

Create an Endpoint CSV File

Each row or line in the endpoint CSV file, after the header row or line, represents a task to create, modify, or delete an endpoint in CA ControlMinder Enterprise Management.

Important! When you create the CSV file, verify that no other application uses the file and that the file can be renamed. The SAM feeder processes only CSV files that can be renamed.

Follow these steps:

  1. Create a CSV file and give it an appropriate name.

    Note: We recommend that you create a copy of a sample endpoint CSV file. The sample files are located in the following directory, where ACServer is the directory in which you installed the Enterprise Management Server:

    ACServer/IAM Suite/Access Control/tools/samples/feeder
    
  2. Create a header row or line that specifies the names of the endpoint attributes.

    The names of the endpoint attributes are as follows. Some endpoint attributes are valid only for certain endpoint types:

    OBJECT_TYPE

    Specifies the type of the object to import.

    Value: ENDPOINT

    ACTION_TYPE

    Specifies the type of action to perform.

    Values: CREATE, MODIFY, DELETE

    %FRIENDLY_NAME%

    Defines the name by which you refer to this endpoint in CA ControlMinder Enterprise Management.

    DESCRIPTION

    Defines any information that you want to record for this endpoint.

    ENDPOINT_TYPE

    Specifies the type of the endpoint.

    Note: You can view the available endpoint types in CA ControlMinder Enterprise Management. Before you create endpoints of type CA Identity Minder Provisioning, create an Identity Manager Provisioning type Connector Server in CA ControlMinder Enterprise Management.

    HOST

    Defines the host name of the endpoint.

    LOGIN_USER

    Defines the name of an administrative user of the endpoint. This attribute is not valid for any of the CA Identity Minder Provisioning endpoint types, but is valid for all other endpoint types.

    For all valid endpoint types except SSH Device:

    • If you do not specify a privileged administrative account (IS_ADVANCE attribute), SAM uses LOGIN_USER to connect to the endpoint and to perform administrative tasks on the endpoint, for example, to discover accounts and change passwords.
    • If you specify a privileged administrative account, SAM ignores any values for LOGIN_USER.

    For SSH Device endpoints:

    • If you do not specify an operation administrator (OPERATION_ADMIN_USER_NAME) or a privileged administrative account, SAM uses LOGIN_USER to connect to the endpoint and to perform administrative tasks on the endpoint.
    • If you specify an operation administrator, SAM uses LOGIN_USER to connect to the endpoint and the operation administrator to perform administrative tasks on the endpoint.
    • If you specify a privileged administrative account, SAM ignores any values for LOGIN_USER.

    PASSWORD

    Defines the password of LOGIN_USER. This attribute is not valid for the CA Identity Minder Provisioning endpoint type, but is valid for all other endpoint types.

    URL

    Defines the URL that CA ControlMinder Enterprise Management uses to connect to the endpoint. This attribute is valid for the MS SQL Server and Oracle Server endpoint types.

    Format: (MS SQL Server) jdbc:sqlserver://servername:port

    Format: (Oracle Server) jdbc:oracle:drivertype:@hostname:port:service

    DOMAIN

    Specifies the name of the domain of which this endpoint is a member. This attribute is valid for the Access Control for SAM and Windows Agentless endpoint types.

    IS_ACTIVE_DIRECTORY

    Specifies whether the user account is an Active Directory account. This attribute is valid for the Windows Agentless endpoint type only.

    Limits: TRUE, FALSE

    USER_DOMAIN

    Specifies the name of the domain of which the LOGIN_USER is a member. This attribute is valid for the Windows Agentless endpoint type.

    CONFIGURATION_FILE

    Specifies the name of the SSH Device XML configuration file that you are defining. This attribute is valid for the SSH Device endpoint type.

    Note: If you do not specify a value for this attribute, CA ControlMinder Enterprise Management uses the default configuration file (ssh_connector_conf.xml).

    OPERATION_ADMIN_USER_NAME

    (Optional) Defines the name of the operation administrator user of the endpoint. SAM uses this account to perform administrative tasks on the endpoint, for example, discovering and changing the password of privileged accounts. This attribute is valid for the SSH Device endpoint type, as follows:

    • If you specify a privileged administrative account (IS_ADVANCE attribute) and an operation administrator, SAM uses the privileged administrative account to connect to the endpoint and the operation administrator to perform administrative tasks on the endpoint.
    • If you specify LOGIN_USER and an operation administrator account, SAM uses LOGIN_USER to connect to the endpoint and the operation administrator to perform administrative tasks on the endpoint.

    If you specify an operation administrator for an SSH endpoint that uses a Check Point firewall, specify the expert user. However, you cannot use SAM to change the password for the expert account on the endpoint. This restriction means that the expert account must be a disconnected account in SAM.

    OPERATION_ADMIN_USER_PASSWORD

    (Optional) Defines the password for the operation administrator user of the endpoint. This attribute is valid for the SSH Device endpoint type.

    ENDPOINT

    Defines the name of the endpoint, exactly as it is defined in CA Identity Minder Provisioning Server. This attribute is valid for the CA Identity Minder Provisioning endpoint type.

    IS_ADVANCE

    (Optional) Specifies whether you want to use a privileged administrative account to connect to the endpoint and to perform administrative tasks on the endpoint, for example, to discover accounts and change passwords. This attribute is valid for all endpoint types.

    For all valid endpoint types except SSH Device, if you specify a privileged administrative account (IS_ADVANCE is TRUE), SAM uses the privileged administrative account to connect to the endpoint and to perform administrative tasks on the endpoint.

    For SSH Device endpoints:

    • If you specify a privileged administrative account and an operation administrator (OPERATION_ADMIN_USER_NAME), SAM uses the privileged administrative account to connect to the endpoint and the operation administrator to perform administrative tasks on the endpoint.
    • If you specify only a privileged administrator account, SAM uses the privileged administrative account to connect to the endpoint and to perform administrative tasks on the endpoint.

    Limits: TRUE, FALSE

    Note: If you set the value of this attribute to TRUE, do not specify a value for LOGIN_USER. However, specify PROPERTY_ADMIN_ACCOUNT_ENDPOINT_TYPE, PROPERTY_ADMIN_ACCOUNT_ENDPOINT_NAME, PROPERTY_ADMIN_ACCOUNT_CONTAINER, and PROPERTY_ADMIN_ACCOUNT_NAME.

    PROPERTY_ADMIN_ACCOUNT_ENDPOINT_TYPE

    (Optional) Defines the type of endpoint on which the privileged administrative account is defined.

    Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.

    PROPERTY_ADMIN_ACCOUNT_ENDPOINT_NAME

    (Optional) Defines the name of the endpoint on which the privileged administrative account is defined. The endpoint must exist in CA ControlMinder Enterprise Management.

    Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.

    PROPERTY_ADMIN_ACCOUNT_CONTAINER

    (Optional) Defines the container in which the privileged administrative account is defined. A container is a class whose instances are collections of other objects.

    Values: (Windows Agentless and Oracle Server): Accounts

    (SSH Device): SSH Accounts

    (MS SQL Server): MS SQL Logins

    Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.

    PROPERTY_ADMIN_ACCOUNT_NAME

    (Optional) Defines the name of the privileged administrative account that SAM uses to perform administrative tasks on the endpoint, for example, to discover accounts and change passwords. The privileged account must exist in CA ControlMinder Enterprise Management.

    Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.

    LOGIN_APPLICATION

    Specifies the name of the login application to associate with the endpoint.

    OWNER_INFO

    Specifies the name of the endpoint owner.

    OWNER_TYPE

    (Optional) Specifies the type of the endpoint owner.

    Values: USER, GROUP

    DEPARTMENT_INFO

    Specifies the name of the department.

    CUSTOM1...5_INFO

    Specifies up to five customer-specific attributes.

    ADMIN_ACCOUNT_IS_DISCONNECTED

    Specifies whether the endpoint administrator account is disconnected.

    Values: TRUE, FALSE

    Default: TRUE

    DISABLE_EXCLUSIVE_SESSIONS

    Specifies whether to disable the exclusive sessions option on this endpoint.

    Values: TRUE, FALSE

    Default: FALSE

    DENY_BREAKGLASS_EXCLUSIVE

    Specifies whether to prevent break glass access to exclusive accounts that are currently in use.

    Values: TRUE, FALSE

    Default: FALSE

    DISABLE_ADVANCED_LOGIN

    (Optional) Specifies whether to disable the Advanced Login option for this endpoint.

    Values: TRUE, FALSE

    Default: FALSE

    PROPERTY_AC_USEAGENT

    (Optional) Specifies whether to use CA ControlMinder on the endpoint to manage privileged and service accounts.

    Note: Applies to the Access Control for SAM endpoint type only. Supported on CA ControlMinder r12.6.01 and later only.

    Values: TRUE, FALSE

    Default: FALSE

    ENABLEMODE_AUTH

    Specifies the authentication mode that is required to set the device to enable mode.

    Note: Applies to the Network Device endpoint type.

    Values:

    • Anonymous - No username or password is required to log in.
    • Password Only - A password is required to log in.
    • Username and Password - A username and password are required to log in.

    USERLOGIN_AUTH

    Specifies the user authentication mode on login.

    Note: Applies to the Network Device endpoint type.

    Values:

    • Anonymous - No username or password is required to log in.
    • Password Only - A password is required to log in.
    • Username and Password - A username and password are required to log in.

    PORT

    (Optional) Specifies the server listening port number.

  3. Add endpoint task lines to the CSV file.

    Each line represents a task to create or modify an endpoint, and must have the same attributes as the header. The attributes must be in the same order as the header. If a line does not have a value for an attribute, leave the field empty.

  4. Save the file to the polling folder.

    The endpoint CSV file is ready for processing by the SAM feeder.

    Note: The default polling folder is located as follows, where JBoss_home is the directory in which you installed JBoss:

    JBoss_home/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
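Taken together, the LOGIN_USER, OPERATION_ADMIN_USER_NAME and IS_ADVANCE descriptions above form a small decision table for which account SAM connects with and which account performs the administrative work. The following function encodes that table; it is an added illustration, not code from CA ControlMinder or its documentation, and the row values are constructed placeholders.

```python
def resolve_accounts(row):
    """Map one endpoint task row to the accounts SAM uses, following the
    LOGIN_USER, OPERATION_ADMIN_USER_NAME and IS_ADVANCE rules above.
    Returns attribute names rather than credentials, so the result is safe to log."""
    ssh = row.get("ENDPOINT_TYPE") == "SSH Device"
    advanced = row.get("IS_ADVANCE") == "TRUE"
    has_op_admin = bool(row.get("OPERATION_ADMIN_USER_NAME"))
    unused = []  # attributes that were supplied but play no role for this row
    if advanced:
        connect = "PROPERTY_ADMIN_ACCOUNT_NAME"  # the privileged admin account connects
        if row.get("LOGIN_USER"):
            unused.append("LOGIN_USER")          # ignored whenever IS_ADVANCE is TRUE
    else:
        connect = "LOGIN_USER"
    if ssh and has_op_admin:
        operate = "OPERATION_ADMIN_USER_NAME"    # SSH Device: op admin does the admin tasks
    else:
        operate = connect                        # otherwise the connecting account does both
        if has_op_admin:
            unused.append("OPERATION_ADMIN_USER_NAME")  # valid for SSH Device only
    return {"connect": connect, "operate": operate, "unused": unused}

# Constructed rows; the names are placeholders, not values from a real deployment.
ROWS = [
    {"ENDPOINT_TYPE": "SSH Device", "LOGIN_USER": "svc_sam",
     "OPERATION_ADMIN_USER_NAME": "root"},
    {"ENDPOINT_TYPE": "SSH Device", "IS_ADVANCE": "TRUE", "LOGIN_USER": "root",
     "PROPERTY_ADMIN_ACCOUNT_NAME": "sam_admin"},
    {"ENDPOINT_TYPE": "Oracle Server", "LOGIN_USER": "ORAADMIN1",
     "OPERATION_ADMIN_USER_NAME": "sys"},
]

def report(rows):
    """One line per row: which account connects, which operates, what is ignored."""
    return [f"{r.get('ENDPOINT_TYPE')}: connect={a['connect']} operate={a['operate']}"
            + (f" unused={','.join(a['unused'])}" if a["unused"] else "")
            for r, a in ((r, resolve_accounts(r)) for r in rows)]
```

Reviewing the `unused` column before dropping a file into the polling folder catches rows where a credential was supplied but will never be used, such as a LOGIN_USER alongside IS_ADVANCE=TRUE.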
    

Example: An Endpoint CSV File

The following is a sample endpoint CSV file. You can find more sample endpoint CSV files in the ACServer/IAM Suite/Access Control/tools/samples/feeder directory.

OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,DESCRIPTION,ENDPOINT_TYPE,HOST,LOGIN_USER,PASSWORD,URL,CONFIGURATION_FILE,DOMAIN,IS_ACTIVE_DIRECTORY,USER_DOMAIN,ENDPOINT

ENDPOINT,CREATE,Oracle1,oracle 10g,Oracle Server,TEST10,ORAADMIN1,ORAADMIN1,jdbc:oracle:thin:@TEST10:1521:RNDSRV,,,,,

ENDPOINT,CREATE,local MSSQL1,local SQL server,MS SQL Server,localhost,testAdmin,Password1@,jdbc:sqlserver://localhost:1433,,,,,

ENDPOINT,CREATE,SSH_Device2,unix machine,SSH Device,TEST84,root,Password1@,,,,,,

ENDPOINT,CREATE,IM_Access Control,Access Control via provisioning,Access Control,TEST1,,,,,,,,TEST1

Mandatory Attributes for Creating or Modifying an Endpoint

Following are the mandatory attributes that you must include in the CSV file to create or modify an endpoint:

OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,ENDPOINT_TYPE

The minimum required mandatory fields may vary according to the endpoint type that you create or modify. Refer to the following table for details:

Endpoint Type                      LOGIN_USER  PASSWORD  HOST  DOMAIN  URL  ENDPOINT
SSH Device*                        +           +         +
Windows Agentless*                 +           +         +     +
Sybase Server*                     +           +         +             +
OS400*                             +           +         +
ACF2*                              +           +         +             +
MS SQL Server*                     +           +         +             +
Oracle Server*                     +           +         +             +
Network Device                                           +
RACF*                              +           +         +             +
Access Control for PUPM                                  +
Disconnected                                             +
ActiveDirectory via Provisioning                         +                  +
OS400 via Provisioning                                   +                  +
NDS Servers via Provisioning                             +                  +
CA-ACF2 via Provisioning                                 +                  +
Access Control for Provisioning                          +                  +
CA-Top Secret via Provisioning                           +                  +
RACF via Provisioning                                    +                  +
SAP R3 via Provisioning                                  +                  +
Windows NT via Provisioning                              +                  +

*If you set the IS_ADVANCE attribute to TRUE, do not specify the LOGIN_USER and PASSWORD attributes.

Mandatory Attributes for Deleting an Endpoint

Following are the mandatory attributes that you must define to delete an endpoint:

OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,ENDPOINT_TYPE,HOST
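The steps above and the mandatory-attribute lists amount to a set of checks an endpoint CSV file must pass before it is dropped into the polling folder. The following validator, added here as an example and not part of the SAM feeder, applies those checks to a file's text: header contents, field count per row against the header, the per-type mandatory attributes from the table, the HOST requirement for DELETE, and the IS_ADVANCE/LOGIN_USER exclusion. Endpoint types that do not appear in the table are assumed to need only the four base attributes.

```python
import csv
import io
# Mandatory attributes transcribed from this page's "Mandatory Attributes" sections.
BASE = ("OBJECT_TYPE", "ACTION_TYPE", "%FRIENDLY_NAME%", "ENDPOINT_TYPE")
CREDS = ("LOGIN_USER", "PASSWORD")
ADVANCE = tuple("PROPERTY_ADMIN_ACCOUNT_" + s for s in
                ("ENDPOINT_TYPE", "ENDPOINT_NAME", "CONTAINER", "NAME"))
TYPE_REQ = {"Windows Agentless": CREDS + ("HOST", "DOMAIN")}
TYPE_REQ.update((t, CREDS + ("HOST",)) for t in ("SSH Device", "OS400"))
TYPE_REQ.update((t, CREDS + ("HOST", "URL")) for t in
                ("Sybase Server", "ACF2", "MS SQL Server", "Oracle Server", "RACF"))
TYPE_REQ.update((t, ("HOST",)) for t in
                ("Network Device", "Access Control for PUPM", "Disconnected"))

def required_attrs(row):
    if row["ACTION_TYPE"] == "DELETE":
        return BASE + ("HOST",)
    etype = row["ENDPOINT_TYPE"]
    req = TYPE_REQ.get(etype, ("HOST", "ENDPOINT") if "via Provisioning" in etype else ())
    if row.get("IS_ADVANCE") == "TRUE" and "LOGIN_USER" in req:
        # Starred types: the privileged admin account replaces LOGIN_USER/PASSWORD.
        req = tuple(a for a in req if a not in CREDS) + ADVANCE
    return BASE + req

def validate_endpoint_csv(text):
    """Return 'line N: problem' strings; an empty list means the file is acceptable."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    if any(a not in header for a in BASE):
        return ["header: must contain " + ", ".join(BASE)]
    problems = []
    for n, fields in enumerate(rows, start=2):
        if not fields:
            continue  # blank separator line between tasks
        if len(fields) != len(header):
            problems.append(f"line {n}: {len(fields)} fields, header has {len(header)}")
            continue
        row = dict(zip(header, fields))
        if row["OBJECT_TYPE"] != "ENDPOINT" or row["ACTION_TYPE"] not in ("CREATE", "MODIFY", "DELETE"):
            problems.append(f"line {n}: OBJECT_TYPE/ACTION_TYPE value not allowed")
        if row.get("IS_ADVANCE") == "TRUE" and row.get("LOGIN_USER"):
            problems.append(f"line {n}: LOGIN_USER must be empty when IS_ADVANCE is TRUE")
        problems += [f"line {n}: {a} is required" for a in required_attrs(row) if not row.get(a)]
    return problems

# Constructed sample: a complete Oracle row and an SSH Device row with no PASSWORD.
SAMPLE = """OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,ENDPOINT_TYPE,HOST,LOGIN_USER,PASSWORD,URL
ENDPOINT,CREATE,Oracle1,Oracle Server,TEST10,ORAADMIN1,ORAADMIN1,jdbc:oracle:thin:@TEST10:1521:RNDSRV
ENDPOINT,CREATE,SSH_Device2,SSH Device,TEST84,root,,"""
```

Running `validate_endpoint_csv(SAMPLE)` reports only the missing PASSWORD on line 3; a clean result is the signal to move the file into the polling folder.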

Mandatory Attributes for Creating or Modifying a Shared Account

Following are the mandatory attributes that you must define to create or modify a shared account:

OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,PASSWORD_POLICY,ACCOUNT_PASSWORD

More information:

How to Create a Customized SSH Device Endpoint