Each row or line in the privileged account CSV file, after the header row or line, represents a task to create or modify a shared account in CA ControlMinder Enterprise Management.
Important! When you create the CSV file, verify that no other application uses the file and that the file can be renamed. The SAM feeder processes only CSV files that can be renamed.
Follow these steps:
Note: We recommend that you create a copy of the sample privileged account CSV file. The sample file is located as follows, where ACServerInstallDir is the directory in which you installed the Enterprise Management Server:
ACServerInstallDir/IAMSuite/AccessControl/tools/samples/feeder
The names of the shared account attributes are as follows:
Specifies the type of the object to import.
Values: ACCOUNT_PASSWORD
Specifies the type of action to perform.
Values: CREATE, MODIFY, DELETE
Defines the name by which you want to refer to the shared account on CA ControlMinder Enterprise Management.
Note: Mainframe systems, for example, RACF, ACF, and Top Secret, and SSH Device endpoint types use case-sensitive user names. Enter the account name in the correct case for these endpoint types. Enter the account name in capital letters for privileged accounts on mainframe systems and on Oracle Server endpoints.
Specifies whether to allow password check-out only if a login application is defined for the endpoint.
Values: TRUE, FALSE
Default: FALSE
Specifies the name of the endpoint on which the shared account resides. Define the endpoint in CA ControlMinder Enterprise Management before you create any shared accounts for it.
Specifies the endpoint type of the endpoint.
Note: You can view the available endpoint types in CA ControlMinder Enterprise Management. Before you create endpoints of type CA Identity Minder Provisioning, create an Identity Manager Provisioning type Connector Server in CA ControlMinder Enterprise Management.
Specifies the name of the container for the shared account. A container is a class whose instances are collections of other objects. Containers are used to store objects in an organized way following specific access rules.
Values: (Windows Agentless and Oracle Server endpoints): Accounts
(SSH Device endpoints): SSH Accounts
(MS SQL Server endpoints): MS SQL Logins.
Specifies if the shared account originates from a disconnected system.
If you specify TRUE, SAM does not manage the account. Instead, it acts only as a password vault for shared accounts of the disconnected system. Every time that you change the password in SAM, manually change the account password on the managed endpoint.
Values: TRUE, FALSE
Specifies if a single user can check out the account at any time.
If you specify EXCLUSIVE, SAM lets a single user check out the account at any time. If you specify EXCLUSIVE_SESSIONS, SAM denies check-in to an open session exclusive account. If you specify NONE, SAM allows multiple users to check out the account simultaneously.
Values: EXCLUSIVE_SESSIONS, EXCLUSIVE, NONE
Specifies the password policy for the shared account.
Note: If you specify a password policy that does not exist, the task fails and CA ControlMinder Enterprise Management does not create the account.
Specifies the name of the account owner.
(Optional) Specifies the type of the endpoint owner.
Values: USER, GROUP
Specifies the name of the department.
Specifies up to five customer-specific attributes.
Specifies if you want CA ControlMinder Enterprise Management to change the password of the account every time it is checked out.
Values: TRUE, FALSE
Default: FALSE
Specifies whether you want CA ControlMinder Enterprise Management to change the password of the account every time it is checked in by a user, program, or when the checkout period expires.
Values: TRUE, FALSE
Default: TRUE
(Optional) Specifies the duration, in minutes, before the checked out account expires.
Each line represents a task to create or modify a shared account, and must have the same number of attribute values as the header. If a line does not have a value for an attribute, leave the field empty.
The shared account CSV file is ready to be imported by the SAM feeder.
Note: The default polling folder is located as follows, where JBoss_home is the directory in which you installed JBoss:
JBoss_home/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
Example: A Shared Account CSV File
The following is a sample shared account CSV file. You can find more sample shared account CSV files in the ACServerInstallDir/IAMSuite/AccessControl/tools/samples/Feeder directory.
OBJECT_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,DISCONNECTED_SYSTEM,EXCLUSIVE_ACCOUNT,ACCOUNT_PASSWORD,PASSWORD_POLICY
ACCOUNT_PASSWORD,demo1,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,Password1@,default password policy
ACCOUNT_PASSWORD,demo2,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,,default password policy
ACCOUNT_PASSWORD,disconnected1,local windows 2003,Windows Agentless,Accounts,TRUE,FALSE,Password1@,default password policy
Mandatory Attributes for Creating or Modifying a Shared Account
Following are the mandatory attributes that you must define to create or modify a shared account:
OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,PASSWORD_POLICY,ACCOUNT_PASSWORD
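A pre-import check for the rules stated on this page (mandatory header attributes, equal field counts per line, and the listed values for OBJECT_TYPE, ACTION_TYPE and DISCONNECTED_SYSTEM), added here as an example and not part of the CA documentation or product. The function name validate_feeder_csv and the sample rows are constructed for illustration; treating an empty field as acceptable is an assumption based on the instruction to leave a field empty when it has no value.

```python
import csv
import io

# Mandatory header attributes and allowed values, taken from this page.
MANDATORY = ["OBJECT_TYPE", "ACTION_TYPE", "ACCOUNT_NAME", "ENDPOINT_NAME",
             "NAMESPACE", "CONTAINER", "PASSWORD_POLICY", "ACCOUNT_PASSWORD"]
ALLOWED = {
    "OBJECT_TYPE": {"ACCOUNT_PASSWORD"},
    "ACTION_TYPE": {"CREATE", "MODIFY", "DELETE"},
    "DISCONNECTED_SYSTEM": {"TRUE", "FALSE"},
}

def validate_feeder_csv(text):
    """Return a list of (line_number, message) problems; empty means clean."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    header = [h.strip() for h in rows[0]]
    for name in MANDATORY:
        if name not in header:
            problems.append((1, f"mandatory attribute {name} missing from header"))
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # blank line, nothing to check
        if len(row) != len(header):
            problems.append((lineno, f"{len(row)} values, header has {len(header)}"))
            continue  # values cannot be matched to attribute names reliably
        record = dict(zip(header, (v.strip() for v in row)))
        for name, allowed in ALLOWED.items():
            value = record.get(name, "")
            # Assumption: an empty field is acceptable and left to the feeder.
            if value and value not in allowed:
                problems.append((lineno, f"{name}={value!r} not in {sorted(allowed)}"))
    return problems

# Constructed sample: line 3 is one value short, line 4 has an unknown ACTION_TYPE.
SAMPLE = """\
OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,DISCONNECTED_SYSTEM,ACCOUNT_PASSWORD,PASSWORD_POLICY
ACCOUNT_PASSWORD,CREATE,demo1,local windows 2003,Windows Agentless,Accounts,FALSE,<placeholder>,default password policy
ACCOUNT_PASSWORD,CREATE,demo2,local windows 2003,Windows Agentless,Accounts,FALSE,default password policy
ACCOUNT_PASSWORD,UPDATE,demo3,local windows 2003,Windows Agentless,Accounts,TRUE,,default password policy
"""

if __name__ == "__main__":
    for lineno, message in validate_feeder_csv(SAMPLE):
        print(f"line {lineno}: {message}")
```

Running the check before the file is placed in the polling folder reports problems by line number, so a short row or a misspelled action is caught before the feeder processes the file.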
Copyright © 2013 CA Technologies.
All rights reserved.