

Create a Shared Account CSV File

Each row or line in the privileged account CSV file, after the header row or line, represents a task to create or modify a shared account in CA ControlMinder Enterprise Management.

Important! When you create the CSV file, verify that no other application uses the file and that the file can be renamed. The SAM feeder processes only CSV files that can be renamed.

Follow these steps:

  1. Create a CSV file and give it an appropriate name.

    Note: We recommend that you create a copy of the sample privileged account CSV file. The sample file is located as follows, where ACServerInstallDir is the directory in which you installed the Enterprise Management Server:

    ACServerInstallDir/IAMSuite/AccessControl/tools/samples/feeder
    
  2. Create a header row or line that specifies the names of the shared account attributes.

    The names of the shared account attributes are as follows:

    OBJECT_TYPE

    Specifies the type of the object to import.

    Values: ACCOUNT_PASSWORD

    ACTION_TYPE

    Specifies the type of action to perform.

    Values: CREATE, MODIFY, DELETE

    ACCOUNT_NAME

    Defines the name by which you want to refer to the shared account on CA ControlMinder Enterprise Management.

    Note: Mainframe systems, for example, RACF, ACF, and Top Secret, and SSH Device endpoint types use case-sensitive user names. Enter the account name in the correct case for these endpoint types. Enter the account name in capital letters for privileged accounts on mainframe systems and on Oracle Server endpoints.

    CHECKOUT_ONLY_AUTO_LOGIN

    Specifies whether to allow password check-out only if a login application is defined for the endpoint.

    Values: TRUE, FALSE

    Default: FALSE

    ENDPOINT_NAME

    Specifies the name of the endpoint on which the shared account resides. Define the endpoint in CA ControlMinder Enterprise Management before you can create any shared accounts for the endpoint.

    NAMESPACE

    Specifies the endpoint type of the endpoint.

    Note: You can view the available endpoint types in CA ControlMinder Enterprise Management. Before you create endpoints of type CA Identity Minder Provisioning, create an Identity Manager Provisioning type Connector Server in CA ControlMinder Enterprise Management.

    CONTAINER

    Specifies the name of the container for the shared account. A container is a class whose instances are collections of other objects. Containers are used to store objects in an organized way following specific access rules.

    Values: (Windows Agentless and Oracle Server endpoints): Accounts

    (SSH Device endpoints): SSH Accounts

    (MS SQL Server endpoints): MS SQL Logins.

    DISCONNECTED_SYSTEM

    Specifies if the shared account originates from a disconnected system.

    If you specify TRUE, SAM does not manage the account. Instead, it acts only as a password vault for shared accounts of the disconnected system. Every time that you change the password in SAM, manually change the account password on the managed endpoint.

    Values: TRUE, FALSE

    EXCLUSIVE_ACCOUNT

    Specifies if a single user can check out the account at any time.

    If you specify EXCLUSIVE, SAM lets a single user check-out the account at any time. If you specify EXCLUSIVE_SESSIONS, SAM denies check-in to an open session exclusive account. If you specify NONE, SAM allows multiple users to check-out simultaneously.

    Values: EXCLUSIVE_SESSIONS, EXCLUSIVE, NONE

    PASSWORD_POLICY

    Specifies the password policy for the shared account.

    Note: If you specify a password policy that does not exist, the task fails and CA ControlMinder Enterprise Management does not create the account.

    OWNER_INFO

    Specifies the name of the account owner.

    OWNER_TYPE

    (Optional) Specifies the type of the endpoint owner.

    Values: USER, GROUP

    DEPARTMENT_INFO

    Specifies the name of the department.

    CUSTOM1....5_INFO

    Specifies up to five customer-specific attributes.

    CHANGE_PASSWORD_ON_CHECKOUT

    Specifies if you want CA ControlMinder Enterprise Management to change the password of the account every time it is checked out.

    Values: TRUE, FALSE

    Default: FALSE

    CHANGE_PASSWORD_ON_CHECKIN

    Specifies whether you want CA ControlMinder Enterprise Management to change the password of the account every time it is checked in by a user, program, or when the checkout period expires.

    Values: TRUE, FALSE

    Default: TRUE

    CHECKOUT_EXPIRATION_MIN

    (Optional) Specifies the duration, in minutes, before the checked out account expires.

  3. Add task lines to the CSV file.

    Each line represents a task to create or modify a shared account, and must have the same number of attribute values as the header. If a line does not have a value for an attribute, leave the field empty.

  4. Save the file to the polling folder.

    The shared account CSV file is ready to be imported by the SAM feeder.

    Note: The default polling folder is located as follows, where JBoss_home is the directory in which you installed JBoss:

    JBoss_home/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
    

Example: A Shared Account CSV File

The following is a sample shared account CSV file. You can find more sample shared account CSV files in the ACServerInstallDir/IAMSuite/AccessControl/tools/samples/Feeder directory.

OBJECT_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,DISCONNECTED_SYSTEM,EXCLUSIVE_ACCOUNT,ACCOUNT_PASSWORD,PASSWORD_POLICY

ACCOUNT_PASSWORD,demo1,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,Password1@,default password policy

ACCOUNT_PASSWORD,demo2,local windows 2003,Windows Agentless,Accounts,FALSE,FALSE,,default password policy

ACCOUNT_PASSWORD,disconnected1,local windows 2003,Windows Agentless,Accounts,TRUE,FALSE,Password1@,default password policy

Mandatory Attributes for Creating or Modifying a Shared Account

Following are the mandatory attributes that you must define to create or modify a shared account:

OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,PASSWORD_POLICY,ACCOUNT_PASSWORD
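
The following pre-flight check is an added example, not part of the CA documentation or the SAM feeder. It applies the rules from the procedure and the mandatory attribute list above to a CSV before the file is saved to the polling folder. The function name, the constructed sample, exact-case value matching, and the expansion of CUSTOM1....5_INFO into CUSTOM1_INFO through CUSTOM5_INFO are assumptions.

```python
import csv
import io

# Attribute names and value lists as given on the page.
MANDATORY = ["OBJECT_TYPE", "ACTION_TYPE", "ACCOUNT_NAME", "ENDPOINT_NAME",
             "NAMESPACE", "CONTAINER", "PASSWORD_POLICY", "ACCOUNT_PASSWORD"]
OPTIONAL = ["CHECKOUT_ONLY_AUTO_LOGIN", "DISCONNECTED_SYSTEM", "EXCLUSIVE_ACCOUNT",
            "OWNER_INFO", "OWNER_TYPE", "DEPARTMENT_INFO", "CHECKOUT_EXPIRATION_MIN",
            "CHANGE_PASSWORD_ON_CHECKOUT", "CHANGE_PASSWORD_ON_CHECKIN"]
# Assumption: "CUSTOM1....5_INFO" expands to CUSTOM1_INFO .. CUSTOM5_INFO.
KNOWN = set(MANDATORY) | set(OPTIONAL) | {f"CUSTOM{i}_INFO" for i in range(1, 6)}
BOOL = {"TRUE", "FALSE"}
# EXCLUSIVE_ACCOUNT is not checked: the page's sample rows use FALSE,
# which is outside the values listed for that attribute.
ALLOWED = {"OBJECT_TYPE": {"ACCOUNT_PASSWORD"},
           "ACTION_TYPE": {"CREATE", "MODIFY", "DELETE"},
           "OWNER_TYPE": {"USER", "GROUP"},
           "CHECKOUT_ONLY_AUTO_LOGIN": BOOL, "DISCONNECTED_SYSTEM": BOOL,
           "CHANGE_PASSWORD_ON_CHECKOUT": BOOL, "CHANGE_PASSWORD_ON_CHECKIN": BOOL}

# Constructed sample: line 3 is one value short, line 4 has two bad values.
SAMPLE = """\
OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,DISCONNECTED_SYSTEM,ACCOUNT_PASSWORD,PASSWORD_POLICY
ACCOUNT_PASSWORD,CREATE,demo1,local windows 2003,Windows Agentless,Accounts,FALSE,placeholder-secret,default password policy
ACCOUNT_PASSWORD,CREATE,demo2,local windows 2003,Windows Agentless,Accounts,FALSE,default password policy
ACCOUNT_PASSWORD,REMOVE,demo3,local windows 2003,Windows Agentless,Accounts,yes,placeholder-secret,default password policy
"""

def validate_feed(text):
    """Return a list of (line_number, problem) for a shared account CSV."""
    rows = [(n, r) for n, r in enumerate(csv.reader(io.StringIO(text)), 1) if r]
    if not rows:
        return [(0, "file is empty")]
    hline, header = rows[0][0], [h.strip() for h in rows[0][1]]
    problems = [(hline, f"unknown attribute {h}") for h in header if h not in KNOWN]
    problems += [(hline, f"missing mandatory attribute {m}")
                 for m in MANDATORY if m not in header]
    for n, row in rows[1:]:
        # Each task line must carry exactly as many values as the header.
        if len(row) != len(header):
            problems.append((n, f"{len(row)} values, header has {len(header)}"))
            continue
        for name, value in zip(header, row):
            value = value.strip()
            if value and name in ALLOWED and value not in ALLOWED[name]:
                problems.append((n, f"{name}={value} not an allowed value"))
            if value and name == "CHECKOUT_EXPIRATION_MIN" and not value.isdigit():
                problems.append((n, "CHECKOUT_EXPIRATION_MIN is not in minutes"))
    return problems
```

An empty result from validate_feed means the file passed these checks; it does not confirm that the named endpoint or password policy exists in CA ControlMinder Enterprise Management.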