/feeder
    
  2. Create a header row or line that specifies the names of the privileged account attributes.

    The names of the privileged account attributes are as follows:

    OBJECT_TYPE

    Specifies the type of the object to import.

    Values: ACCOUNT_PASSWORD

    ACTION_TYPE

    Specifies the type of action to perform.

    Values: CREATE, MODIFY, DELETE

    ACCOUNT_NAME

    Defines the name by which you want to refer to the privileged account on CA Access Control Enterprise Management.

    Note: Mainframe systems, for example, RACF, ACF, and Top Secret, and SSH Device endpoint types use case-sensitive user names. Enter the account name in the correct case for these endpoint types. Enter the account name in capital letters for privileged accounts on mainframe systems and on Oracle Server endpoints.

    ENDPOINT_NAME

    Specifies the name of the endpoint on which the privileged account resides. Define the endpoint in CA Access Control Enterprise Management before you create any privileged accounts for it.

    NAMESPACE

    Specifies the endpoint type of the endpoint.

    Note: You can view the available endpoint types in CA Access Control Enterprise Management. Before you create endpoints of type CA Identity Manager Provisioning, create an Identity Manager Provisioning type Connector Server in CA Access Control Enterprise Management.

    CONTAINER

    Specifies the name of the container for the privileged account. A container is a class whose instances are collections of other objects. Containers are used to store objects in an organized way following specific access rules.

    Values: (Windows Agentless and Oracle Server endpoints): Accounts

    (SSH Device endpoints): SSH Accounts

    (MS SQL Server endpoints): MS SQL Logins

    DISCONNECTED_SYSTEM

    Specifies if the privileged account originates from a disconnected system.

    If you specify TRUE, PUPM does not manage the account. Instead, it acts only as a password vault for privileged accounts of the disconnected system. Every time that you change the password in PUPM, manually change the account password on the managed endpoint.

    Values: TRUE, FALSE

    EXCLUSIVE_ACCOUNT

    Specifies if a single user can check out the account at any time.

    If you specify EXCLUSIVE, PUPM lets only a single user check out the account at any time. If you specify EXCLUSIVE_SESSIONS, PUPM denies check-in of an exclusive account while its session is still open. If you specify NONE, PUPM allows multiple users to check out the account simultaneously.

    Values: EXCLUSIVE_SESSIONS, EXCLUSIVE, NONE

    NEW_PASSWORD

    Defines the password for the privileged account. If you do not specify a value for this attribute, CA Access Control Enterprise Management generates a password that complies with the specified password policy.

    Note: The password must comply with the password policy.

    PASSWORD_POLICY

    Specifies the password policy for the privileged account.

    Note: If you specify a password policy that does not exist, the task fails and CA Access Control Enterprise Management does not create the privileged account.

    OWNER_INFO

    Specifies the name of the account owner.

    DEPARTMENT_INFO

    Specifies the name of the department.

    CUSTOM1_INFO ... CUSTOM5_INFO

    Specifies up to five customer-specific attributes.

    CHANGE_PASSWORD_ON_CHECKOUT

    Specifies if you want CA Access Control Enterprise Management to change the password of the privileged account every time it is checked out.

    Values: TRUE, FALSE

    Default: FALSE

    CHANGE_PASSWORD_ON_CHECKIN

    Specifies whether you want CA Access Control Enterprise Management to change the password of the privileged account every time a user or program checks it in, or when the checkout period expires.

    Values: TRUE, FALSE

    Default: TRUE

  3. Add task lines to the CSV file.

    Each line represents a task to create or modify a privileged account, and must have the same number of attribute values as the header. If a line does not have a value for an attribute, leave the field empty.

  4. Save the file to the polling folder.

    The privileged account CSV file is ready to be imported by the PUPM feeder.

    Note: The default polling folder is located as follows, where JBoss_home is the directory in which you installed JBoss:

    JBoss_home/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
    

Example: A Privileged Account CSV File

The following is a sample privileged account CSV file. You can find more sample privileged account CSV files in the ACServer/IAMSuite/AccessControl/tools/samples/Feeder directory.

OBJECT_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,DISCONNECTED_SYSTEM,EXCLUSIVE_ACCOUNT,NEW_PASSWORD,PASSWORD_POLICY
ACCOUNT_PASSWORD,demo1,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,Password1@,default password policy
ACCOUNT_PASSWORD,demo2,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,,default password policy
ACCOUNT_PASSWORD,disconnected1,local windows 2003,Windows Agentless,Accounts,TRUE,FALSE,Password1@,default password policy
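The following Python script is an added example that is not part of the CA documentation or of the PUPM feeder itself. It covers both the four-step procedure above and the sample file: it stages a CSV file, checks every task line against the documented attribute names and value sets (same field count as the header, OBJECT_TYPE, ACTION_TYPE, DISCONNECTED_SYSTEM, EXCLUSIVE_ACCOUNT and the two CHANGE_PASSWORD flags, capital-letter account names for endpoint types that require them), warns when NEW_PASSWORD carries a cleartext secret instead of leaving it empty for policy-based generation, and probes the feeder's precondition that the file can be renamed. The sample rows, the file name, the warn/error levels and the UPPERCASE_NAMESPACES set (only "Oracle Server" is spelled out on the page; mainframe endpoint type names must be added as Enterprise Management displays them) are the example's own assumptions.

```python
"""Check a PUPM privileged account CSV before dropping it into the polling folder.

Added example, not CA's own tooling. Rules are taken from the attribute list
in the documentation; everything else (names, levels, sample data) is assumed.
"""
import csv
import io
import os
import tempfile

# Attribute names the header row may contain, as documented.
KNOWN_ATTRIBUTES = {
    "OBJECT_TYPE", "ACTION_TYPE", "ACCOUNT_NAME", "ENDPOINT_NAME", "NAMESPACE",
    "CONTAINER", "DISCONNECTED_SYSTEM", "EXCLUSIVE_ACCOUNT", "NEW_PASSWORD",
    "PASSWORD_POLICY", "OWNER_INFO", "DEPARTMENT_INFO", "CUSTOM1_INFO",
    "CUSTOM2_INFO", "CUSTOM3_INFO", "CUSTOM4_INFO", "CUSTOM5_INFO",
    "CHANGE_PASSWORD_ON_CHECKOUT", "CHANGE_PASSWORD_ON_CHECKIN",
}

# Documented value sets. An empty field is always accepted (it means "no value").
ALLOWED_VALUES = {
    "OBJECT_TYPE": {"ACCOUNT_PASSWORD"},
    "ACTION_TYPE": {"CREATE", "MODIFY", "DELETE"},
    "DISCONNECTED_SYSTEM": {"TRUE", "FALSE"},
    "EXCLUSIVE_ACCOUNT": {"EXCLUSIVE_SESSIONS", "EXCLUSIVE", "NONE"},
    "CHANGE_PASSWORD_ON_CHECKOUT": {"TRUE", "FALSE"},
    "CHANGE_PASSWORD_ON_CHECKIN": {"TRUE", "FALSE"},
}

# Endpoint types whose account names must be capital letters. Assumption: only
# "Oracle Server" is named on the page; extend with your mainframe type names.
UPPERCASE_NAMESPACES = {"Oracle Server"}


def validate_csv_text(text):
    """Return (line_number, level, message) findings; line 1 is the header row.

    Line numbers assume no quoted multi-line fields, which the feeder CSV never uses.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(0, "error", "file is empty; a header row is required")]
    header = rows[0]
    findings = []
    for name in header:
        if name not in KNOWN_ATTRIBUTES:
            findings.append((1, "error", f"unknown attribute in header: {name!r}"))
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # blank line: nothing to import
        if len(row) != len(header):  # every task line needs one field per header name
            findings.append((lineno, "error", f"expected {len(header)} fields, found {len(row)}"))
            continue
        record = dict(zip(header, row))
        for attr, allowed in ALLOWED_VALUES.items():
            value = record.get(attr, "")
            if value and value not in allowed:
                findings.append((lineno, "error", f"{attr}={value!r} is not one of {sorted(allowed)}"))
        name = record.get("ACCOUNT_NAME", "")
        if record.get("NAMESPACE") in UPPERCASE_NAMESPACES and name != name.upper():
            findings.append((lineno, "error", f"ACCOUNT_NAME {name!r} must be capital letters "
                                              f"for {record['NAMESPACE']} endpoints"))
        if record.get("NEW_PASSWORD"):  # empty means Enterprise Management generates one
            findings.append((lineno, "warn", "NEW_PASSWORD is set: cleartext secret in the file; "
                                             "leave it empty to get a policy-compliant generated password"))
    return findings


def can_be_renamed(path):
    """Probe the feeder precondition: rename the file to a sibling name and back."""
    probe = path + ".rename-check"
    try:
        os.rename(path, probe)
        os.rename(probe, path)
    except OSError:
        return False
    return True


# Constructed sample (not the documentation's file): a clean row carrying a
# cleartext password, a row missing one field, a row with an undocumented
# EXCLUSIVE_ACCOUNT value, and an Oracle row whose account name is lowercase.
SAMPLE_CSV = (
    "OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,"
    "DISCONNECTED_SYSTEM,EXCLUSIVE_ACCOUNT,NEW_PASSWORD,PASSWORD_POLICY\n"
    "ACCOUNT_PASSWORD,CREATE,demo1,local windows 2003,Windows Agentless,Accounts,FALSE,NONE,Password1@,default password policy\n"
    "ACCOUNT_PASSWORD,CREATE,demo2,local windows 2003,Windows Agentless,Accounts,FALSE,NONE,default password policy\n"
    "ACCOUNT_PASSWORD,CREATE,demo3,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,,default password policy\n"
    "ACCOUNT_PASSWORD,CREATE,sys,ora1,Oracle Server,Accounts,FALSE,EXCLUSIVE,,default password policy\n"
)


def stage_file(text, directory=None):
    """Write the CSV text to privileged_accounts.csv in directory (temp dir if None)."""
    directory = directory or tempfile.mkdtemp(prefix="pupm-feeder-")
    path = os.path.join(directory, "privileged_accounts.csv")
    with open(path, "w", newline="") as fh:
        fh.write(text)
    return path


def check_file(path):
    """Validate the file's content and confirm it can be renamed."""
    with open(path, newline="") as fh:
        findings = validate_csv_text(fh.read())
    return findings, can_be_renamed(path)


if __name__ == "__main__":
    staged = stage_file(SAMPLE_CSV)
    result, renamable = check_file(staged)
    for lineno, level, message in result:
        print(f"line {lineno} [{level}]: {message}")
    print("can be renamed:", renamable)
```

Run the checker against the real file before moving it to the waitingToBeProcessed folder, and only move it once it reports no errors. Two caveats: the sample file shown above uses FALSE for EXCLUSIVE_ACCOUNT, which is not among the values documented for that attribute, so this checker flags such rows; if your installation accepts FALSE there, add it to ALLOWED_VALUES. The rename probe is meaningful mainly on Windows, where another process holding the file open blocks the rename; on Linux a rename succeeds even while the file is open, so there it only confirms directory permissions.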